Jump to content
Sign in to follow this  
zalternate

FireFox disables Microsoft, hacked install, extensions

Recommended Posts

:knuppel2:

So Microsoft hacked FireFox via the Registry to install a plugin and extension. So it automatically destroyed a safer browser and made FireFox subject to Internet Explorer Vulnerabilitys.

I also complained to Mozilla many months ago on how they could allow other companies to install extensions and plugins without the users permission. The only answer was it was registry hack and FireFox could not stop the install via that permission method. Well it looks like they are fixing the problem now. Good for Them.

AVG was also one that hacked their way in. And Java as well.

http://voices.washingtonpost.com/securityfix/2009/10/mozilla_disables_microsofts_in.html?hpid=sec-tech

Mozilla Disables Microsoft's Insecure Firefox Add-on

Mozilla is disabling a pair of components stealthily installed by Microsoft earlier this year for Windows users of the Firefox Web browser, warning that the software suffers from a serious security vulnerability.

Firefox users may already have seen a pop-up notice about an unstable or insecure add-on being disabled. The message would look something like image below.

There's a short backstory to this drama. In May, I wrote about a Windows patch for the Microsoft .NET package that silently installed the Microsoft .NET Framework Assistant add-on into Firefox. The package also included an associated plug-in for Firefox called the Windows Presentation Foundation plug-in. The Mozilla user community was up arms over not just the fact that Microsoft was introducing unwanted components that could potentially weaken the security of Firefox, but that Redmond had made the thing almost impossible to remove.

Microsoft's initial response -- that the add-on could be removed by editing the Windows registry -- drew criticism because editing the registry is potentially dangerous affair for newbie users. In response, Microsoft later shipped a simpler, point-and-click way to remove the thing. Still, the removal tool still left behind the Windows Presentation Foundation plug-in.

Fast forward to earlier this month, when Microsoft issued a record number of security updates. Among those was a fix for what Microsoft called a "browse-and-get-owned" vulnerability in Internet Explorer, meaning all that is needed is for a user to be lured to a malicious website. Nothing particularly new there, except that this one could also be exploited through Firefox, via the Windows Presentation Plug-in.

Microsoft has been quick to point out that Windows users who have applied this month's updates are protected from this attack, regardless of which browser they use. Still, that was apparently not enough for Mozilla. Mike Shaver, Mozilla's vice president of engineering, said the company decided to nix the components because of the threat they introduce, and because many Windows users may not have understood previous instructions on how to remove them manually.

"Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism. Microsoft agreed with the plan, and we put the blocklist entry live immediately," Shaver wrote Friday on the Mozilla Security Blog.

I first noticed the pop-up pictured above earlier this afternoon while I was browsing the Web. I was initially confused because I had long ago removed the .NET Framework add-on. Turns out, I had forgotten to disable the associated plug-in. This update from Mozilla appears to have done that for me (thanks, Mozilla!).

By Brian Krebs  |  October 17, 2009; 6:54 PM ET

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×
Speed Test Version 15.9
© 2019 TestMy Net LLC - TestMy.net - Terms & Privacy