Object Lesson: Use Firefox? Don’t Let Microsoft Install Anything In It!

Back in February, many users’ installations of Firefox were ‘augmented’ by a Microsoft add-on, pushed in through Windows Update rather than installed by the user. Those who knew about it, and are not afraid (some would say paranoid) of this type of addition, thought it was a sign that Firefox had arrived: Microsoft was finally acknowledging that Internet Explorer was in danger of no longer being top dog.

That may be true, but what happened, in a typical Microsoft-doesn’t-learn-from-its-mistakes pattern, is that the installed item brought with it a way to attack users through Firefox.

An add-on that Microsoft silently slipped into Mozilla’s Firefox last February leaves that browser open to attack, Microsoft’s security engineers acknowledged earlier this week.

One of the 13 security bulletins Microsoft released Tuesday affects not only Internet Explorer (IE), but also Firefox, thanks to a Microsoft-made plug-in pushed to Firefox users eight months ago in an update delivered via Windows Update.

“While the vulnerability is in an IE component, there is an attack vector for Firefox users as well,” admitted Microsoft engineers in a post to the company’s Security Research & Defense blog on Tuesday. “The reason is that .NET Framework 3.5 SP1 installs a ‘Windows Presentation Foundation’ plug-in in Firefox.”

The Microsoft engineers described the possible threat as a “browse-and-get-owned” situation that only requires attackers to lure Firefox users to a rigged Web site.

That’s certainly comforting – made more so because the idea, for most users, is that Firefox is more secure than Internet Exploder.

Numerous users and experts complained when Microsoft pushed the .NET Framework 3.5 Service Pack 1 (SP1) update to users last February, including Susan Bradley, a contributor to the popular Windows Secrets newsletter.

“The .NET Framework Assistant [the name of the add-on slipped into Firefox] that results can be installed inside Firefox without your approval,” Bradley noted in a Feb. 12 story. “Although it was first installed with Microsoft’s Visual Studio development program, I’ve seen this .NET component added to Firefox as part of the .NET Family patch.”

The other problem is that it became almost impossible to remove the ‘add-in’ from Firefox. Is Opera or Chrome looking better now?

What was particularly galling to users was that once installed, the .NET add-on was virtually impossible to remove from Firefox. The usual “Disable” and “Uninstall” buttons in Firefox’s add-on list were grayed out on all versions of Windows except Windows 7, leaving most users no alternative other than to root through the Windows registry, a potentially dangerous chore, since a misstep could cripple the PC. Several sites posted complicated directions on how to scrub the .NET add-on from Firefox, including Annoyances.org.
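The registry is exactly where the trouble comes from: Firefox side-loads any extension whose ID and install path an installer writes under HKLM or HKCU\SOFTWARE\Mozilla\Firefox\Extensions, and any NPAPI plug-in registered under HKLM\SOFTWARE\MozillaPlugins, with no prompt to the user. The script below is an added example (not from the original post, ComputerWorld or Microsoft) that inventories both kinds of registry-registered items so you can see what an installer has slipped into your browser, and optionally removes an extension registration. The script name, the -SuspectRoots heuristic (flagging anything installed under %WINDIR%, which is where the .NET Framework tree lives) and the -Remove switch are my assumptions; the registry locations themselves are the documented Mozilla mechanism.

```powershell
# Find-SideloadedFirefoxExtensions.ps1 (hypothetical name; added example)
# Lists Firefox extensions and NPAPI plug-ins that were registered through the
# Windows registry rather than installed through the Firefox add-ons UI.
# Run from an elevated prompt so the HKLM hives are readable; use -Remove -WhatIf
# to preview removals before committing to them.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: paths under these roots were written by a system-level installer.
    [string[]]$SuspectRoots = @($env:windir),
    # Remove the registry registration (not the files) of flagged extensions.
    [switch]$Remove
)

# Extension registrations: value name = extension ID, value data = install path.
$extensionHives = @(
    'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions',
    'HKLM:\SOFTWARE\WOW6432Node\Mozilla\Firefox\Extensions',
    'HKCU:\SOFTWARE\Mozilla\Firefox\Extensions'
)

# NPAPI plug-in registrations: one subkey per plug-in, with a "Path" value.
$pluginHives = @(
    'HKLM:\SOFTWARE\MozillaPlugins',
    'HKLM:\SOFTWARE\WOW6432Node\MozillaPlugins',
    'HKCU:\SOFTWARE\MozillaPlugins'
)

function Test-SuspectPath {
    param([string]$Path)
    foreach ($root in $SuspectRoots) {
        if ($Path -and $Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

foreach ($hive in $extensionHives) {
    if (-not (Test-Path $hive)) { continue }
    $key = Get-Item $hive
    foreach ($id in $key.GetValueNames()) {
        if ($id -eq '') { continue }          # skip the key's (Default) value
        $path = [string]$key.GetValue($id)
        $suspect = Test-SuspectPath $path
        [pscustomobject]@{
            Kind    = 'Extension'
            Hive    = $hive
            Id      = $id
            Path    = $path
            Exists  = ($path -ne '' -and (Test-Path -LiteralPath $path))
            Suspect = $suspect
        }
        # Deleting the value stops Firefox from loading the extension on next
        # start; the files stay on disk and a product repair may re-register it.
        if ($Remove -and $suspect -and
            $PSCmdlet.ShouldProcess("$hive -> $id", 'Remove extension registration')) {
            Remove-ItemProperty -Path $hive -Name $id
        }
    }
}

foreach ($hive in $pluginHives) {
    if (-not (Test-Path $hive)) { continue }
    foreach ($sub in Get-ChildItem $hive) {
        $path = [string]$sub.GetValue('Path')
        [pscustomobject]@{
            Kind    = 'Plugin'
            Hive    = $hive
            Id      = $sub.PSChildName
            Path    = $path
            Exists  = ($path -ne '' -and (Test-Path -LiteralPath $path))
            Suspect = (Test-SuspectPath $path)
        }
    }
}
```

Running it with no switches only reports; `.\Find-SideloadedFirefoxExtensions.ps1 -Remove -WhatIf` shows which registrations would be deleted, and dropping `-WhatIf` performs the deletion after a ShouldProcess prompt. Plug-in registrations are listed but never removed here, because the WPF plug-in is part of the .NET Framework install and the fix for that component is the patch, not a registry edit.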

It surprises me that we don’t have the Mozilla Foundation bringing suit on this one, on behalf of the unsuspecting users.

Later we have the rest of the real story (from ComputerWorld) –

Microsoft reacted to criticism about the method it used to install the Firefox add-on by issuing another update in early May that made it possible to uninstall or disable the .NET Framework Assistant. It did not, however, apologize to Firefox users for slipping the add-on into their browsers without their explicit permission — as is the case for other Firefox add-ons, or extensions.

This week, Microsoft did not revisit the origin of the .NET add-on, but simply told Firefox users that they should uninstall the component if they weren’t able to deploy the patches provided in the MS09-054 update.

According to Microsoft, the vulnerability is “critical,” and also can be exploited against users running any version of IE, including IE8.


Over and over we see Microsoft fail to learn from previous mistakes, and usurp the authority that should belong to the user, who will ultimately be the one who suffers from any of these possible attacks. Then, after the flaw is pointed out and brought into the public eye, no apology is given – it’s business as usual (for Microsoft).

Though we can’t call Microsoft a malware author, we can certainly brand this add-on a malware enabler. Would any other large software company escape from a bungle like this so easily?


Quote of the day:

If all economists were laid end to end, they would not reach a conclusion.

– George Bernard Shaw

Opera, the fastest and most secure web browser

End your troubles now, and for the foreseeable future, use Opera!