Once again, only a Windows problem

Story: Mozilla says Microsoft browser malware can Firefox off
Total Replies: 23
phsolide

Oct 18, 2009
10:54 PM EDT
If you use Firefox on Linux or MacOS or anything other than Windows, it looks like you're unaffected by this one. Once again, what's really a Windows problem gets reported as a general problem.

Maybe I should have ignored this one: it is a "DaniWeb" article.
gus3

Oct 18, 2009
11:24 PM EDT
But one can always cast this as a "be glad you don't use Microsoft" matter, where appropriate, or "so sorry you use Microsoft" otherwise.

Compromising the security of a third-party software package makes it a Microsoft corporate matter, not just a reflection of poor Windows design.

jdixon

Oct 18, 2009
11:45 PM EDT
> Compromising the security of a third-party software package...

Isn't that sort of a given when you're running on Windows?
gus3

Oct 19, 2009
12:04 AM EDT
Quoting: Isn't that sort of a given when you're running on Windows?
No, there's a difference between the security holes endemic on a particular platform (it's running on Windows, doesn't matter what program it is), and singling out a specific third-party package for compromise. Has the Nero CD burner been targeted by Microsoft for such abuse? I doubt it.

Or, to quote Kroc Camen (http://www.osnews.com/story/22358/Silent_Install_Firefox_Plu...):

Quoting: Whilst it's not okay in Microsoft's eyes for Google to install a plugin into Internet Explorer, increasing the potential surface area of attack, when Microsoft do it to Firefox, it's a different matter.
hkwint

Oct 19, 2009
7:22 AM EDT
Quoting: it looks like you're unaffected by this one.

That's not true. I've been reading up on this, and the problem is indeed more general to Firefox: it doesn't give a signal to the Firefox user if a third party installed a new add-on. Lots of users wonder why third parties are able to install plugins into Firefox without the consent of 'their own Firefox' anyway. Linux package managers, but also Windows Update, are able to install add-ons to Firefox without telling the user.

I'm not sure about distros other than Gentoo, but for example, when installing a JVM in Linux, it may install a plugin into Firefox, system-wide. Adobe FlashPlayer always does this, and I guess so does QuickTime (some version is also blocklisted currently). On my system they're in /opt/firefox/plugins or /opt/netscape/plugins. Of course, in Gentoo, you could disable the system-wide installation of plugins by using the -nsplugin USE flag. I'm not sure how other distros deal with the issue.

There are two things which need improvement, this also goes for Firefox on Linux:

1) If a third party installs an add-on 'beyond' the normal distribution channels (Mozilla's website), the user should be warned and given the opportunity to disable and uninstall this add-on. Also, currently uninstalling system-wide add-ons is not possible because of file permissions (the unprivileged Firefox user doesn't have access to /opt, and probably this behaviour can't be 'fixed').

Also, let's say the particular version of the JVM contains a security hole, but the next version doesn't. Nonetheless, Mozilla and Sun decide to put the add-on on the blacklist. Then, Sun fixes the issue. Currently, there is no way for the Firefox-blocklist to know if the base system is patched or not.

2) The blacklist should have some sort of way to find out the patch level of the system it runs on.

What happened is that Mozilla blocklisted an add-on that didn't represent a security hole anymore (this was mainly because of a lack of communication from MS), because it was already patched by MS. Also, the Microsoft add-on didn't give the right version info. However, Firefox should be able to deal with 'flawed' add-ons which don't give the right version info.

If Microsoft had been smart, they would have shipped a new version of the Firefox add-on together with the patch for the security hole; then the new version of the add-on wouldn't be blocklisted on patched systems.

Anyway, it seems Mozilla learned from this problem and fixes for problem 1 are on the way for FF3.7, fixes for problem 2 are being looked at.
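An added example (not code from any poster, Mozilla or Microsoft) illustrating hkwint's two points above: a toy blocklist matcher keyed only on the add-on's self-reported version, beside a variant that also consults the host's patch level. The add-on id, version strings and patch id are constructed placeholders.

```python
# Added example, not code from Mozilla, Microsoft or any poster: a toy add-on
# blocklist showing why matching only on the add-on's self-reported version
# cannot tell a patched host from an unpatched one, and how an entry that
# names the host patch fixing the bug would. All ids and versions are constructed.
from dataclasses import dataclass, field
from typing import Optional

def parse_version(v):
    """'1.10' -> (1, 10) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in v.split("."))

@dataclass
class BlockEntry:
    addon_id: str
    min_version: str                      # inclusive
    max_version: str                      # inclusive
    fixed_by_patch: Optional[str] = None  # host patch that removes the underlying bug

@dataclass
class Host:
    addons: dict                               # addon_id -> version it reports
    patches: set = field(default_factory=set)  # patch ids installed on the host

def version_in_range(version, entry):
    v = parse_version(version)
    return parse_version(entry.min_version) <= v <= parse_version(entry.max_version)

def blocked_by_version_only(host, blocklist):
    """What the thread describes: decide purely from add-on id and version."""
    return sorted(e.addon_id for e in blocklist
                  if e.addon_id in host.addons
                  and version_in_range(host.addons[e.addon_id], e))

def blocked_patch_aware(host, blocklist):
    """Refinement from point 2: lift the block once the host carries the fix."""
    return sorted(e.addon_id for e in blocklist
                  if e.addon_id in host.addons
                  and version_in_range(host.addons[e.addon_id], e)
                  and e.fixed_by_patch not in host.patches)

# Constructed scenario: the add-on reports "1.0" before and after the host
# patch, so the version range alone flags the patched host too.
BLOCKLIST = [BlockEntry("dotnet-assistant@example.invalid", "1.0", "1.1",
                        fixed_by_patch="HOST-PATCH-PLACEHOLDER")]
UNPATCHED = Host({"dotnet-assistant@example.invalid": "1.0"})
PATCHED = Host({"dotnet-assistant@example.invalid": "1.0"},
               patches={"HOST-PATCH-PLACEHOLDER"})
```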
phsolide

Oct 19, 2009
11:20 AM EDT
Not to quibble, as I don't entirely understand what's going on, but the problem lies in a ".NET" helper plugin, right? And you got it by doing a "Windows Update".

I've only rarely done "Windows Update" for windows itself, and I've never heard of a Linux or MacOS box needing to do a "Windows Update". So, I assumed that this problem, although it may imply problems for Firefox more generally, did not actually cause a problem *except* for Firefox-on-Windows.
gus3

Oct 19, 2009
11:51 AM EDT
And so what if a silently-installed "add-on" did come by way of Yum or Synaptic? Once the "offender" is located in the pertinent Mozilla directory, it's a matter of a single rpm or apt command to find what package it arrived in. I doubt it's so simple on Windows, thanks to the security-by-obscurity of the Registry.
hkwint

Oct 20, 2009
5:29 AM EDT
The bug was in the .NET framework, part of Windows. Microsoft made an FF add-on that resembled ActiveX (it's called ClickOnce), but was supposed to be safer. As part of their quest to control the web, they decided this was going to be an 'opt-out' feature, and distributed it as part of a security update, without telling their users. Their add-on was using the 'compromised' part of the .NET framework.

So indeed Microsoft screwed up and the biggest problem is in Windows, and Microsoft sneakin' new features in the computers of users using the 'security update mechanism'. Linux users don't suffer here.

Nonetheless, while handling the problem, Mozilla also found some smaller flaws in their manner of dealing with this kind of issue. They found things they could do to improve Firefox: to protect their users better and offer them more convenience while handling problems like this (blocking features is not very convenient), and to deal better with add-on makers who make buggy add-ons that lie about versions and compatibility (such as Microsoft). So the assumed 'Windows only' problem will also cause Firefox to be improved, to handle 'Windows only' problems better.

Such problems may also occur on Linux, though less likely and to a lesser degree. But it's good to know Mozilla is at it, and Firefox for Linux will be improved as well.
Bob_Robertson

Oct 20, 2009
10:30 AM EDT
Last week I had to deal with Vista for a while, much to my disgust, and I noticed this add-on and its disablement.

The biggest problem for me, as an unknowing user at the time (since I was busy and hadn't noticed the postings about it), is that it was displayed in its disabled state and couldn't be removed.

I object to having things installed without my permission or knowledge, but not being able to remove them when found is even worse.
chalbersma

Oct 20, 2009
2:55 PM EDT
I heart opera.
gus3

Oct 20, 2009
3:04 PM EDT
But who's to say Opera is safe from Windows Update?
jdixon

Oct 20, 2009
3:22 PM EDT
> But who's to say Opera is safe from Windows Update?

Nothing. That was my point above. When running under Windows, there is no safety.
bigg

Oct 20, 2009
3:39 PM EDT
> When running under Windows, there is no safety.

When you agree to the EULA, you agree to give a company the right to do whatever they want, and they have an incentive to do bad things.

Things you can count on:
2+2=4
You will die
Companies respond to incentives
caitlyn

Oct 20, 2009
4:25 PM EDT
@bigg: 2+2=11 in base 3 math. 2+2=4 only works for base 5 and above.

Dell was given big incentives to move manufacturing to North Carolina. Last week they announced they were closing the rather new Winston-Salem plant, outsourcing to third parties in "Mexico and other countries", and returning millions in tax incentives.

Two of your three are not things I would count on.
gus3

Oct 20, 2009
4:27 PM EDT
Quoting: Two of your three are not things I would count on.
And I can justify not counting on the third one:

1. I am alive to accomplish a certain number of things.

2. The longer I live, the farther behind I get.

3. Ergo, I will never die.
bigg

Oct 20, 2009
4:33 PM EDT
> Two of your three are not things I would count on.

Then you don't realize that we don't speak in base 3 any more than we speak in Trekkie. (We being normal folk.)

Your other case is incomplete. From the information you've given, I can't tell that Dell had an incentive to stay in NC. The cost savings from moving to other countries may very well have been larger than the tax incentives they got in NC.
caitlyn

Oct 20, 2009
4:38 PM EDT
Ah... but those who have done assembler coding do speak hexadecimal, and some spoke octal once upon a time as well. 2+2=4 is merely a mathematical representation of an idea. Such representations aren't universal in the world of mathematics, hence my base three example. For me to "count on something" it has to be a universal truth. The fact that I, like all other humans on the planet, will die, is the only universal truth that was offered.

The point I was making with incentives is that they aren't universally the only reason a company will make decisions and there can be conflicting incentives.

hkwint

Oct 20, 2009
5:36 PM EDT
Quoting: I object to having things installed without my permission or knowledge

Well,
- You did give permission because you ran Windows Update. Of course, this assumes you read the whole freakin' EULA about what Windows Update may and may not do.

- You could have known because it was 'blogged' as early as 2008 that Microsoft would ship this add-on. Of course, this assumes you read MS developer blogs, because outside of that small part of the blogosphere nobody cared, back then.

The conclusion is, when running Vista you should carefully take a week to study the EULA and talk to a lawyer about it, and make reservations of at least 2% of your spare time to keep up with MSDN blogs, to be sure you will know what's next that Microsoft will force upon you in order to 'take back control of the web'. At least that's what 'ClickOnce' is supposed to do: Provide you a means to run .NET-code directly from the web with only one single click, even if you're using Firefox.

Next thing they would have liked was to make Mono a default part of Linux distributions (they already have been quite successful here), port the FF add-on (.NET framework assistant) to Linux, and make the very same add-on a part of the Mono package. Then ClickOnce would also work for Linux (Microsoft would have a good reason to argue .NET is cross platform and almost all people can run it inside their browser) and they would be closer to owning the web - and your computer. Currently, as a Linux / Firefox user installing Mono, you are _not_ protected if 'someone' (M.I. anyone?) decides to make the add-on part of the Mono package. Without telling the world, of course. I can imagine distros like the one from Novell or those featuring Gnome coming with such an add-on by default, as it 'fosters interoperability in a hybrid environment' (important to Novell) or 'simplifies life in the one-fits-all world' (important to Gnome). Call Roy S., there's work to be done!

However, given the recent disturbance, Microsoft will probably think twice. At least I hope they will. If not, Mozilla is also fixing the issue.
jdixon

Oct 20, 2009
7:40 PM EDT
> The point I was making with incentives is that they aren't universally the only reason a company will make decisions...

Absolutely. Case in point: It can be demonstrated conclusively that most larger companies will save ridiculous sums of money by standardizing on Linux desktops with Firefox and OpenOffice; and running Microsoft Windows applications via virtualization, Crossover, or Citrix only for those people who absolutely need it. Do they do so? No.
Bob_Robertson

Oct 20, 2009
8:31 PM EDT
JD, you beautifully restate one of the principles of Austrian economics, as opposed to mathematical schools of economics, such as Keynesian.

Perfect competition cannot exist, because no one knows everything, decisions are not always made knowing all the variables, and personal preference plays a huge role in decisions.

All economics are micro.
hkwint

Oct 21, 2009
2:11 AM EDT
Quoting: because no one knows everything,

Hey, did you just say life is flawed? Anyway, what you stated certainly goes for when you're running Windows Update, it seems.
bigg

Oct 21, 2009
5:42 AM EDT
This is a WTF thread.

Apparently, it is necessary to specify that I'm using base 10 numerals, and give a complete definition of responding to incentives, and perfect competition requires perfect information about everything, and Keynesian economics assumes perfect competition and perfect information, unlike the Austrian school.

*Scratching head and walking away*
hkwint

Oct 21, 2009
1:04 PM EDT
Well bigg, you don't have to. You could also just talk about how the flaw in .NET that screwed Firefox users was once again, only a Windows problem. But indeed, that topic doesn't seem to be interesting enough to keep the attention of the posters.
bigg

Oct 21, 2009
1:23 PM EDT
I thought I was talking about that when I made my comment (agreeing to the Windows EULA lets them do what they want, and they have an incentive to abuse their users).