[Infowarrior] - Silent Install Firefox Plugin Backfires on Microsoft

Richard Forno rforno at infowarrior.org
Sun Oct 18 03:52:06 UTC 2009


Silent Install Firefox Plugin Backfires on Microsoft
posted by Kroc Camen on Sat 17th Oct 2009 05:27 UTC
http://www.osnews.com/story/22358/Silent_Install_Firefox_Plugin_Backfires_on_Microsoft

Whilst it's not okay in Microsoft's eyes for Google to install a  
plugin into Internet Explorer, increasing the potential surface area  
of attack, when Microsoft do it to Firefox, it's a different matter.  
Now a security hole has been found in a plugin that Microsoft have  
been silently installing into Firefox.
Along with .NET Framework 3.5 SP1, Microsoft have been silently  
installing a Windows Presentation Foundation Plugin that allows the  
embedding of XAML applications (an XML-based UI technology) in web  
pages, called XBAP (XAML Web App).

The exploit is drive-by, meaning that the victim only needs to be  
lured onto a web page for the attack to be effective. The only safe  
thing to do until a patch is issued is to open Firefox's Add-ons  
Manager and disable the WPF plugin.

Microsoft were caught earlier this year silently installing a “.NET  
Framework Assistant” plugin into Firefox, which could not initially be  
uninstalled. After some pressure from the press, Microsoft relented  
and provided an update to enable the uninstall button. That update  
then broke a number of other Firefox extensions.

The only thing that surprises me more is that I'm not surprised that  
Microsoft could be this incompetent when it comes to the safety of all  
users of the web using Windows, regardless of whether they're using IE or not.

With greater marketshare than ever before, and a firm position in the  
mainstream, every software vendor and their dog are wanting to  
integrate with Firefox. This has led to numerous unwanted, irritating  
and often uninstallable plugins adding themselves to Firefox. WPF is  
really only the tip of the iceberg.

Silently installing software on your computer that you are unaware of  
is called malware in my book. Mozilla have the capability to blacklist  
plugins and addons if they misbehave or pose a threat. Frankly, if I  
were Mozilla, I would ban Microsoft's plugins from Firefox until they  
provide an opt-in interface.

This also raises concerns with how Mozilla handle extensions and  
plugins being installed into the browser without the user's  
permission. Whilst Firefox will bring up the Add-ons Manager when a new  
extension is installed, the new extension is not disabled by default  
until you permit it (Mozilla are working on a proposal for this).  
External programs on the computer can install extensions into Firefox  
with nothing more than a registry key, and plugins that are added  
outside of Firefox itself will not be reported to the user (as in the  
case with WPF).

With good timing, Mozilla have been working on a Plugin Check system  
to ensure that users are kept up to date with plugins, which pose a  
security threat and are a part of the browser users are often unaware  
of. This follows Mozilla alerting users to an out of date Flash Player  
version on their landing page for updated Firefox versions.

HTML5 promises to reduce the need for plugins by providing much of the  
same functionality natively in the browser via SVG, JavaScript and  
native video and audio elements. In my opinion, Mozilla need to take a  
hard stance and stop this blight of plugins, as it may turn people off  
using Firefox, and not least lead to bad press as more plugins are used  
as exploit vectors in the face of growing Firefox marketshare.
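The article notes that external programs register extensions and plugins with Firefox through nothing more than a Windows registry key, and that Firefox does not report plugins added this way. The following PowerShell is an added example (not from the article, Mozilla or Microsoft) that audits those registrations so an administrator can see what has been silently wired into the browser, and optionally unregisters an entry without touching files on disk. The two registry locations are the ones Mozilla documented for externally installed add-ons: `...\Mozilla\Firefox\Extensions` (one value per extension, name = extension ID, data = path to the extension folder or .xpi) and `...\MozillaPlugins\<key>` (a `Path` value pointing at the NPAPI plugin DLL). The function names, the output shape and the `Wow6432Node`/HKCU coverage are this example's own choices; reading HKLM needs no elevation, removing from it does.

```powershell
# Audit Firefox extensions and NPAPI plugins registered through the Windows registry.
# Added example, not the article's code. Registry locations are Mozilla's documented ones;
# the function names and output format are assumptions made for this example.
$hives = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node', 'HKCU:\SOFTWARE'

function Get-SignerName([string]$file) {
    # Authenticode publisher of a registered file, or a marker when it is not validly signed.
    if (-not $file -or -not (Test-Path -LiteralPath $file -PathType Leaf)) { return $null }
    $sig = Get-AuthenticodeSignature -FilePath $file
    if ($sig.Status -ne 'Valid') { return "UNSIGNED/$($sig.Status)" }
    return $sig.SignerCertificate.Subject
}

function Get-RegisteredFirefoxExtension {
    # Each value under ...\Mozilla\Firefox\Extensions is <extension ID> = <install path>.
    foreach ($hive in $hives) {
        $key = "$hive\Mozilla\Firefox\Extensions"
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
            [pscustomobject]@{
                Kind   = 'Extension'
                Source = $key
                Id     = $p.Name
                Path   = $p.Value
                Exists = [bool](Test-Path -LiteralPath "$($p.Value)")
                Signer = Get-SignerName $p.Value
            }
        }
    }
}

function Get-RegisteredFirefoxPlugin {
    # Each subkey under ...\MozillaPlugins carries a Path value naming the plugin DLL.
    foreach ($hive in $hives) {
        $key = "$hive\MozillaPlugins"
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $path = (Get-ItemProperty -Path $sub.PSPath).Path
            [pscustomobject]@{
                Kind   = 'Plugin'
                Source = $sub.PSPath
                Id     = $sub.PSChildName
                Path   = $path
                Exists = ($null -ne $path) -and (Test-Path -LiteralPath $path)
                Signer = Get-SignerName $path
            }
        }
    }
}

function Remove-RegisteredFirefoxAddon {
    # Unregisters one entry returned by the two functions above. Only the registry
    # pointer is removed; the extension or DLL stays on disk, so this is reversible.
    param([Parameter(Mandatory = $true)] $Entry)
    if ($Entry.Kind -eq 'Extension') {
        Remove-ItemProperty -Path $Entry.Source -Name $Entry.Id
    } else {
        Remove-Item -Path $Entry.Source -Recurse
    }
}

# Usage: list everything Firefox will pick up from the registry, flagging entries whose
# target is missing or whose binary is not validly signed.
$registered = @(Get-RegisteredFirefoxExtension) + @(Get-RegisteredFirefoxPlugin)
$registered | Format-Table Kind, Id, Exists, Signer, Path -AutoSize

# Example of unregistering: every plugin whose DLL is not validly signed.
# Uncomment once you have reviewed the listing above.
# $registered | Where-Object { $_.Kind -eq 'Plugin' -and "$($_.Signer)" -like 'UNSIGNED*' } |
#     ForEach-Object { Remove-RegisteredFirefoxAddon -Entry $_ }
```

Removing the registry pointer stops Firefox loading the add-on from that location on its next start, which is the registry-level equivalent of the Add-ons Manager disable step the article recommends, with the difference that nothing the user sees inside the browser is relied on. Because the same key is what third-party installers write, re-running the listing after installing software is a cheap way to catch the kind of silent registration the article describes.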

