Firefox Users Exposed to Vulnerability Via MS Stealth Install - HotHardware

Earlier this year, Microsoft released the .NET Framework 3.5 update. Along with it, as an added bonus, end users got an extra Firefox extension, the "Microsoft .NET Framework Assistant (ClickOnce)," without being asked. That's bad enough, but the extension also made Firefox vulnerable to attack. Additionally, let's not forget the other stealth install, a plug-in called "Windows Presentation Foundation."

This sort of behavior is what we call a stealth install. Sometimes what's installed is spyware or adware, and sometimes you can't get rid of it. That was the case with the original version of the extension: unlike most Firefox extensions, it could not be disabled or uninstalled without some registry editing, which is not something most people are comfortable with.

Later versions added the ability to uninstall and delete the extension. That doesn't make the stealth install any more forgivable, however. And the fact that it added a vulnerability to Firefox adds insult to injury.

In a post on Microsoft's Security Research and Defense site, the company said:

While the vulnerability is in an IE component, there is an attack vector for Firefox users as well. The reason is that .NET Framework 3.5 SP1 installs a “Windows Presentation Foundation” plug-in in Firefox [...]

Nice. Our recommendation? Uninstall the darn thing. It's not like you can't live without the functionality they add to Firefox.

ClickOnce enables the user to install and run a Windows application by clicking a link in a web page. The core principle of ClickOnce is to bring the ease of deployment of web applications to the Windows user. In addition, ClickOnce aims to solve three other problems with conventional deployment models: the difficulty in updating a deployed application, the impact of an application to the user's computer, and the need for administrator permissions to install applications.

The vulnerability was patched by Microsoft in its Patch Tuesday release for October. According to Microsoft, the vulnerability is "critical," and can be exploited against any version of IE, including IE8.

Firefox auto-disables it right now. So it really doesn't do anything anymore.


Manoeuvres of this sort make it very difficult for users to have any confidence at all in Microsoft....

Henri


WTH! I don't recall giving any permission to install this at all.

Imagine my surprise on seeing this in feedblitz, checking and finding something I didn't ask for or even know. Aren't they required to disclose adware-like installations? Sorta like they would have to ask if I wanted to use their search engine or have a toolbar etc.?


At this point they aren't required to disclose to us by law. Common decency dictates otherwise though. If I didn't NEED their OS for my gaming, I would dump them outright.

They KNOW we need them though, that's why they charge so freakin' much for the software that they sell.

Firefox does disable their shenanigans now, my browser warned me of the incompatibilities last night.

This story reminds me of the arrogant Sony rootkit exploit that they included on Sony CDs thinking that they wouldn't get caught!

The people who do this sort of thing think that they're so smart, they'll never be found out. They ALWAYS DO though. The Laugh is on them.


Yes, I remember the Sony rootkit exploit. Thought the entire saga that followed was quite hilarious.

I think what most of us do is install an alternative to Windows on our systems such as Ubuntu. Though once you've purchased their OS, Microsoft probably doesn't care whatever the hell you do with it.

And PC gamers will keep coming back to Windows because they have little choice.


Gibbersome, I think that's the root of it, they know they have a cornered group of users, between OEM installs, business users and finally gamers...

It comes down to they know they can do it, and they don't care if they expose a bunch of 'non MS software using' users once in a while. Hell they don't even need to tell us. S'pose we will figure it out on our own. That would be the choice we made when we thought MS wasn't the only way to go. [/sarcasm]

I await the day that MS finally gets real full OS competition. A mighty glorious OS capable of everything MS is, however without the agenda of screwing with its user because it can.


Endersothergame, in my opinion many Linux distros already are fully competitive with Microsoft's OS. Gamers who react to being locked in by Microsoft might want to note the recent Make Tech Easier article on the Djl game manager (http://preview.tinyurl.com/yfhvflk), which provides «instant access» to over 100 games. Not being a gamer myself, I haven't installed it on my Ubuntu Karmic beta setups, but it would certainly be interesting to hear from gamers and Linux enthusiasts who have tried it....

Henri


That's the trouble isn't it, if we do get a bona fide Windows replacement, we'd be stuck with another Microsoft.

Valid OS replacements exist with Linux and Mac OS, but they haven't grabbed a large share of the market as yet.

Haha, could you imagine a Windows simulator for the Linux which could run any Windows based game?
