Firefox Users Exposed to Vulnerability Via MS Stealth Install

Top 10 Contributor
Posts 24,867
Points 1,116,100
Joined: Sep 2007
ForumsAdministrator
News Posted: Sat, Oct 17 2009 2:55 PM
Earlier this year, Microsoft released the .NET Framework 3.5 update. At the same time, as an added bonus, end users would get an extra Firefox extension, the "Microsoft .NET Framework Assistant (ClickOnce)," without being asked. That's bad enough, but at the same time the extension made Firefox vulnerable to attack. Additionally, let's not forget the other stealth install, a plug-in called "Windows Presentation Foundation."

This sort of behavior is what we call a stealth install. Sometimes what's installed is spyware, or adware, and sometimes you can't get rid of it. That was the case with the original version of the extension: it could not be disabled or uninstalled, unlike most Firefox extensions, without some registry editing, not something most people are comfortable with.

Later versions added the ability to uninstall and delete the extension. That doesn't make the stealth install any more forgivable, however. And the fact that it added a vulnerability to Firefox adds insult to injury.

In a post on Microsoft's Security Research and Defense site, the company said:

While the vulnerability is in an IE component, there is an attack vector for Firefox users as well. The reason is that .NET Framework 3.5 SP1 installs a “Windows Presentation Foundation” plug-in in Firefox [...]

Nice. Our recommendation? Uninstall the darn thing. It's not like you can't live without the functionality they add to Firefox.

ClickOnce enables the user to install and run a Windows application by clicking a link in a web page. The core principle of ClickOnce is to bring the ease of deployment of web applications to the Windows user. In addition, ClickOnce aims to solve three other problems with conventional deployment models: the difficulty in updating a deployed application, the impact of an application to the user's computer, and the need for administrator permissions to install applications.

The vulnerability was patched by Microsoft in its Patch Tuesday release for October. According to Microsoft, the vulnerability is "critical," and can be exploited against any version of IE, including IE8.
Top 75 Contributor
Posts 1,248
Points 11,580
Joined: Jan 2005
Location: Florida

Firefox auto-disables it right now. So it really doesn't do anything anymore.

Smooth Creations LANShark "Blue Flame" + ASUS G73JH-A2 + ASUS EeePC S101H

"I frag therefore I am!"

Top 150 Contributor
Posts 651
Points 5,915
Joined: May 2008
Location: Stockholm
mhenriday replied on Sun, Oct 18 2009 3:08 AM

Manoeuvres of this sort make it very difficult for users to have any confidence at all in Microsoft....

Henri

Top 200 Contributor
Posts 416
Points 4,715
Joined: Dec 2005
Location: Sarnia, Ontario Canada

WTH! I don't recall giving any permission to install this at all.

Imagine my surprise on seeing this in feedblitz, checking and finding something I didn't ask for or even know. Aren't they required to disclose adware-like installations? Sorta like they would have to ask if I wanted to use their search engine or have a toolbar, etc.?

AMD X6 1100T - MSI 750-G55 - 16GB Patriot Viper II - nVidia GTX 470 - SB XFi Titanium>JVC A-X9>JBL Control Monitor 4312A

Top 10 Contributor
Posts 8,436
Points 102,150
Joined: Apr 2009
Location: Shenandoah Valley, Virginia
MembershipAdministrator
Moderator
realneil replied on Sun, Oct 18 2009 11:28 AM

At this point they aren't required to disclose to us by law. Common decency dictates otherwise though. If I didn't NEED their OS for my gaming, I would dump them outright.

They KNOW we need them though, that's why they charge so freakin' much for the software that they sell.

Firefox does disable their shenanigans now, my browser warned me of the incompatibilities last night.

This story reminds me of the arrogant Sony rootkit exploit that they included on Sony CDs thinking that they wouldn't get caught!

The people who do this sort of thing think that they're so smart, they'll never be found out. They ALWAYS DO though. The Laugh is on them.

Don't part with your illusions. When they are gone you may still exist, but you have ceased to live.

(Mark Twain)

Top 75 Contributor
Posts 1,963
Points 25,700
Joined: Sep 2009

Yes, I remember the Sony rootkit exploit. Thought the entire saga that followed was quite hilarious.

I think what most of us do is install an alternative to Windows on our systems such as Ubuntu. Though once you've purchased their OS, Microsoft probably doesn't care whatever the hell you do with it.

And PC gamers will keep coming back to Windows because they have little choice.

Top 200 Contributor
Posts 416
Points 4,715
Joined: Dec 2005
Location: Sarnia, Ontario Canada

Gibbersome, I think that's the root of it, they know they have a cornered group of users, between OEM installs, business users and finally gamers...

It comes down to they know they can do it, and they don't care if they expose a bunch of 'non MS software using' users once in a while. Hell they don't even need to tell us. S'pose we will figure it out on our own. That would be the choice we made when we thought MS wasn't the only way to go. [/sarcasm]

I await the day that MS finally gets real full OS competition. A mighty glorious OS capable of everything MS is, however without the agenda of screwing with its user because it can.

AMD X6 1100T - MSI 750-G55 - 16GB Patriot Viper II - nVidia GTX 470 - SB XFi Titanium>JVC A-X9>JBL Control Monitor 4312A

Top 150 Contributor
Posts 651
Points 5,915
Joined: May 2008
Location: Stockholm
mhenriday replied on Mon, Oct 19 2009 6:41 PM

Endersothergame, in my opinion many Linux distros already are fully competitive with Microsoft's OS. Gamers who react to being locked in by Microsoft might want to note the recent Make Tech Easier article on the Djl game manager (http://preview.tinyurl.com/yfhvflk ), which provides «instant access» to over 100 games. Not being a gamer myself, I haven't installed it on my Ubuntu Karmic beta setups, but it would certainly be interesting to hear from gamers and Linux enthusiasts who have tried it....

Henri

Top 75 Contributor
Posts 1,963
Points 25,700
Joined: Sep 2009
gibbersome replied on Mon, Oct 19 2009 11:02 PM

That's the trouble isn't it, if we do get a bona fide Windows replacement, we'd be stuck with another Microsoft.

Valid OS replacements exist with Linux and Mac OS, but they haven't grabbed a large share of the market as yet.

Haha, could you imagine a Windows simulator for the Linux which could run any Windows based game?
