Microsoft hides mystery Firefox extension in toolbar update

They've done this before, silently adding a Firefox extension when you install their NET framework. One that can be disabled by the extensions manager, but not removed, which requires either NET uninstallation or registry jiggery-pokery. As a further thumb in the eye, it also changed Firefox's useragent string. Bad form, really bad fucking form.

Attn MS nitwits: Mozilla has an addons repository. Try using it, even if it gives Ballmer scalp rash.

As part of its regular Patch Tuesday, Microsoft released an update for its various toolbars, and this update came with more than just documented fixes. The update also installs an add-on for Internet Explorer and an extension for Mozilla Firefox, both without the user's permission. As you can see in the Windows Update screenshot above, Microsoft does not indicate that the update will install anything for either browser. It's also not really clear what the installed extension actually does.

To make matters worse, the update was marked "Important" instead of "Optional," which means it was more likely to be installed either automatically (if the user has Automatic Updates on) or manually when the user clicks Install (Important updates are checked by default).
...

On one of our Windows systems, we had the Windows Live Toolbar installed for Internet Explorer but not for Firefox. Nevertheless, installing this update added the add-on/extension to both browsers without telling us that it would do so. On our second system, we had the Bing Bar installed for Internet Explorer, but it was disabled. Firefox was not installed. This system already had the update in question, so we decided to install Firefox. Not only was the Bing Bar extension present upon Firefox's first launch, but so was the Search Helper Extension.

Additional testing determined that the update is only being offered to those with one of the Microsoft toolbars installed, regardless of whether they are enabled or disabled. It's unknown how many users fall into that scenario, but the toolbars often come bundled with new PCs and popular Microsoft downloads...



http://arstechnica.com/microsoft/news/2010/06/microsoft-slips-ie-firefox-add-on-into-toolbar-update.ars

having such a gaping hole as to allow code to be installed stealthily? But it is easier to blame Microsoft trying to keep their products updates I suppose.

of Firefox not defending against injections from Windows Update. Seems like a fanciful notion.

But it is easier to blame Microsoft trying to keep their products updates I suppose.

"Their" products, like Mozilla?

Blaming Microsoft for a dumb move they knew better to make... yeah, it's pretty easy. You should try it once.

BTW, there's plenty of room out there for a "Firefox, the really really secure web browser that isn't really really secure" thread.

and yes you should be worried because this is the same thing you would slam MS for. If it is bad for one then it is bad for all. Obviously there is a known hole in firefox that will allow installations without consent. That is bad security for any software.

http://www.thechromesource.com/paper-browser-extensions-have-potential-security-implications/

In a comprehensive paper that was recently published, researchers at Berkeley’s Department of Electrical Engineering and Computer Science studied the possible security impact that extensions could have on a browsers’ vulnerability to exploit and/or attack a computer. It was found that of twenty-five popular Firefox Extensions, all of them had the highest level of security privileges in the browser. That’s all that would theoretically be needed to attack a machine, which could potentially result in a compromised situation.

Because "MS" not followed by corresponding failure from another company -- for mandatory "balance" of course -- is gratuitous slamming. Same as always.

Yes they have to update the extension

You should read the OP. It's about installing extensions without permission, not updating them.

Again, what do you propose Firefox should do to protect itself from Windows Update? Conflating a WU install with vulnerabilities in Firefox extensions is your hook for blowing chaff away from MS, but it's irrelevant and hamfisted. Are the stealth-installed toolbars that plagued MS products for years similarly blameless? I think they're pretty skeevy, myself. As is Microsoft, in this instance.

Are Firefox extensions over-privileged? Yes. Are they ripe for exploit? Yes. Is Mozilla's repository review for mitigating these dangers insufficient and untenable? Yes. Is Mozilla's disinterest in making Firefox run with reduced privileges under WIC, an interim stopgap that could limit malware damage NOW, foolish and harmful? Yes. If Mozilla doesn't start moving to address these issues soon (and from what I've seen from their reactions to Bugzilla submissions, they won't), they'll pay for their dumbassery.

I don't mind talking about Mozilla's shortcomings. But not with someone discomfitted beyond reason by MS criticism, who'll bend every discussion into a lament about how unfair the world is to Microsoft.

I've located the paper your chromesource posting talks about. It's here:

http://www.adambarth.com/papers/2010/barth-felt-saxena-boodman.pdf

It's interesting and unnerving, so thanks for that. I knew one of the authors casually years ago, Aaron Boodman. He's a remarkably smart guy who knows his stuff (he's the author of Greasemonkey for Firefox, for one thing, so he's especially well-informed about extensions).

Anyway, you'll have to excuse me for a while. Or congratulate me, if you're in a good mood. I've gotten a new system I haven't unpacked yet, and I'll be doing the drudgery of moving files, de-crufting, and getting accustomed to a new OS, Win7.

can't argue with tuna

According to the article you only get this if you have the ms toolbars installed, sounds like its a fix for those toolbars. The fact that it applies itself across all browsers is bad why?

is a good indication they should ask. Somebody might not want it in Firefox, for any number of reasons. In the NET instance above, MS had to endure the ignominy of announcing they'd injected a vulnerability into Firefox.