Network News

X My Profile
View More Activity

Mozilla Disables Microsoft's Insecure Firefox Add-on

Mozilla is disabling a pair of components stealthily installed by Microsoft earlier this year for Windows users of the Firefox Web browser, warning that the software suffers from a serious security vulnerability.

Firefox users may already have seen a pop-up notice about an unstable or insecure add-on being disabled. The message would look something like image below.


There's a short backstory to this drama. In May, I wrote about a Windows patch for the Microsoft .NET package that silently installed the Microsoft .NET Framework Assistant add-on into Firefox. The package also included an associated plug-in for Firefox called the Windows Presentation Foundation plug-in. The Mozilla user community was up arms over not just the fact that Microsoft was introducing unwanted components that could potentially weaken the security of Firefox, but that Redmond had made the thing almost impossible to remove.

Microsoft's initial response -- that the add-on could be removed by editing the Windows registry -- drew criticism because editing the registry is potentially dangerous affair for newbie users. In response, Microsoft later shipped a simpler, point-and-click way to remove the thing. Still, the removal tool still left behind the Windows Presentation Foundation plug-in.

Fast forward to earlier this month, when Microsoft issued a record number of security updates. Among those was a fix for what Microsoft called a "browse-and-get-owned" vulnerability in Internet Explorer, meaning all that is needed is for a user to be lured to a malicious website. Nothing particularly new there, except that this one could also be exploited through Firefox, via the Windows Presentation Plug-in.

Microsoft has been quick to point out that Windows users who have applied this month's updates are protected from this attack, regardless of which browser they use. Still, that was apparently not enough for Mozilla. Mike Shaver, Mozilla's vice president of engineering, said the company decided to nix the components because of the threat they introduce, and because many Windows users may not have understood previous instructions on how to remove them manually.

"Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism. Microsoft agreed with the plan, and we put the blocklist entry live immediately," Shaver wrote Friday on the Mozilla Security Blog.

I first noticed the pop-up pictured above earlier this afternoon while I was browsing the Web. I was initially confused because I had long ago removed the .NET Framework add-on. Turns out, I had forgotten to disable the associated plug-in. This update from Mozilla appears to have done that for me (thanks, Mozilla!).


By Brian Krebs  |  October 17, 2009; 6:54 PM ET
Categories:  Latest Warnings , New Patches , Safety Tips  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: PayChoice Suffers Another Data Breach
Next: President Obama on Cyber Security Awareness


Another big question is why Firefox did not notify users the add-on was installed back in February. Why users had no opportunity to manage the process, block the install and why users could not delete the add-on (MS did not supply a delete button) prior to this week. I think these underline serious security problems with the add-on procedure in Firefox.

This feels like I participated in proof of concept test for a much bigger problem.

Firefox taking credit for stopping the problem is undue I think. Like vanquishing a vandal in a building with no locks. Then declaring the problem solved. Really, I think not.


Posted by: tomm3 | October 17, 2009 7:54 PM | Report abuse

Thanks Mozilla; thanks BK.

Posted by: lostinthemiddle | October 17, 2009 7:56 PM | Report abuse

But hey, that's all in the past. You can trust M$oft now. Go ahead, buy Win7, there's nothing to worry about.

Posted by: hairguy01 | October 17, 2009 9:56 PM | Report abuse

This was asked the last time (May 29, 2009) this came up and was not answered. What are the Microsoft DRM plug-ins? What would be affected if they were disabled? Should they be disabled?

Posted by: Eremita1 | October 17, 2009 10:58 PM | Report abuse

Eremita -- I believe that's a plugin that gets bundled with Windows Media Player to manage DRM-protected media that you may download with WMP.

Check out this thread about it, on Mozillazine:

Posted by: BTKrebs | October 17, 2009 11:25 PM | Report abuse

This strong fan of Brian Krebs' says "Thank you Brian" for calling this to our attention. I saw those two warnings and re-started my own computer, right then, in the middle of my own web surfing.
He'll be sending more cautions along in the same vein, and others, be assured.
But, what really, really pisses me off is the arrogant, cavalier attitude displayed by Microsoft. It'd seem that MS considers us as a captive audience/consumer bank to be milked at whim or will, all in the spurious name of technical improvement....which too often backfires.
Shall we all of us leap into Windows 7 with slack-jawed submission?
Microsoft needs to heed its technical critics with a lot more contrition.
I guess..."Lots of luck..." on this count, but, there, I've said it.
Listen Up!, MS.

Posted by: CharlesGriffith1 | October 18, 2009 12:23 AM | Report abuse

M$ or MicroCrap is the big brother of tomorrow. They would like to know when you go to the toilet, any any thing else that they can market, sell or other wise manipulate to give themselves an edge.
After years of using, I just found out that they reserve 20% of your BW to spy and talk back to head quarters. Is there anything they won't try to do?

Posted by: jerryf01 | October 18, 2009 1:17 AM | Report abuse

This nonsense is the reason I went to Linux several years ago. I do run a version of XP in an emulator when needed for a specific CAD package, but I avoid Microsoft products - and Apple for that matter - because of the proprietary nonsense.

Posted by: treadlefish | October 18, 2009 7:17 AM | Report abuse

On my XPs, I use IE as seldom as possible and have long preferred Firefox, even as I've mostly converted to Ubuntu Linux. Microsoft's placing of add-ons into my Firefox is an act of trespass and stands as an unpermitted use of property which is mine.

For these acts of trespass against users of Firefox, a class-action suit against Microsoft is merited. Punitive damages ought be assessed because MS created additional risk for users of Firefox.

I don't want any money from these actions against MS and believe the monetary punishments ought be given to the Mozilla foundation, whose good intentions were severely intruded upon.

Posted by: TeresaBinstock | October 18, 2009 8:09 AM | Report abuse

So many people see conspiracy where I see development. The computer world and the internet are a fast changing environment undergoing rapid exploitation on all fronts, not all that much unlike the Westward Expansion in the US during the second half of the 19th century. Lots of things are going to change -- too many things for any one person to keep up with.

Who owns your Operating System? If you've got an MS system, do you own it or does MS? If you own it, then you should have no problem disassembling it and reselling it. And if you own it, then MS has little or no obligation to provide patches, unless you've bought a maintenance contract.

I'm not a huge fan of Microsoft but I see that they are doing the best job within the computing vacuum. If the Linux guys figure that they can do a better job than the 800-lb gorilla, then more power to them. I'll take the o/s backed by hundreds of millions of dollars and a large PAID support staff.

Sure MS wants you to use their products. They know who the competition is and are ready to compete. However, I don't think that DRM is a Brown & Williamson style conspiracy to get you strung out on their product for life.

No matter what the Linux weenies say, computing is not free, either of cost or from rules of conduct.

Posted by: JoStalin | October 18, 2009 9:44 AM | Report abuse

Too much hasty comment on this topic. "Windows Presentation Foundation" and the associated stuff are intended to make 3D, accelerated graphics (hardware-assisted, triangle based) available to browser based apps. The MS code includes object classes and a markup language. The plugin must support the markup language. This seems to be the only code available to make these capabilities fairly easily and generally accessible to web and cloud. If it's blocked from Firefox, then a major new capability will be available only in IE, which might not be a good outcome for users. It doesn't seem to me that MS was doing anything evil here; the Firefox extension mechanisms are public and available for just these kinds of purposes. Better to fix the security problem and unblock the plug-ins.

Posted by: redant | October 18, 2009 9:48 AM | Report abuse

When I use Firefox, I prefer to choose my add-ons. I resent third-party intrusions into what I've chosen for Firefox. I did not assert that MS trespassed into my XP operating systems but that MS unchosen add-ons trespassed onto my hardware - which MS does not own.

Posted by: TeresaBinstock | October 18, 2009 10:25 AM | Report abuse

This simply reinforces my decision to switch to a Mac with my next computer. Perhaps the Obama Administration could revisit the Bush Administration's cosy relationship with Microsoft. Everybody seems to have forgotten that Microsoft was found GUILTY of antitrust violations but no penalty was assessed. Thank heavens for the EU which has continued to keep Microsoft's feet to the fire.

Posted by: ianstuart | October 18, 2009 10:37 AM | Report abuse

Thanks Brian for this explanation. I saw the popup earlier this week and took several seconds to decide whether it was real or a spoof, since it seemed unconnected to any other updates. I'm no MS hater, but it seems to me that it's worth their while to coordinate these things with Mozilla.

Posted by: charodon | October 18, 2009 10:55 AM | Report abuse

People - stick it to the man. Go Ubuntu instead of any MS OS. You can also get free OpenOffice suite of products, or just switch to Google Docs. It's all free, less vulnerabilities and works great...

Posted by: DontGetIt | October 18, 2009 1:26 PM | Report abuse

I need some guidance. I just used the "X" on the dialogue box. Since the updates were already blocked, were the updates excluded when I restarted Firefox?

Posted by: mortified469 | October 18, 2009 2:07 PM | Report abuse

Try to imagine the outrage from microsoft if some firefox add-on or plugin modified the way internet exploder operated.

"It doesn't seem to me that MS was doing anything evil here; the Firefox extension mechanisms are public and available for just these kinds of purposes."

Yeah, right. This we're only doing you a favor crap sounds very familiar. Anybody remember wgatray?
4ck u microsoft.

Posted by: katavo | October 18, 2009 2:14 PM | Report abuse

Another insightful article by Brian. Thank you.

Posted by: Bitter_Bill | October 18, 2009 5:09 PM | Report abuse

IE 8 & Internet connectiveity in -=7=- can be Poorer than SEAMONKY Browser, whuich uis hardest to stop out of net.

IE8 IS Weak, if troubles, use SEAMONKY downlaoded for FREE from same mozi people as Firefox, only ff=weak. Seamonky can go thru months of BAD Connectiveity while wait out till better setting is reached in -=7=-.


Posted by: ThomasStewart1 | October 18, 2009 6:08 PM | Report abuse

CLEARLY this is the latest evidence we need a COMPUTER OWNERS BILL OF RIGHTS.

This is MY computer. I bought it, it is MY property.

For Microsoft, Firefox, Mozilla, Godzilla, or Symantec to willy-nilly download THEIR components onto MY machine without my APPROVAL is positively ghastly.

Would you let your mechanic add a device to your car that made it more vulnerable for people to steal?

Would you let a locksmith come to your home and install a lock that made it a cinch to break in???

OF COURSE you wouldn't, so why should it be any different with your computer???

Computers are no longer a toy. They are vital for business, for conducting business, and for personal development. That all these monkey companies invade my property to install their components violates every common law in existence.

EVERY time they try to download something there should be a window specifically granting permission to download with a CLEAR explanation of what is being downloaded. If the company in question wants to void a warrantee then that can be part of the equation. But it should be MY decision not the decision of Bill Gates.

Posted by: ethanquern | October 18, 2009 9:36 PM | Report abuse


Does anyone think that Microsoft will like this idea? I'll bet that Chairman Bill decides that Ethan must be a communist for suggesting such an anarchistic idea. Microsoft Windows users don't have rights, didn't you know that?

Posted by: The_Mad_Hatter | October 18, 2009 10:22 PM | Report abuse

And now for some backtracking:
Mozilla is undoing their blocklisting because the plugin didn't have any vulns after all.....

Posted by: wng_z3r0 | October 18, 2009 11:39 PM | Report abuse

Once a month I fall off the open source wagon to check my usage - unlimited use would cost another $150, and I've got a food & shelter monkey on my back - only to get the gray dialog of confusion which has evidently replaced the blue screen of death.

Edit the Registry ... It's easy, just memorize the keys then ...

Yeah, right Bill. I hope Steve beats you to that special place in Hell.

Posted by: gannon_dick | October 19, 2009 4:02 AM | Report abuse

ZDNet offers newsletters with technical insights. Several of today's essays seem relevant to Brian's column about MS add-ons:


Microsoft exposes Firefox users to drive-by malware downloads

Mozilla blocks (then unblocks) MS .NET Firefox add-on

Posted by: TeresaBinstock | October 19, 2009 11:56 AM | Report abuse

My main computer setup at present is the Ubuntu Karmic beta, so these Microsoft manoeuvres don't affect me very much, but when I do boot into, say, Windows Server 2008, I notice that while Firefox allows me to *disable* the Microsoft Net Framework Assistant 0.0.0, I cannot delete it (or, for that matter, any other plugin). Any idea, Brian, why this is the case with plugins, as opposed to other types of Firefox add-ons ?...


Posted by: mhenriday | October 19, 2009 11:58 AM | Report abuse

This smells rotten to the core.

We choose Firefox to get the evil M$ crapola OUT of the browser experience, and now this collusion with them questions the security issues we expected to avoid – they are digging their own grave.


Posted by: PC-tech | October 19, 2009 12:18 PM | Report abuse

What's the difference between what MS did without permission and what those using Malware to infect your computer without your permission?

PS: I find it amusing that the MS defense posting is by JoStalin (Joseph Stalin)! Look for more postings by AHitler and DCheney?

Posted by: jeh1 | October 19, 2009 2:13 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company