Routine Windows security update invisibly creates security holes in Firefox browser
Millions of computer users may be at risk
Should Microsoft’s hackers be jailed?
The 800-pound gorillas at Microsoft, notorious for releasing perhaps the most poorly tested, security-deficient commercial software in the known universe, have taken it upon themselves to shoot holes in the security of third-party software as well.
In February 2009, the bumbling twits at Microsoft released a—I actually hesitate to use the term, for reasons which will become apparent—“Security Update” for the Microsoft .Net Framework, specifically, “Microsoft .NET Framework 3.5 Service Pack 1.”
Outrageously, this update also installs the Microsoft .NET Framework Assistant 1.0 extension (add-on) into Firefox without asking the user’s permission.
Yeah? So What?
Well, if you use the Mozilla Firefox browser, you will now find, (actually, you may not—until it’s too late), that websites can now—without your knowledge or consent—download, install and run software on your computer! That’s right, the default settings of this add-on permit websites to install software without notifying you.
Yep! That’s what it does. Microsoft has seen to it that the users of third-party browsers can now have the same sort of security problems which plague users of Microsoft’s—much reviled—Internet Explorer!
But wait, there’s more! The add-on reports the .NET version installed on your computer to every website you visit in the User-Agent string.
The add-on makes use of “ClickOnce” technology, which is expressly designed to allow the installation and execution of software, simply by clicking a link on a webpage—whether or not the link legitimately indicates it is pointing to a software package.
Well, Wikipedia says ClickOnce is a secure technology. So, why shouldn’t I trust it?
Considering the fact that Wikipedia is the world’s largest repository of laughably erroneous data, and that said data is often provided by parties with a vested interest in skewing the information, lets look instead at a quote from InformIT.com’s page on ClickOnce security:
“The problem with the default security model for an enterprise [business] environment is that it puts the trust decision of whether to elevate permissions or not into the users' hands. If an application needs elevated permissions, it prompts the users, and if they click the Install button, the application can elevate its permissions all the way to full trust if it wants to, effectively removing the runtime protections that ClickOnce is capable of providing… Many users do not have the experience to discern a true high-risk scenario from one that is acceptable.”
Indeed, given Microsoft’s abysmal security track-record over the years, (they permitted one XP security hole to remain unpatched for seven years—though they knew about it all along), are you willing to bet that there isn’t a malicious hacker out there who can defeat whatever ClickOnce really has for security and take a peek at your credit card numbers or your financial data? Or watch over your shoulder as you do online banking?
If you have “Automatic Updates” enabled, and you are a Firefox user, you may have the .NET Framework Assistant installed on your computer.
To add insult to maliciousness, should you, while perusing your Firefox add-ons, run across the Microsoft .NET Framework Assistant extension in the list and wonder, “what the hell is that and how did it get into my Firefox?” I’m sure you will be equally bemused to find that the “Uninstall” button is disabled.
So, what is Microsoft .Net Framework? To simplify somewhat, .Net Framework, (yes, that .dot is supposed to be there), is a collection of software which can be used by Windows and third-party programs to perform various functions which would otherwise have to be coded into each application: It helps programmers by cutting down on their code-work and helps you by reducing the overall size of programs which require such routines.
So, this Firefox add-on thing is necessary to the functioning of my software then, Right?
Not in the slightest.
The average Windows user will likely never install software that requires the .Net Framework. Even if a user does have applications that require it, the “ClickOnce” add-on to Firefox is completely unnecessary, representing more of a security risk than it creates a convenience for the user.
Indeed, Annoyances.org, a website which relies on user input to find and fix problems related to Microsoft applications and operating systems, has this to say about the .NET Framework Assistant add-on:
“This update adds to Firefox one of the most dangerous vulnerabilities present in all versions of Internet Explorer: the ability for websites to easily and quietly install software on your PC. Since this design flaw is one of the reasons you may've originally [chosen] to abandon IE in favor of a safer browser like Firefox, you may wish to remove this extension with all due haste.”
Ditch the Firefox add-on, ditch it now.
Removal instructions may be found at Annoyances.org and Microsoft Support. WARNING! Microsoft has seen to it that there is no easy way to remove this malware! The removal instructions require registry editing which—if done incorrectly—may result in software malfunctions or Windows refusing to start altogether! Follow the instructions precisely.
If you are unwilling or unable to remove the offender according to instructions, open Add-ons in Firefox, right-click “Microsoft .NET Framework Assistant” select “disable” and restart Firefox. Hopefully, it will stay disabled.
Don’t think you are safe with the Microsoft malware enabled in Firefox so long as you don’t visit “questionable” websites: Here is a short sample of the many, many legitimate websites which have been hacked in the recent past:
Al Gore's climate crisis website hacked by Viagra sellers (Had to put Chicken Little at the top of this list)
So just what the hell did Microsoft think they were doing? According to Brad Abrams at this site they claim they were doing you a favor:
“A couple of years ago we heard clear feedback from folks that they wanted to enable a very clean experience with launching a ClickOnce app from FireFox. [I wasn’t one of them, Brad, nor, I’ll just bet, were the vast majority of Firefox users] James Dobson published FFClickOnce and got very good reviews, but we had many customers that wanted ClickOnce support for Firefox built into the framework… so in .NET Framework 3.5 SP1 we added ClickOnce support for Firefox! This made ClickOnce apps much more accessible to a wide range of customers.
We added this support at the machine level in order to enable the feature for all users on the machine. Seems reasonable right? Well, turns out [translation: ‘We knew it couldn’t be uninstalled and did it anyway’] that enabling this functionality at the machine level, rather than at the user level means that the "Uninstall" button is grayed out in the Firefox Add-ons menu because standard users are not permitted to uninstall machine-level components.”
Makes you wonder what the hell else these bozos have sneaked into your computer without your knowledge, doesn’t it?
Are Microsoft programmers like many journalists? Do they have to flunk an intelligence test before they are hired?
Brad, Microsoft, no. It sure as hell isn’t reasonable in any way, shape or form, to hack someone’s computer without their knowledge or consent. If there is some fool out there who wants to give websites the ability to silently run their software in his computer, he should manually install it from the Mozilla add-ons site—where Microsoft should have posted this disgrace in the first place. Microsoft has no business hiding this in an otherwise legitimate “security” update.
I work with clients whose companies are locked into Windows; consequently, I have to have at least one computer for my business which runs Windows so I can follow along with those clients—remotely—as I try to solve a problem they just discovered.
I go to a very great deal of trouble, indeed, to make certain that malicious software never takes a foothold on that computer—including the use of the more secure Firefox browser. The very last thing I need is for Microsoft—or other software companies—to waste my time, make my life more difficult and make my computer less secure by introducing yet more potential security holes while hacking my third-party applications!
Fortunately, said precautions prevented Microsoft from tinkering with my Firefox. Yours may be another matter. (And no—please don’t even think of asking what my security precautions and procedures are.)
Lets take a for instance, (I just love “for instances,” don’t you? They’re so warm and cuddly): You own a car, a Chevy, say, and you’ve paid it off—you own it free and clear. You take your car to your Chevy dealer for a 3,000-mile oil change and Chevy’s mechanic disables the third-party security device you had installed—without your knowledge or consent.
What’s the difference between our little for instance and Microsoft frivolously altering your third-party software? Save that Microsoft’s criminal tampering with private property was done via the internet—precisely, none.
If a basement-dwelling hacker did the same thing to your computer—altered your software to make it less secure—when caught, he would be arrested and charged with, at the very least, illegally accessing a computer. There is nothing in the EULA—the Microsoft End-User License Agreement—which gives Microsoft the right to tamper with your third-party software. Such tampering is illegal in the U.S. and many other countries.
"Breaking into other people's property is a crime—it makes no difference if it's a computer or a house that you're burgling."
—Graham Cluley, senior technology consultant for Sophos Anti-Virus
So, perhaps the twits at Microsoft who decided to hack your third-party software should spend a little time in the slammer, (I might recommend hard labor; smashing Microsoft Vista CDs).
“Now wait a minute,” I hear you bellow. “That’s ridiculous! You’re blowing this way out of proportion!”
Many people have their whole lives in their computers. Consider what may be found on a typical user’s system:
- Financial records
- Passwords to bank accounts
- Mortgage data
- Codes to disarm the security alarms for the house and the office
- Medical information
- Credit card numbers
- Sensitive emails
- Family photos—including pictures of the kids and the exterior and interior of the house
- School records
- Information which might allow someone to determine the whereabouts of children at a given time
- Code words to be given to said children in case of emergency
- The babysitter’s name and the dates and times she watches the kids
- Data on what medication, money or firearms may be in the house
- Safe combinations
Rightly or wrongly, wisely so or not, all that and more may be on someone’s computer, (which the users have reason to believe* to be as secure as possible), when Microsoft tampers with their system, allowing Jimmy-The-Crook’s website to download and run unknown software.
Given the above, maybe you’re not taking this seriously enough!
*Note: Do not infer from my statements that I consider Firefox or any other web browser to be 100% secure—that just ain’t so, folks.
Some internet sites speculate that Microsoft’s little Firefox hack job may have been a deliberate attempt to sabotage it’s competitor’s product. If this is, in fact, the case, it wouldn’t be the first time: Microsoft was brought to trial by the U.S. Department of Justice in 1998 for similar offenses.
If you find that your Microsoft security update has hacked your copy of Firefox, or if any other software company has similarly hacked your third-party software, and you reasonably believe that this activity is illegal, I strongly urge you to report the crime to:
FYI, Microsoft isn’t the only upstart company to resort to such practices:
- Apple’s QuickTime and ITunes updates previously installed MobileMe and Safari (63 MB and security-plagued)—without user notification or permission—and pushed Apple Mobile Device Support, Apple Software Update and Bonjour.
- The RealAudio media player's default installation includes both Google Toolbar and Google Desktop Search.
- Sometime ago, Java's default installation included a game called "Puzzle Pirates"—then Java decided they wanted to install Sun Open Office (takes up 250 MB on your hard drive) and Yahoo Toolbar during Java updates.
- Adobe Acrobat Reader's default installation includes the Google Toolbar.
- The RealAudio media player's default installation includes both Google Toolbar and Google Desktop Search.
None of the extras the software providers push in these installations and updates are necessary. In truth, many of these installs and updates do give you the option of disallowing the installation of some of the software, but if you have no bloody idea what “Open Office” or “Bonjour” is, do you allow it or disallow it and hope that the software you do install will run without it?
When in doubt, take a cue from Nancy Reagan and “just say, NO!”
If you research the Google or Yahoo toolbars and decide you want one of them added to your browser, go to their sites and download them—don’t trust anything you are asked to install second-hand.