10/18/2009

Firefox Blocking Microsoft .NET Plugin/Add-on

There was a lot of noise starting back in February 2009 when Microsoft began pushing out a secret .NET plugin/add-on to Mozilla Firefox.

Among other problems, Microsoft was installing the plugin into Firefox any time you ran Windows Update.

The complaints about this plugin were:
  1. There was no notification of the update.
  2. There was no practical way to prevent the update.
  3. Disabling the plugin was a supreme headache.
  4. Firefox isn't even a Microsoft product!
The good news about this is that Mozilla Firefox developers are now blocking the .NET plugin.

Given the list of problems cited above with this plugin, it's no wonder Mozilla devs moved to block the add-on.

We're not alone in wishing it had happened sooner; regardless, we're glad they have.

Sure, Microsoft has every right to make a .NET plugin for Firefox. The problem is (and was) that they weren't giving users any notice that the plugin was being installed.

They just did it.

Oh, and good luck getting it disabled once it's in there.

If Microsoft wants to make the download available as an optional installation AND make it possible to easily disable the plugin, that's fine.

What they did, though, is unacceptable, as it was nigh impossible for most users to disable. If a security issue had arisen with it for which Microsoft, as they do from time to time, declined to issue a patch (or was slow to issue one), users would be hard pressed to disable the plugin to mitigate the risk.

Whoever at Microsoft was responsible for this plugin could have made it work the way it did for a few reasons. Each possible reasoning is listed below, along with why that reasoning was unsound:

  1. Microsoft's possible reasoning: Give everyone a similar experience in Firefox to the one they would have with Internet Explorer.
     Why it was unsound: Fine. Just give users the choice to opt out easily, and give them the chance to easily disable the add-on at any time after installation if they don't like or want it.

  2. Microsoft's possible reasoning: Making it optional confuses too many people.
     Why it was unsound: If you're confused about what it is or how it works, how do you expect anyone to know what they're missing by not having the .NET add-on?

  3. Microsoft's possible reasoning: Making it difficult to remove makes it hard for people to miss out on the experience.
     Why it was unsound: What if there's a security issue? What if there's a stability issue? What if I just don't want it? How can anyone minimize the security risk or test for stability issues if it's so difficult to remove?

  4. Microsoft's possible reasoning: Making it difficult to remove lets Microsoft extend its reach into Firefox.
     Why it was unsound: Why create more browser-related problems for Microsoft, which already has plenty of issues to contend with in the antitrust arena?


How would users feel if, without notifying them, without giving them a chance to opt out, and without giving them an easy way to undo what had been done, Microsoft suddenly started changing settings or adding "features" to something like Internet security software?

While not exactly Internet security software, per se, Firefox is installed by users because in many ways it does provide greater security than Internet Explorer.

No matter how you look at it, the way Microsoft chose to install the plugin, essentially injecting its own code into another company's product without users' knowledge or consent, was unwise at best and, while not exactly malicious, almost certainly not on the up-and-up.

I'm just glad Mozilla finally disabled the .NET add-on.

If you haven't updated your Firefox (or haven't yet tried it), you can download Firefox--the latest version, of course--and get the .NET plugin disabled.

08/04/2009

Critical Security Patches to Mozilla Firefox

On the heels of an announcement a couple of days ago from Adobe about security flaws in Acrobat, Reader, and Flash, Mozilla just released versions 3.5.2 and 3.0.13 of Firefox to patch two security flaws they're calling "critical".

From the Mozilla Foundation's security announcement,

"We strongly recommend that all Firefox users upgrade to this latest release....

"This update can be applied manually by selecting 'Check for Updates...' from the Help menu."

The 3.0 and 3.5 releases of Firefox each patch different vulnerabilities, but both updates are definitely well worth taking the time to apply to your browser.

Here's a brief recap of the fixes (for complete details visit the following URLs):

Firefox 3.5.2 Release Notes
Firefox 3.0.13 Release Notes



Firefox 3.0.13 Fixes

Mozilla Advisory 2009-42
  Fix Details: "These certificates could be used to intercept and potentially alter encrypted communication between the client and a server such as sensitive bank account transactions."
  Why It Matters: A subtle flaw in the way HTTPS (i.e. SSL) sites have their security certificates handled in Firefox means an attacker could lead you to believe you're on a secure site, like your bank, when in fact you're at their evil site--even if it looks perfectly legitimate.

Mozilla Advisory 2009-43
  Fix Details: "This vulnerability could be used to compromise the browser and run arbitrary code by presenting a specially crafted certificate to the client."
  Why It Matters: An attacker can craft a security certificate that will cause Firefox to run any code of their choosing on your computer.


Firefox 3.5.2 Fixes

Mozilla Advisory 2009-45
  Fix Details: "Some of these crashes showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code."
  Why It Matters: Memory corruption is never a good thing. In the case of software like Firefox, it can mean an attacker running code of their choosing on your PC.

Mozilla Advisory 2009-46
  Fix Details: "Mozilla security researcher moz_bug_r_a4 demonstrated that the broken functionality was due to the window's global object receiving an incorrect security wrapper and that this issue could be used to execute arbitrary JavaScript with chrome privileges."
  Why It Matters: Similar story here: with enough care, an attacker could write code, JavaScript in this case, to run code of their choosing on your computer.


While we've not tested these vulnerabilities, or whether antivirus software could help insulate your PC from these attacks, that's one of the things we rely on antivirus software for: protecting our computers against unknown security issues.

A few things are definitely clear from this announcement:

  1. The bad guys aren't going to stop trying.
  2. Even good software like Firefox has bugs.
  3. If you think just because you're running Firefox, you're immune from such exploits, think again.
  4. While antivirus software may not help protect against every possible threat, it definitely helps minimize the risks.

02/04/2009

Security patches in Firefox 3.0.6, upgrade urged

Well my dear computing friends, there's a new release of Firefox out: 3.0.6.

This release of Firefox brings a number of security fixes of different levels of priority, four of which are 'moderate', 'high', or 'critical' in nature.

For those of you who are new readers of our blog, we recommend Firefox over Internet Explorer, but as with quite literally any software you run, there is a chance of security issues.

When it comes to your web browser, these security risks are multiplied many times over, since it is the web browser that most of us use for most of our interaction with the net (the second most being our email client: Outlook, Thunderbird, Eudora, or similar).

When it comes to your web surfing, choosing a browser like Firefox and an email client like Thunderbird can mean a significantly improved, safer web browsing experience.

Combine that with an Internet security suite, and you've got a winning combination for complete computer security.

If you haven't yet had a chance to Download Firefox, 3.0.6 is a good release. At the very least, have a look at that link and our rationale behind why we (and many others) choose Firefox over Internet Explorer. For those so inclined, here's a complete list of Firefox 3.0.6 security patches along with the Firefox 3.0.0 release notes.

11/13/2008

Firefox 3.0.4 Released

Firefox, one of our favorite browsers, just rolled out its latest version, 3.0.4.

Here are the official release notes: http://www.mozilla.com/en-US/firefox/3.0.4/releasenotes/

For a complete list of bugfixes check out: https://bugzilla.mozilla.org/buglist.cgi?....

Here's a recap of what was fixed in this version...

CRITICAL:
  MFSA 2008-55 Crash and remote code execution in nsFrameManager
  MFSA 2008-54 Buffer overflow in http-index-format parser
  MFSA 2008-53 XSS and JavaScript privilege escalation via session restore
  MFSA 2008-52 Crashes with evidence of memory corruption (rv:1.9.0.4/1.8.1.18)

HIGH:
  MFSA 2008-57 -moz-binding property bypasses security checks on codebase principals
  MFSA 2008-56 nsXMLHttpRequest::NotifyEventListeners() same-origin violation

MODERATE:
  MFSA 2008-51 file: URIs inherit chrome privileges when opened from chrome
  MFSA 2008-47 Information stealing via local shortcut files

LOW:
  MFSA 2008-58 Parsing error in E4X default namespace


As you can see from the list, there are plenty of reasons why you should upgrade your Firefox if you're using an older version. Download Firefox here...