Microsoft screwed up and all that, I agree... but you're presenting facts as if Microsoft purposefully created a security threat that they maliciously injected in Firefox, with the aim of making it vulnerable. That's not the case. They installed it in IE, too (and, surprisingly, the original goal of the plugin wasn't to be a walking security threat).

I mean, if people read what you said but don't follow the links you gave, they're likely to get the wrong idea, or just be confused. Distorting facts to make them more sensational doesn't help your credibility. :\

You're not the only one guilty of that, but seriously, it's annoying to read twisted / misrepresented facts everywhere. Do you guys have to turn everything into some kind of Jerry Springer Show?

"It did not, however, apologize to Firefox users for slipping the add-on into their browsers without their explicit permission -- as generally the procedure for Firefox add-ons or extensions."

It worries me that Microsoft can do this - if they can, can others too?

What's the point of Firefox explicitly asking for the user's permission if it can just be bypassed?

Sorry, i'm not too technically minded. if I've missed the point, let me know :-)

Stifu, I completely disagree.

Microsoft has a pretty awful track record when it comes to security on the Web over the last decade and they intentionally secretly installed software into Firefox that couldn't be removed by users and that did have a surface exposed to the Web.

When it happened, we all thought "man, that was dirty" and the very next thought was "sure hope it doesn't open Firefox up to security holes."

Here we are 8 months later, completely justified. It was bad behavior to install the software without asking. It was bad behavior to do it in a way that was not reversible. It was bad behavior to add to Firefox's security exposure surface for potentially hundreds of millions of users even if they did not know about the flaw at the time.

There's nothing but bad behavior here -- at no point in this whole sad series of events was Microsoft's behavior appropriate. I'm not sensationalizing. It's just bad, bad, bad.

- A

Colin F., you asked "It worries me that Microsoft can do this - if they can, can others too?"

If "others" can install software on your computer like Microsoft can with Windows Update (silently, or with your express permission) they can install extensions in Firefox.

This isn't anything specific to Firefox though. If they can install software on your system, they could just as easily replace Firefox with a malicious version of Firefox -- no need to install just an extension.

If you let someone install software on your PC, you're trusting them with your computer -- all of it.

What you hope is that the companies like Microsoft you trust to install software on your computer don't abuse that trust and sneak unrelated software onto your system that opens you to potential security vulnerabilities.

Remember when Apple was using Apple Update to sneak a copy of Safari onto computers when users updated QuickTime or iTunes? Same thing. If you let someone install software on your computer, they can do what ever they want. It's that simple.

It's a shame we can't say "only install software from vendors you trust" because most people trust Microsoft and Apple -- two companies that have shown a willingness to abuse that trust to forward their goals.

- A

@Colin: Microsoft installed the add-ons through a regular system installer, in this case Microsoft Update, rather than through Firefox's extension installer. It bypassed Firefox's permission checks in exactly the same way that installing, say, Microsoft Office or World of Warcraft would happen without Firefox asking your permission.

Asa: Wouldn't this be a good time to use http://www.mozilla.com/en-US/plugincheck/ to both warn users and suggest that the they disable it?

Ironic.

I mentioned that letting that plugin install automatically like that was a bad idea in dev.apps.firefox a while ago.

I believe support for hidden addons has been removed in mozilla-central and likely to be removed in Firefox 3.6 (bug 508109). (This doesn't change what addons are installed; it just changes what shows up in Tools -> Add-ons.)

"If you let someone install software on your PC, you're trusting them with your computer -- all of it."

YEP! It happens all of the time. Sun has done it through Java (added Yahoo toolbar WITHOUT prompt or options), Google added added an extension silently and globally through Google Photos Screensaver, and QuickTime added Apple Software Update through an update (a few days ago) without warning or options and after I had already uninstalled it 2-4 times in the past, and, it hijacked all of my default file association settings (I no longer have QuickTime on my system).

As far as apps installing extensions into Firefox silently and globally (all current and new profiles), my opinion is that it just shouldn't happen and be allowed by Firefox. There are too many security risks.
I'm not sure what the current status of this issue is, I tracked down 3 bugs pertaining to it starting with one that I filed on 10/21/2008 about the Microsoft .NET Framework Assistant extension long before the story hit the media and here are a few comments in the bug.

10/22/2008
"We can try to make sure the
"obvious" mechanisms for extension installation cause users to be notified.
But we can't make it impossible for an external application to install an
extension silently -- only the OS can make that impossible."

10/21/2008
"The "global profile paths" are an intentional feature that facilitates global
extension installation. They can only be used by programs that already have
write access to your hard drive, which means that if someone truly was trying
to use them to spread malware, no amount of protection or user notification in
Firefox code is going to stop them - the game's already over. They could choose
to use their write access to replace Firefox (or another program) entirely, or
to install a trojan and register it to run at startup, or any number of more
direct attacks than installing a malicious extension.

Given that this feature is well-known and already used, there's no need to keep
this bug report hidden. I'm not sure there's anything described in this bug
report that could really lead to action - any mitigation for the problem from
our side is likely be ineffective enough that their implementation costs
outweigh their benefit, I think, but I'm of course open to specific proposals
about how we could improve the situation."

I would like to see Mozilla work independently or with another company to provide some sort of detection and removal app for when an app is going to or has installed a new extension silently, globally, etc.
Catching it before the installation may not be too easy, but I can't image it as being impossible considering that anti virus programs have specific definitions that they look for when scanning a file and they warn a user prior to opening a file if there is something harmful found (according to their definitions list).
At the very least, a user should be notified that a new extension has been installed into Firefox. That was not the case for me with Microsoft and Google.

As it stands, and as far as I'm aware, users remain extremely vulnerable.

The old bugs. Perhaps there are newer ones.
Invasive Automatic Unwanted Extension Installations by OS Programs
https://bugzilla.mozilla.org/show_bug.cgi?id=461088
Make it harder for malware to install extensions into Firefox
https://bugzilla.mozilla.org/show_bug.cgi?id=346960
Limited-privilege extensions (was: security on Extensions is seemingly non-existent)
https://bugzilla.mozilla.org/show_bug.cgi?id=219180
Unwanted Auto Add-ons Installations screen shots (October 2008) Firefox versions 2.0 to 3.1b1
http://www.accessfirefox.org/Unwanted_Auto_Addons_Installations.php

Ken, there are two cases here. There is the case of a "good actor" doing the wrong thing -- like Microsoft has done here. In that case, I think education rather than technology is the right approach. The second case is a "bad actor" trying to harm you. In that case, there's nothing Firefox can do to protect itself because if the bad actor is running code on your system, he could simply replace Firefox with his own version of Firefox that didn't do anything to protect itself. There's no mitigation for a bad actor that has achieved permission to run code on your system.

- A

Well, I guess that it all comes down to doing research on anything that you are about to download and/or install, of course before downloading it.
I'm in the habit of doing that now for vendors and sites that I'm not familiar with or haven't already allowed access (the good actors), but I am increasingly skeptical about the good actors too and for obvious reasons.

When it comes down to it, there are no fool-proof security measures that one can take aside from not downloading and installing anything, including emails, but I'm pretty confident that the software that I use does a damn good job at helping to protect me which of course includes Firefox and some security related extensions, Thunderbird, Avast (my best friend), and a hand full of others.

By the way, it's great to see that you have (apparently) finally settled in and have gotten back to blogging again. It was odd seeing 2 months go by without monthly market share posts. I'm sure that it really threw off your metrics methodology critics too.

Microsoft has a pretty awful track record when it comes to security on the Web over the last decade and they intentionally secretly installed software into Firefox that couldn't be removed by users and that did have a surface exposed to the Web.

Here's a reality check for you, Asa.

Mozilla has had a worse track record than Microsoft since 2006 when it comes to security on the Web, and Mozilla intentionally allows secret installions of software into Firefox that couldn't be removed by users and that did have a surface exposed to the Web.

Evidence may I ask for, Eice?

The plugin is now blocked in my Firefox.
That is strange, because I thought that
the security problem was gone after the
Microsoft patches. And it got blocked
after that.

I just wonder, is this plugin somewhere
used???? It is rather vague plugin.

I am going to block or uninstall more
plugins. After the Mozilla version check, my
RealPlayer and QuickTime were out of
date.

Updating RealPlayer is a real pain, because
you get always things you don't want.
QuickTime was a download of 101Mb!
With the Microsoft updates, it took me
about an hour to get everything up to date.

Once, I had a separate laptop for filling
in my job hours. For security reasons it
was on a separate laptop. So, I used that
laptop only once a month. With as consequence,
that every time I used it, I had to update
it. So, filling in my hours should only
take 10 minutes, but with the update and
restart it became 20 minutes. So, 200%
overhead for updating!

Updating becomes a bigger and bigger problem.
New OS should be designed in the core for
efficient update, removal of unwanted software
etc.

Lucas

And of course all of this happens just as I think, "Ive been watching my updates too close for too long, It will be okay" And then, I download. Never again will I trust these updates . I always had a bad feeling about them, and went over them with a fine toothed comb, and then I waited a few days to see what problems would come up and only then would I download. Not this time!
If only I had waited as usual, I wouldnt have to worry about this particular situation. I did disable it through the tools setting in Firefox. But, at some point after that as I started my browser a few days later, I got the message of the harmful plugin with what steps to take. Im not sure what is going on.
And what about the people who know nothing else but how to turn a computer on?
The reason I ask this, I helped someone set up their system, and of course I turned the express settings on for her updates because she has no clue of how to do the custom settings. I know its simple, but there are some people out there like this.

Asa is just full of some over the top sensationalism again.

"Not only was the install not requested by users (malware)"

I guess all those plugins out there are malware then. You get Real Player plugins, Quicktime plugins, Windows Media Player plugins, Acrobat Reader plugins, Adobe Flash plugins, Java plugins, etc. etc. You install something, it installs plugins to all your browsers without explicit permission.

After all, you are using Microsoft Windows, which has .NET Framework, on which you install a service pack, and it installs a plugin to all the browsers. So Microsoft's behavior is not really any worse than all those other plugin makers out there, and as long as all those other plugins are not counted as malware, I don't think anyone can accuse it being malware. And it's completely different from the Apple Update/Safari case, since it does update something already installed on your computer (.NET Framework) and it is installing a relevant plugin to implement some features of this .NET Framework update.

"it opened Firefox users to a critical remote exploit flaw"

And how is that anything new? Adobe Flash and Acrobat Reader and Java plugins have done that times again much much longer, and unlike Microsoft, at times Adobe don't even care to fix their plugins many months after critical vulnerabilities are discovered.

In the end, Microsoft is not guilty of anything that's not already commonly practiced time and again by almost all those plugin makers out there, if something should be changed, it's the whole plugin eco-system, Microsoft is really just following the norm, and at least they seem to be more committed to fixing their plugin's vulnerabilities than Adobe (and Adobe surely has a much more awful track record when it comes to security on the Web over the last decade than Microsoft).

Actually, isn't it already the de facto standard for plugins to be installed silently without explicit permissions, and then introduce critical vulnerabilities to the browsers. I think if you really care about the security of the Web, you should put much more emphasis on the faults of the whole existing plugin eco-system, instead of just focusing on Microsoft. Then it will actually help the Web, instead of some more sensationalism that helps nothing.

I think they should block ALL add-ons that are known to install themselves without permission. Many of these parasitic add-ons are unnecessary and unwanted by users, yet ALL large programs that are connected to a Web browser carry security risks. The risk is not just theoretical, either. I think virtually all Microsoft programs have had critical security vulnerabilities. In the case of the .NET plugin, it's difficult to avoid and difficult to remove.

Sneaking such programs into Web browsers is unacceptable. It's unfortunate that Mozilla timidly waited for so long to disable this one. And even now, have they not removed the block already? Come on, Mozilla, get a spine.

Unfortunately, this problem is not confined to Microsoft. Even my favorite Google has sneaked in a plugin. Block them all until they ask permission for installation.

@kaixin001: The difference is that with Flash, Quicktime, etc., you EXPECT it to install a plugin. In most cases, that's specifically what you're trying to install.

This is more like installing an office application and having it silently add a plugin to your browser.

I had forgotten about this, but I just remembered how I have avoided this one plugin so far. I temporarily uninstall Firefox each time before I update Windows or install .NET. It keeps the MS leeches from finding Firefox. It's not really fun or recommended, but it does work--so far.

Add-on developer Davide Ficano has written an extension that alerts users when a new plugin has been installed. Pretty cool imo.
http://dafizilla.wordpress.com/2009/10/18/net-framework-assistant-automatic-plugin-installation-and-pluginchecker/

"I think they should block ALL add-ons that are known to install themselves without permission" VanillaMozilla

That would be great, but it would be impossible to create and maintain such a list considering that pretty much any program can install an add-on.
Again though, as Asa has said, and as I learned through personal experience with the .NET add-on, if you grant permission to a program (any type) to install something into your system, you are giving it access to your entire system.

I just want (at a bare minimum) for Firefox to alert me when a new add-on has been installed by an external app. That was not the case for me with the .NET and Google Photo Screensaver extensions that were installed silently.

Asa, it would be great if education alone would be sufficient to prevent future issues similar to this one, but in all due respect, that would never be enough especially considering the bad actors.
Mozilla needs to be proactive and put into policy and practice (through technology) that external apps cannot install add-ons into Firefox without explicit permission from the user. A simple check box, opt out option would work for me. Sun finally does it and so do many others such as VLC for their Firefox plugin.
Apps installing add-ons globally sucks too but I at least learned how to remove them.

More often than not, and despite how wrong and inaccurate that it is, people are blaming Mozilla more than they are the company (in this case MS) that is installing add-ons silently.
It's bad PR.

Ken, the problem is that if someone wants to add an extension to Firefox without permission, and they are executing code on your system, they could just turn off or replace the part of Firefox that gave the warning. They could replace the entire Firefox. There's no way to stop bad actors here.

- A

A gal can dream can't she?

I guess that I was just being stubborn or overly hopeful.
I actually do get it. Sorry that you had to repeat yourself.

It's all like allowing someone like a subcontractor to come into your home to do a seemingly honest task and they end up screwing you over right in front of your eyes or when you go to the can. It's a personal violation and it's no doubt worse when it ends up being someone that you thought that you could trust (the good actors).

I wonder if it was because of the outrage that arose from users and all of the online coverage that Sun decided or was forced to provide an opt out option for the Yahoo toolbar that came/comes along with Java. No company wants to be associated with crapware sneaky installs unless that company is Apple or Microsoft.
Google I imagine does care and I'm sure that they will change their ways, but primarily because we've allowed it from the beginning, Microsoft is going to do what Microsoft wants to do so an outcry from users is more than likely to fall upon deaf ears there. However, the end result of this issue will show just how important that Mozilla is to the Internet and how they stand up for us little guys and gals.
I can't get on the phone and call Microsoft, Mozilla can (and is, bug 522777) on behalf of its users which will hopefully bring about policy changes that all Microsoft product users will benefit from, not just Mozilla ones.

I love the lizard. :)

Feel free to use that. It isn't copyrighted (yet).

I'm not suggesting the impossible -- that you try to block malware or that you block all possible programs that can install plugins without permission. I'm suggesting that you block KNOWN, common rudely installed plugins. Most of us don't have malware as plugins. We have plugins from MS, Google, and the like, and those are the ones that have turned out to be (1) installed without permission and (2) vulnerable. I betcha most people have at least one of those and don't know it. Flash is often vulnerable, but at least (1) I put it there and (2) I KNOW it's there and can take precautions. Your users need a hand here.

"I'm suggesting that you block KNOWN, common rudely installed plugins. "

Well, we are instituting a notice to users when a third-party app installs an extension. Besides this MS WPF plug-in, what common plug-ins are installed without user permission? The ones I have installed were all either installed with my permission (Flash, Google Earth Plug-in, Flip4Mac WMP, and QuickTime.

- A

Asa: I remember having a bad experience with the Ask toolbar, installing itself on its own in Firefox. Wasn't on my computer, but on my bro's and others as well. I don't remember how it got there.

"If you let someone install software on your PC, you're trusting them with your computer -- all of it."

Nice thing about Mac OS X is that most software doesn't require installations, like Firefox. It's possible to never install any software and still have decent choices. I don't install software unless I already know it won't inject my system. Linux too, but I don't think Linux users take that route.

Quote Asa:
"Well, we are instituting a notice to users when a third-party app installs an extension. Besides this MS WPF plug-in, what common plug-ins are installed without user permission?"

Why, the .NET extension, of course. And if you install Google Chrome it sneaks an extension into Firefox. It's nice that you that for extensions, but it needs to be done for plugins as well. It's not unreasonable to require permission to install.

I don't understand why Mozilla doesn't enforce this. Timidity? Understand that they won't necessarily have to block plugins, but that's the remedy if more genteel methods fail.