Microsoft Explains Mystery Firefox Extension

Ricky writes with a followup to news we discussed a couple days ago that a Microsoft toolbar update was installing an IE add-on and a Firefox extension without the user's consent. Quoting Ars: "Microsoft has fixed the distribution scope of a toolbar update that, without the user's knowledge, installed an add-on in Internet Explorer and an extension in Firefox called Search Helper Extension. Microsoft told us that the new update is actually the same as the old one; the only difference is the distribution settings. In other words, the update will no longer be distributed to toolbars that it shouldn't be added to. End users won't see the tweak, Microsoft told Ars, and also offered an explanation on what the mystery add-on actually does. 'The Search Enhancement Pack is a shared component used by the Windows Live Toolbar, MSN Toolbar, and Bing Bar. This component enables toolbar search functionality, like the toolbar search suggestions drop down. It is not the toolbar. It is a component used by the toolbars.'"

  • English Doc? (Score:5, Insightful)

    by commodore64_love ( 1445365 ) on Saturday June 12, 2010 @08:27AM (#32549004) Journal

    (looking perplexed)

    I still don't understand why it was added to Firefox when I'm not using MSN, Bing, or any other crap.

    • Re: (Score:3, Informative)

      by Voulnet ( 1630793 )
      It wasn't added to Firefox users who didn't use MSN or Bing toolbars.
      • Re:English Doc? (Score:5, Interesting)

        by arth1 ( 260657 ) on Saturday June 12, 2010 @09:51AM (#32549540) Homepage Journal

        Wrong. It got added to Firefox if any of the toolbars were detected on the system, even if it was for IE. So someone with an OEM install of Windows with an IE toolbar, but who never used IE, would still get the Firefox add-on forced upon him.

        Now why Firefox would allow extensions to be installed from the outside without the user's permission is the question I have. That makes Firefox a good target for malware writers.

        • Re:English Doc? (Score:5, Informative)

          by rvw ( 755107 ) on Saturday June 12, 2010 @10:33AM (#32549878)

          Wrong. It got added to Firefox if any of the toolbars were detected on the system, even if it was for IE. So someone with an OEM install of Windows with an IE toolbar, but who never used IE, would still get the Firefox add-on forced upon him.

          Now why Firefox would allow extensions to be installed from the outside without the user's permission is the question I have. That makes Firefox a good target for malware writers.

          I suppose Firefox isn't running when this happens. So it can't block anything. Firefox can block addons to be installed if they are activated from a page that Firefox visits. This is a different situation. And if Firefox is running, it's probably possible to install something that is activated after a restart. And if it shouldn't, this is Windows, MS territory, and they may be able to do anything if they want to.

        • Re:English Doc? (Score:5, Insightful)

          by AusIV ( 950840 ) on Saturday June 12, 2010 @10:40AM (#32549928)

          How do you propose Firefox prevent the installation of an extension by software that has direct file system access? Firefox is open source, so anyone can look and see how an extension is installed. Third party software need only update the right files and the extension would be installed. Firefox had no control over any step.

          Now, this doesn't make Firefox a good target for malware writers. Anyone who can execute arbitrary code on your system doesn't need Firefox to cause problems.

          • "How do you propose Firefox prevent the installation of an extension by software that has direct file system access?"

            Don't use filesystem placement as the method of registering extensions. Keep registered extensions in an encrypted database which only Firefox has access to. Only add extensions when the user interacts with a secure API verifying they want the extension added. /next question?

            • "Keep registered extensions in an encrypted database which only Firefox has access to."

              You mean, like DRM? Yeah, hackers will never figure that out.

              (i.e., this solution would be vulnerable to the _exact_ same problem seen with media rights management.. the browser would need the key to access the database, thus it is also available to anyone who looks in the right place.)

              • by Polumna ( 1141165 ) on Saturday June 12, 2010 @05:21PM (#32552848)
                You're obviously right, but there's an implication worth mentioning for this specific instance. *Microsoft* would have had to violate the DMCA publicly. Even if they did it with some legal sleight-of-hand, it would at least make for a >500 comment slashdot story. :P
              • Re: (Score:3, Insightful)

                Except that if Microsoft circumvented the DRM, it would be flagrantly illegal and could not happen by accident.

                We're not talking about defending against a hypothetical foreign attack by a malicious adversary here, we're talking about preventing unwanted accidental or incidental installs.

                • by AusIV ( 950840 )

                  The DMCA applies to "technological measures used by copyright owners to protect their works." I think it would be hard to argue that it applies to this kind of protection.

            • Wouldn't that cause issues with software updates by extensions in general? I mean often when wanted extensions and addons like Java or Flash are updated, they need to point the references to a new file name or version. If that can be done without accessing the encrypted DB, like through windows update or when another browser is open, then the entire point of the encrypted database is mooted because you can install anything by simply adding to the existing plugins.

            • by AusIV ( 950840 )
              I'm not suggesting it has to do with filesystem placement, but that Microsoft's software has the ability to read and modify everything Firefox has access to. How do you propose creating an encrypted database that only Firefox has access to? Where do you plan to keep the key that Firefox can get it but Windows updates can't? This works (for a while) for proprietary software employing security through obscurity, but it could never work for open source software.
        • Which means they had the toolbar installed. I wasn't wrong there, I just wasn't very specific. Firefox now does prompt you when a website tries to install a plugin, but how this one got installed is beyond my knowledge. Apparently Microsoft knows its way around its system.
        • Re:English Doc? (Score:4, Interesting)

          by buchner.johannes ( 1139593 ) on Saturday June 12, 2010 @11:15AM (#32550218) Homepage Journal

          Now why Firefox would allow extensions to be installed from the outside without the user's permission is the question I have. That makes Firefox a good target for malware writers.

          Windows Update can remove or rewrite your Firefox install any way you like, Firefox can't in any way control that.
          Also, your profile folder can be rewritten in any way by user run program (malware). There is no way Firefox could prevent that.

          The only way to prevent things like this is OS security packages that enforce security policies (program A can write to folder B, program C may have TCP sockets). AFAIK RSBAC and SELinux are capable of this on Linux. But user home dirs, no way (how?).

          • by arth1 ( 260657 )

            Have Firefox require user signing of all extensions that are allowed to run.
            With the signing key protected by TPM on systems that support it, or an option to store it on an external location (like a USB key or a WEBDAV location) for those that don't.

            To get around that, Microsoft would have to hack and binary-patch Firefox' own code, which would no longer be merely immoral, but illegal. Not to say exceedingly difficult, considering how many different versions and revisions of browsers there are out there wi

            • It wouldn't have to be that difficult. All MS would have to do is create a sub-shell like program that Firefox runs in. With this, they could intercept or manipulate anything- including using scripts or whatever to overlay boxes on the ui.

              Think of it as the same principle that spyware and popups work/used to work. They installed a program that intercepted your internet sessions, viewed them and injected their own ads or content in the replies. Even in some cases, they would recognize the competition's ads on a

        • Firefox can't prevent a process with elevated privileges from making configuration changes to an existing Firefox installation, that's true.

          It could, however, provide an option which requires the user to sign every extension and plugin that the user wants to install or update.

          The only way a rogue process could imitate this effect would be to capture keystrokes. And subverting that sort of security would be no "accident". It's the sort of thing that would lead to lawsuits.
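
Added example (not part of the thread, and not Firefox's or Microsoft's code): a sketch of the user-approved extension list proposed in the comments above, using an HMAC as a stand-in for a signature, with the key assumed to be held outside the profile (TPM or removable media, as suggested). The one-directory-per-extension layout, the function names and the extension IDs are hypothetical, and the sample extensions are constructed in a temporary directory.

```python
import hashlib
import hmac
import json
import os
import tempfile


def digest_extension(path):
    """SHA-256 over each file's relative path and contents, in sorted order."""
    h = hashlib.sha256()
    for root, dirs, files in os.walk(path):
        dirs.sort()  # deterministic traversal
        for name in sorted(files):
            full = os.path.join(root, name)
            rel = os.path.relpath(full, path).replace(os.sep, "/").encode()
            with open(full, "rb") as fh:
                data = fh.read()
            # Length prefixes keep (path, content) boundaries unambiguous.
            h.update(len(rel).to_bytes(4, "big") + rel)
            h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()


def snapshot(ext_dir):
    """Map each extension directory name to the digest of its contents."""
    return {name: digest_extension(os.path.join(ext_dir, name))
            for name in sorted(os.listdir(ext_dir))
            if os.path.isdir(os.path.join(ext_dir, name))}


def sign(allowlist, key):
    """Tag the approved list; only a holder of the key can produce this."""
    canonical = json.dumps(allowlist, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def audit(ext_dir, allowlist, tag, key):
    """Compare what is on disk with what the user approved."""
    result = {"allowlist_ok": False, "unapproved": [], "modified": [], "missing": []}
    if not hmac.compare_digest(sign(allowlist, key), tag):
        return result  # the approved list itself was edited without the key
    current = snapshot(ext_dir)
    result["allowlist_ok"] = True
    result["unapproved"] = sorted(set(current) - set(allowlist))
    result["modified"] = sorted(n for n in current
                                if n in allowlist and current[n] != allowlist[n])
    result["missing"] = sorted(set(allowlist) - set(current))
    return result


def demo():
    key = b"constructed-demo-key"  # assumption: really kept off the profile disk
    with tempfile.TemporaryDirectory() as ext_dir:
        def write(ext, fname, text):
            os.makedirs(os.path.join(ext_dir, ext), exist_ok=True)
            with open(os.path.join(ext_dir, ext, fname), "w") as fh:
                fh.write(text)

        # Constructed sample: two extensions the user approved.
        write("adblock@example.invalid", "main.js", "// blocker")
        write("notes@example.invalid", "main.js", "// notes")
        allowlist = snapshot(ext_dir)
        tag = sign(allowlist, key)
        clean = audit(ext_dir, allowlist, tag, key)

        # Another installer with file-system access adds and alters files.
        write("search-helper@example.invalid", "main.js", "// helper")
        write("notes@example.invalid", "extra.js", "// added later")
        after_drop = audit(ext_dir, allowlist, tag, key)

        # It also rewrites the approved list, but cannot recompute the tag.
        forged = dict(allowlist)
        forged["search-helper@example.invalid"] = snapshot(ext_dir)["search-helper@example.invalid"]
        forged_result = audit(ext_dir, forged, tag, key)
    return clean, after_drop, forged_result


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The check only holds while the key stays out of reach of other software on the machine, which is the objection raised in the replies about where Firefox could keep such a key.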
        • Re: (Score:3, Interesting)

          by Hurricane78 ( 562437 )

          Uuum because Windows Update is software that has to have full control over the system to do its job of updating core system files. And because Firefox, being a normal user program and maybe not even running, can’t override a program with full access and rights to everything.

        • It got added to Firefox if any of the toolbars were detected on the system, even if it was for IE.

          No, I never install toolbars, and it got installed on one of my computers...

          I guess I'll have to investigate...

          • Re: (Score:3, Informative)

            by arth1 ( 260657 )

            The toolbar doesn't have to be installed by you. If the Windows version is OEM, it might have been pre-installed by the manufacturer. And if you've installed a program that requires java, it might have installed java with the silent option, and the Yahoo toolbar is opt-out. And a plethora of other options, including it being installed and disabled. If you don't use IE at all, chances are you never noticed it.

        • by SeaFox ( 739806 )

          Wrong. It got added to Firefox if any of the toolbars were detected on the system, even if it was for IE. So someone with an OEM install of Windows with an IE toolbar, but who never used IE, would still get the Firefox add-on forced upon him.

          I don't use any of the toolbars mentioned. I built this machine myself and installed Windows on it from a corporate XP installation CD. Why did I get that mysterious Microsoft extension?

          • by arth1 ( 260657 )

            If it was a corporate XP CD, it's far from inconceivable that it has been slipstreamed.
            Open Internet Settings, choose Programs, then choose "Manage add-ons". If you don't see any of the toolbars there, and don't see it in the Add-ons in any of your Gecko based browsers, contact Microsoft support -- I'm quite sure they would like to figure out how it was detected as installed on your system.

    • Re: (Score:1, Funny)

      by Anonymous Coward

      Then that MS PR flack did their job well.

    • Bah! Not welcome! Why is the uninstall button broken for this extension Microsoft?
    • I just checked and there's about as many plugins labelled "Google" as there are "Microsoft". I don't recall installing any of them.

      But still...this is a Microsoft bashing board, right?

      • No I pretty much hate all megacorps.....

        It's just that my hatred for MS has been burning longer (since the 80s), that's all. I started hating Apple when they started locking-out customers from installing apps or OSes, and making exploding iPod owners sign non-disclosure agreements. And Google..... well just a few months ago actually.

    • The reason, as posted in the article, was clearly explained by (I believe) one of their lawyers from the firm of Gobel D. Gook, Flim, Flam and Muddywaters. The conciseness of the explanation, narrowed to the most broad base terms of contradiction, should have been clearly understood by any writer of the Health Care Bill, as to be non-sequitur. Simple, huh?
  • by Zumbs ( 1241138 ) on Saturday June 12, 2010 @08:32AM (#32549030) Homepage

    The Search Enhancement Pack is a shared component used by the Windows Live Toolbar, MSN Toolbar, and Bing Bar. This component enables toolbar search functionality, like the toolbar search suggestions drop down. It is not the toolbar. It is a component used by the toolbars.

    And this explains why it was silently added to Firefox how? Wouldn't the reasonable way of accomplishing this be to download the pack with the extensions in question?

    • by maxume ( 22995 )

      It explains why it has a separate install process, and the separate install process makes it more plausible that the update would be mistakenly installed in browsers that do not have the toolbar installed, because of some error in the roll out process.

      The outcry-backlash for stuff like this is way too loud for Microsoft to bother trying to 'get away with something', it seems pretty likely that it was a mistake.

  • Always pushing... (Score:5, Insightful)

    by popo ( 107611 ) on Saturday June 12, 2010 @08:36AM (#32549056) Homepage

    Why must constant vigilance be required? There need to be fines against companies who install software without consent. It doesn't matter who you are, it should be an illegal act.

    • The worst part is that you can't find it in Control Panel->Add/Remove--> Installed Updates so you can uninstall it. You basically need to hack around to be able to remove it.
      • by jack2000 ( 1178961 ) on Saturday June 12, 2010 @08:43AM (#32549112)
        None of that would be a problem if Mozilla had made it so third party programs can't install plugins.
        • Re: (Score:3, Insightful)

          by Nerdfest ( 867930 )
          Open API's are generally a good thing, although these days you seem to need some sort of user confirmation to stop them from being abused. The open API is not the bad part, the abuse is.

        • None of that would be a problem if Mozilla had made it so third party programs can't install plugins.

          How would that even be possible for a program where the source code is available, and the 3rd party has admin level access? Even for a closed source program it's not possible if you're willing to reverse-engineer the program.

          Not mucking with a program is essentially a gentleman's agreement. We all know Microsoft is NOT a gentleman, so they'll do whatever suits them the best.

        • That's not really possible. If you have filesystem access, you can install the add-ons the same way the browser does. How would Firefox stop that?

          However, Firefox does show on startup if any new extensions have been installed - that's the way this thing was spotted.

        • by mjwx ( 966435 )

          None of that would be a problem if Mozilla had made it so third party programs can't install plugins without express permission from the user.

          There, finished that for you.

    • That will happen when you vote for it, with your dollars.

      MS will get the message when Windows sales drop because nobody buys their bullshit anymore... looks at MS sales figures... not yet it seems.

      Customer: I demand you do what I say or else I will continue to buy your products like the sheep I am.

      Company: Oh look, a talking sheep. Anyone want shish kebab? Dibs on the eyeballs.

      • Unlike most software, it wouldn't surprise me if MS Windows sales mostly follows an inelastic demand curve. People buy it because they need it much like they need gas.
        • Re: (Score:3, Insightful)

          by IANAAC ( 692242 )

          People buy it because they need it much like they need gas.

          People don't *need* it at all. They get it most of the time when they purchase a new PC.

          No matter how easy Ubuntu (or whatever flavor of Linux we could talk about) is to install, people have already got an operating system on their PC and won't bother to install another one unless MS does something to truly piss them off. I say this as someone who pretty much immediately installs Ubuntu on any new machine I buy.

          • Re: (Score:3, Insightful)

            by pizzach ( 1011925 )

            People don't *need* gas for transport either. They could just live close enough to work to bike or walk.

            No matter how easy Ubuntu (or whatever flavor of Linux we could talk about) is to install, people have already got an operating system on their PC and won't bother to install another one unless MS does something to truly piss them off. I say this as someone who pretty much immediately installs Ubuntu on any new machine I buy.

            Most people wouldn't change their operating system even if MS pissed them off. Most people don't know they have the option and they don't have a clue how to do it. This is part of the basis for my previous assertion. You might like doing what you do. Some people love biking, too.

            If you look at job descriptions, many are asking for ability to use specific programs instead of generic skills. Many w

          • by cynyr ( 703126 )
            autocad, solidworks, ProE, VBA macros in a spreadsheet, VB app from vendor, in house product selection system in VB.Net, A large amount of other business critical windows only software. Home users don't *need* it, but does "$2 pack of games from best buy" work with anything but windows? how about that cursor set from "the Internets"? yep, that's what i thought.

            Any move needs to be tested and verified to work at 100% feature complete or if not 100% the cost in time of moving to the new system needs to be added
    • Re: (Score:1, Informative)

      by Anonymous Coward

      If you use Windows Update, then Microsoft already has your consent to install software on your computer. And that consent isn't limited to any particular kind of software, either; by agreeing to the EULA, you've given them blanket consent to install whatever they think you should have.

      • That's why I've set it to only download the updates, not install them. If MS is doing installing anyways that's not something that can reasonably be considered agreed to.
      • by Khyber ( 864651 )

        "by agreeing to the EULA, you've given them blanket consent to install whatever they think you should have."

        That won't matter in a case of Unauthorized Access of a Computer/Misuse of Computer against Microsoft for modifying software that does not belong to them without permission. EULAs can NOT circumvent the law.

    • Somewhere along the line, you consented.
  • by jack2000 ( 1178961 ) on Saturday June 12, 2010 @08:38AM (#32549076)
    No excuse, no sir. And here i was foolishly thinking they would make a public apology.
  • by beakerMeep ( 716990 ) on Saturday June 12, 2010 @08:45AM (#32549128)
    I remember when this happened with some Silverlight thing in the past, but I can't remember what the reason was the Mozilla devs gave for allowing this type of silent local add on installation.

    Found an old bugzilla debate/bug from 2009 (!) about when this happened previously. It seems some consider it a moot point because Firefox reports add-ons have been installed when it boots. Did this MS update get around that somehow?

    Here's the link: https://bugzilla.mozilla.org/show_bug.cgi?id=476430

    And the old story from the last time MS did this: http://voices.washingtonpost.com/securityfix/2009/06/microsoft_patch_to_fix_firefox.html
    • by Machtyn ( 759119 )
      What's great about Silverlight is that I had to install Firefox on a Windows 7 64-bit computer to get it to work (Netflix). Microsoft Silverlight doesn't currently work with Microsoft Internet Explorer 64-bit.
  • by Anonymous Coward

    I was only able to uninstall this unwelcome extension by thinking in Russian.

  • with its updates to its oses.

    weren't they recently bitchslapped by EU for doing the very same thing, bundling and pushing their internet browser for decades to unsuspecting users ?

    corporations never learn. apparently it will be up to Eu again to bitchslap them for the sake of justice.
  • Hand Wave (Score:5, Funny)

    by FrostedWheat ( 172733 ) on Saturday June 12, 2010 @09:06AM (#32549254)
    "This isn't the extension you're looking for."
  • by Posting=!Working ( 197779 ) on Saturday June 12, 2010 @09:10AM (#32549278)

    Nothing was said about silently installing an extension to Firefox being completely wrong. No mention that it won't happen again. They've just about publicly admitted that they see nothing wrong with secretly installing changes to other companies' software without need, notice, justification or a way to remove it.

    Fuck Microsoft. Everybody who had this happen needs to file a complaint with the police under the hacking laws, installing unauthorized modifications to software of a competitor without permission is illegal, it doesn't matter if Microsoft does it, it's still illegal. Here in Kentucky, it's either a class A or B misdemeanor, depending on whether your time undoing it can be considered monetary damage.

    Also, we only have Microsoft's word that it just affects search results in their toolbar. For all we know it's logging credit card numbers, recording your webcam, and copying your personal information and contents of your c:/porn folder for public display/blackmail later. They probably aren't, but then again, what have they done that's trustworthy lately?

    "WGA thinks your copy of XP is unauthorized because you added memory and a graphics card. Your credit card has been charged $399.99 for a license."

    • And this is exactly (also WGA) why I am leaving the Windows platform. It has been a long ride with Bill Gates since W3.11 but I am done. I am leaving for greener pastures and never coming back.
    • Why does everyone on this site go full retard when Microsoft is involved? I just looked in my addons/plugins on Firefox and I've got plugins for:

      * Google's Picasa
      * Hulu Desktop
      * Google Update
      * Google Earth
      * Adobe Acrobat


      I didn't specifically install any of those plugins, and yet they are there. Are you going to call out Google, Hulu, and Adobe for installing their plugins "silently"?
  • Again? (Score:2, Informative)

    by Anonymous Coward

    Didn't they do a similar thing with a .net addon?

    Oh yes, they did. [annoyances.org]

  • If Microsoft wants to make an addon, update, toolbar, or any other damned thing for Firefox, they should submit it through proper channels. If it's alright for them to make updates to Firefox, then it's equally alright for Jumpin' Jack Haxor Flash to start distributing updates for Windows.

  • Way to go MS. I guess you got jealous that Apple is hogging all the bad press, so you had to do something to prove you're still the original evil company.

  • by FlyByPC ( 841016 ) on Saturday June 12, 2010 @09:17AM (#32549328) Homepage
    No toolbars installed == no MS update. I don't even use Google's toolbar -- and I more-or-less trust them (at least more than M$, anyway).
    • Re: (Score:2, Insightful)

      Me too, and moreover, this is one reason why I don't use Windows.

      • by rvw ( 755107 )

        Me too, and moreover, this is one reason why I don't use Windows.

        At home OSX, at work Ubuntu, and for testing I use Virtualbox with an XP or 7 VM.

        • by Khyber ( 864651 )

          You think you're safer by using OSX.

          I don't know whether to laugh or cry, knowing the exploits I know about OSX.

          The joys of having been an Apple Laptop repair tech in charge of the image servers - There are SO many vulnerabilities leftover from the days of 10.2 in the codebase that are still present even today. When people bork their Macs, it usually takes me four or five seconds after boot-up to know which exploit was used, assuming it wasn't a hardware issue that caused it in the first place (which was th

  • Bogus! (Score:1, Offtopic)

    by woboyle ( 1044168 )
    What cruft! The number one reason why I am boycotting Microsoft and Apple is that they seem to think that they own my computing and communication devices and can install anything they want on them without my explicit permission. To heck with that! When are these pinheads going to get with the program, that doing so compromises the integrity and security of our systems and personal or proprietary information. I can accept auto-updates of already installed components, provided I opt-in to that, but if they ar
    • by maxume ( 22995 )

      I don't think you know what a boycott is.

      Also, if you manually applied the updates, it seems a bit tough to argue that they did anything unauthorized on your systems.

  • Another reason to keep your automatic updates DISABLED.
  • Toolbars? (Score:4, Insightful)

    by BCW2 ( 168187 ) on Saturday June 12, 2010 @11:09AM (#32550186) Journal
    People are still foolish enough to add them? Wow, I thought they were all malware just like all pop ups. Who has time to check which ones aren't?
    • by josath ( 460165 )
      I use the one from googlebar.mozdev.org all day long...i like being able to one-click access the many various google searches (maps / products / images / video / web / etc)
  • by QuietLagoon ( 813062 ) on Saturday June 12, 2010 @11:58AM (#32550594)
    Microsoft has always been under the false impression that just because "Microsoft explains" a bad deed, that the deed suddenly becomes OK.
    • And people like you seem to be under the false impression that just because you don't understand something, it is bad.

      I didn't get this installed on any of my computers. Guess what I don't have? The Bing toolbar! Who would have guessed?
  • M$ still thinks that they own every PC in the world. It doesn't matter if it even runs Windows or not. They've demonstrated this time and time again. Anyone remember the Suse linux controversy a couple years back? They still haven't gotten the idea through their corporate heads that the end user has a choice now on what to do with their system. Let's say you buy a computer with windows pre-installed. They pretty much say now that by even opening the box you agree to their EULA. Even if the first time you boo
  • Has anyone tried to remove this crap from Firefox? All I can do is disable it.
