Re: Microsoft may be Firefox's worst vulnerability

2009-06-22 Thread Nairda

»Q« wrote:

> In ,
> Nairda  wrote:
>
>> http://blogs.techrepublic.com.com/security/?p=1716&tag=nl.e011
>>
>> Snip:
>> "We added this support at the machine level in order to enable the
>> feature for all users on the machine. Seems reasonable right? Well,
>> turns out that enabling this functionality at the machine level,
>> rather than at the user level means that the “Uninstall” button is
>> grayed out in the Firefox Add-ons menu because standard users are not
>> permitted to uninstall machine-level components."
>
> Irresponsible journalism, all too typical in the tech press.  The
> techrepublic guy is quoting Brad Abrams' blog entry,
> ,
> but he neglected to quote this part:
>
>   Update (5/2009):  We just release an update to .NET Framework 3.5 SP1
>   that makes the firefox plug in a per-user component.  This makes
>   uninstall a LOT cleaner.. none of the steps below are required once
>   this update is installed.
>
> That update was made to the blog *before* the techreport article was
> posted.
>
> No browser, including Firefox and SeaMonkey, can protect the user from
> anything any app that the user chooses to run with administrative
> privileges.  In this case, the app was Windows Update, which a lot of
> people trust, but it could have been anything.

Thanks for that Q. Well spotted.
What's the world coming to when you can't even trust M$! (;
___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey


Re: Microsoft may be Firefox's worst vulnerability

2009-06-21 Thread »Q«
In ,
Nairda  wrote:

> http://blogs.techrepublic.com.com/security/?p=1716&tag=nl.e011
> 
> Snip:
> "We added this support at the machine level in order to enable the 
> feature for all users on the machine. Seems reasonable right? Well, 
> turns out that enabling this functionality at the machine level,
> rather than at the user level means that the “Uninstall” button is
> grayed out in the Firefox Add-ons menu because standard users are not
> permitted to uninstall machine-level components."

Irresponsible journalism, all too typical in the tech press.  The
techrepublic guy is quoting Brad Abrams' blog entry,
,
but he neglected to quote this part:

  Update (5/2009):  We just release an update to .NET Framework 3.5 SP1
  that makes the firefox plug in a per-user component.  This makes
  uninstall a LOT cleaner.. none of the steps below are required once
  this update is installed.

That update was made to the blog *before* the techreport article was
posted.

No browser, including Firefox and SeaMonkey, can protect the user from
anything any app that the user chooses to run with administrative
privileges.  In this case, the app was Windows Update, which a lot of
people trust, but it could have been anything.

-- 
»Q«                      /"\
  ASCII Ribbon Campaign  \ /
   against html e-mail    X
                         / \


Re: Microsoft may be Firefox's worst vulnerability

2009-06-21 Thread Nairda

Benoit Renard wrote:

> David E. Ross wrote:
>
>> The malware is a Firefox extension that (among other things) disables
>> the ability of Firefox to remove it.
>
> As far as I know, they didn't disable uninstallation. It just isn't
> possible while using Firefox because it's installed on the application
> level, and not in the user's profile.



If only that was the case. Please see below.

http://annoyances.org/exec/show/article08-600

Snip:
"Unfortunately, Microsoft in their infinite wisdom has taken steps to 
make the removal of this extension particularly difficult - open the 
Add-ons window in Firefox, and you'll notice the Uninstall button next 
to their extension is grayed out! Their reasoning, according to 
Microsoft blogger Brad Abrams, is that the extension needed "support at 
the machine level in order to enable the feature for all users on the 
machine," which, of course, is precisely the reason this add-on is bad 
news for all Firefox users."



http://blogs.techrepublic.com.com/security/?p=1716&tag=nl.e011

Snip:
"We added this support at the machine level in order to enable the 
feature for all users on the machine. Seems reasonable right? Well, 
turns out that enabling this functionality at the machine level, rather 
than at the user level means that the “Uninstall” button is grayed out 
in the Firefox Add-ons menu because standard users are not permitted to 
uninstall machine-level components."



Re: Microsoft may be Firefox's worst vulnerability

2009-06-21 Thread Benoit Renard

David E. Ross wrote:

> The malware is a Firefox extension that (among other things) disables
> the ability of Firefox to remove it.


As far as I know, they didn't disable uninstallation. It just isn't 
possible while using Firefox because it's installed on the application 
level, and not in the user's profile.



Re: Microsoft may be Firefox's worst vulnerability

2009-06-21 Thread JeffM
David E. Ross wrote:
>By the way, the latest W3Schools report now indicates that
>more people are now using Gecko browsers than IE.
>Of course, the specialized nature of the W3Schools Web site
>skews their survey so that it really doesn't reflect
>the general audience of Internet users.

Well, the number you get depends on whom you ask
http://en.wikipedia.org/wiki/Usage_share_of_web_browsers
--but the trend is clear: folks are tired of
infection-friendly ecosystems; attempts at vendor lock-in;
poor rendering; browsers that are lagging WRT features[1].
.
.
[1] WRT the multi-process thing, WebKit-based browsers
(like Google Chrome) and  Trident-based IE8
are out front of Gecko-based browsers.
...but not being able to BLOCK
bandwidth-hogging/screen-space-wasting junk
is a big negative for those offerings.


Re: Microsoft may be Firefox's worst vulnerability

2009-06-21 Thread David E. Ross
On 6/21/2009 2:41 AM, Daniel wrote:
> David E. Ross wrote:
>> On 6/20/2009 5:00 PM, Nairda wrote:
> 
> 
> 
>>  Since I
>> use Internet Explorer only to get Windows updates and to check my own
>> Web pages, I have rejected all .NET Framework (and ActiveX) updates.
>>
> 
> Sorry, David! You only use IE to get updates and check your own webpages.
> 
> As you use SM, I suspect your web pages would be more rules compliant 
> than IE would need, so what do you find out by checking your web pages 
> with IE??
> 
> Just interested!
> 
> Daniel

I have found a few instances where my HTML and CSS were compliant but
where the results in IE were not quite what I wanted.  A small change --
still compliant -- made the affected page appear the way I wanted in
both IE and SM.

By the way, the latest W3Schools report now indicates that more people
are now using Gecko browsers than IE.  Of course, the specialized nature
of the W3Schools Web site skews their survey so that it really doesn't
reflect the general audience of Internet users.

-- 
David E. Ross


Go to Mozdev at  for quick access to
extensions for Firefox, Thunderbird, SeaMonkey, and other
Mozilla-related applications.  You can access Mozdev much
more quickly than you can Mozilla Add-Ons.


Re: Microsoft may be Firefox's worst vulnerability

2009-06-21 Thread Daniel

David E. Ross wrote:

> On 6/20/2009 5:00 PM, Nairda wrote:
>
>  Since I
> use Internet Explorer only to get Windows updates and to check my own
> Web pages, I have rejected all .NET Framework (and ActiveX) updates.

Sorry, David! You only use IE to get updates and check your own webpages.

As you use SM, I suspect your web pages would be more rules compliant
than IE would need, so what do you find out by checking your web pages
with IE??


Just interested!

Daniel


Re: Microsoft may be Firefox's worst vulnerability

2009-06-20 Thread Nairda

David E. Ross wrote:

> On 6/20/2009 6:02 PM, David E. Ross wrote:
>
>> On 6/20/2009 5:00 PM, Nairda wrote:
>>
>>> Hi everyone.
>>> Can someone with a bit more understanding of these things please read
>>> this article and say whether this applies to SM as well?
>>>
>>> http://blogs.techrepublic.com.com/security/?p=1716&tag=nl.e011
>>>
>>> Snip:
>>> In a surprise move this year, Microsoft has decided to quietly install
>>> what amounts to a massive security vulnerability in Firefox without
>>> informing the user. Find out what Microsoft has to say about it, and how
>>> you can undo the damage. Microsoft pushed out its .NET Framework 3.5
>>> Service Pack 1 update this February
>>> End Snip.
>>>
>>> It looks rather nasty, and I wish I had read it sooner.
>>> Cheers.
>>
>> The malware is a Firefox extension that (among other things) disables
>> the ability of Firefox to remove it.  This apparently affects only
>> Firefox 3.x because of the way extensions are installed.  SeaMonkey
>> 1.1.x is related to Firefox 2.x and is not affected because of a
>> different scheme for installing extensions.  I don't know if SeaMonkey
>> 2.x will be affected, but it does use the same extension installation
>> scheme as Firefox 3.x.
>>
>> In any case, I've avoided this problem.  My Automatic Updates is set for
>> "Notify me but don't automatically download or install them."  Since I
>> use Internet Explorer only to get Windows updates and to check my own
>> Web pages, I have rejected all .NET Framework (and ActiveX) updates.
>>
>> Suddenly, I'm very glad I did not update my Windows XP SP2 to Windows XP
>> SP3.  The latter would have included this malware.
>>
>> See bug #499521 at .
>
> It turns out that this problem was known at the beginning of February.
> New bug #499521 is a duplicate of bug #476430 (see
> ).  I find it
> strange that there is some debate whether to take any corrective action.



Thank you David for your most adroit observations.


Re: Microsoft may be Firefox's worst vulnerability

2009-06-20 Thread David E. Ross
On 6/20/2009 6:02 PM, David E. Ross wrote:
> On 6/20/2009 5:00 PM, Nairda wrote:
>> Hi everyone.
>> Can someone with a bit more understanding of these things please read 
>> this article and say whether this applies to SM as well?
>>
>> http://blogs.techrepublic.com.com/security/?p=1716&tag=nl.e011
>>
>> Snip:
>> In a surprise move this year, Microsoft has decided to quietly install 
>> what amounts to a massive security vulnerability in Firefox without 
>> informing the user. Find out what Microsoft has to say about it, and how 
>> you can undo the damage. Microsoft pushed out its .NET Framework 3.5 
>> Service Pack 1 update this February
>> End Snip.
>>
>> It looks rather nasty, and I wish I had read it sooner.
>> Cheers.
> 
> The malware is a Firefox extension that (among other things) disables
> the ability of Firefox to remove it.  This apparently affects only
> Firefox 3.x because of the way extensions are installed.  SeaMonkey
> 1.1.x is related to Firefox 2.x and is not affected because of a
> different scheme for installing extensions.  I don't know if SeaMonkey
> 2.x will be affected, but it does use the same extension installation
> scheme as Firefox 3.x.
> 
> In any case, I've avoided this problem.  My Automatic Updates is set for
> "Notify me but don't automatically download or install them."  Since I
> use Internet Explorer only to get Windows updates and to check my own
> Web pages, I have rejected all .NET Framework (and ActiveX) updates.
> 
> Suddenly, I'm very glad I did not update my Windows XP SP2 to Windows XP
> SP3.  The latter would have included this malware.
> 
> See bug #499521 at .
> 

It turns out that this problem was known at the beginning of February.
New bug #499521 is a duplicate of bug #476430 (see
).  I find it
strange that there is some debate whether to take any corrective action.

-- 
David E. Ross


Go to Mozdev at  for quick access to
extensions for Firefox, Thunderbird, SeaMonkey, and other
Mozilla-related applications.  You can access Mozdev much
more quickly than you can Mozilla Add-Ons.


Re: Microsoft may be Firefox's worst vulnerability

2009-06-20 Thread David E. Ross
On 6/20/2009 5:00 PM, Nairda wrote:
> Hi everyone.
> Can someone with a bit more understanding of these things please read 
> this article and say whether this applies to SM as well?
> 
> http://blogs.techrepublic.com.com/security/?p=1716&tag=nl.e011
> 
> Snip:
> In a surprise move this year, Microsoft has decided to quietly install 
> what amounts to a massive security vulnerability in Firefox without 
> informing the user. Find out what Microsoft has to say about it, and how 
> you can undo the damage. Microsoft pushed out its .NET Framework 3.5 
> Service Pack 1 update this February
> End Snip.
> 
> It looks rather nasty, and I wish I had read it sooner.
> Cheers.

The malware is a Firefox extension that (among other things) disables
the ability of Firefox to remove it.  This apparently affects only
Firefox 3.x because of the way extensions are installed.  SeaMonkey
1.1.x is related to Firefox 2.x and is not affected because of a
different scheme for installing extensions.  I don't know if SeaMonkey
2.x will be affected, but it does use the same extension installation
scheme as Firefox 3.x.

In any case, I've avoided this problem.  My Automatic Updates is set for
"Notify me but don't automatically download or install them."  Since I
use Internet Explorer only to get Windows updates and to check my own
Web pages, I have rejected all .NET Framework (and ActiveX) updates.

Suddenly, I'm very glad I did not update my Windows XP SP2 to Windows XP
SP3.  The latter would have included this malware.

See bug #499521 at .

-- 
David E. Ross


Go to Mozdev at  for quick access to
extensions for Firefox, Thunderbird, SeaMonkey, and other
Mozilla-related applications.  You can access Mozdev much
more quickly than you can Mozilla Add-Ons.


Re: Microsoft may be Firefox's worst vulnerability

2009-06-20 Thread Nairda

Nairda wrote:

> Hi everyone.
> Can someone with a bit more understanding of these things please read
> this article and say whether this applies to SM as well?
>
> http://blogs.techrepublic.com.com/security/?p=1716&tag=nl.e011
>
> Snip:
> In a surprise move this year, Microsoft has decided to quietly install
> what amounts to a massive security vulnerability in Firefox without
> informing the user. Find out what Microsoft has to say about it, and how
> you can undo the damage. Microsoft pushed out its .NET Framework 3.5
> Service Pack 1 update this February
> End Snip.
>
> It looks rather nasty, and I wish I had read it sooner.
> Cheers.


PS.

If so, what mods need to be made to the following instructions to apply 
it to SeaMonkey?


Remove the Microsoft .NET Framework Assistant (ClickOnce) Firefox Extension

Intended For
Windows 2000
Windows 7
Windows XP
Windows Vista
The Microsoft .NET Framework 3.5 Service Pack 1 update, pushed through
the Windows Update service to all recent editions of Windows in February
2009, installs the Microsoft .NET Framework Assistant firefox extension
without asking your permission.

This update adds to Firefox one of the most dangerous vulnerabilities
present in all versions of Internet Explorer: the ability for websites
to easily and quietly install software on your PC. Since this design
flaw is one of the reasons you may have originally chosen to abandon IE
in favour of a safer browser like Firefox, you may wish to remove this
extension with all due haste.

Unfortunately, Microsoft in their infinite wisdom has taken steps to
make the removal of this extension particularly difficult - open the
Add-ons window in Firefox, and you'll notice the Uninstall button next
to their extension is grayed out! Their reasoning, according to
Microsoft blogger Brad Abrams, is that the extension needed "support at
the machine level in order to enable the feature for all users on the
machine," which, of course, is precisely the reason this add-on is bad
news for all Firefox users.

Here's the bafflingly-convoluted procedure required to remove this
garbage from Firefox:

1. Open Registry Editor (type regedit in the Start menu Search box in
Vista/Windows 7, or in XP's Run window).
2. Expand the branches to the following key:
* On 32-bit systems: HKEY_LOCAL_MACHINE \ SOFTWARE \ Mozilla \ Firefox \
Extensions
* On x64 systems: HKEY_LOCAL_MACHINE \ SOFTWARE \ Wow6432Node \ Mozilla
\ Firefox \ Extensions
3. Delete the value named {20a82645-c095-46ed-80e3-08825760534b} from
the right pane.
4. Close the Registry Editor when you're done.
5. Open a new Firefox window, and in the address bar, type about:config
and press Enter.
6. Type microsoftdotnet in the Filter field to quickly find the
general.useragent.extra.microsoftdotnet setting.
7. Right-click general.useragent.extra.microsoftdotnet and select Reset.
8. Restart Firefox.
9. Open Windows Explorer, and navigate to
%SYSTEMDRIVE%\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation
Foundation.
10. Delete the DotNetAssistantExtension folder entirely.
11. Open the Add-ons window in Firefox to confirm that the Microsoft
.NET Framework Assistant extension has been removed.

It will be a great day when PC users no longer have to waste this much
time to protect themselves from those who write the software they use.
(And if you're thinking, "Why not just use a Mac," may I remind you of
the MobileMe junk recently installed on so many Windows machines without
their owners' permission!)
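
The machine-level registration that the removal steps in the post above undo, as a read-only PowerShell audit; this is an added example, not part of the original post or the quoted article. The registry keys, extension ID, preference name and folder are taken from the post; the function names and the assumption that a user-set preference is stored in the profile's prefs.js under %APPDATA% are assumptions (requires PowerShell 3.0 or later).

```powershell
# Added example: read-only audit, changes nothing on the machine.
# Registry keys, extension ID, preference name and folder come from the
# post above; function names and the prefs.js check are assumptions.
$ExtensionKeys = @(
    'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions',              # 32-bit systems
    'HKLM:\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions'   # x64 systems
)
$AssistantId   = '{20a82645-c095-46ed-80e3-08825760534b}'
$AssistantPref = 'general.useragent.extra.microsoftdotnet'
$AssistantDir  = Join-Path $env:SystemDrive ('Windows\Microsoft.NET\Framework\v3.5\' +
    'Windows Presentation Foundation\DotNetAssistantExtension')

function Get-MachineLevelFirefoxExtension {
    # Each value under these keys registers an extension for all users.
    # Per the post, standard users cannot uninstall such machine-level
    # components, which is why the Uninstall button is grayed out.
    foreach ($key in $ExtensionKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $regKey = Get-Item -LiteralPath $key
        foreach ($name in $regKey.GetValueNames()) {
            if ([string]::IsNullOrEmpty($name)) { continue }   # skip (Default)
            $path = [string]$regKey.GetValue($name)
            [pscustomobject]@{
                RegistryKey = $key
                ExtensionId = $name
                InstallPath = $path
                PathExists  = [bool]($path -and (Test-Path -LiteralPath $path))
                IsAssistant = ($name -ieq $AssistantId)
            }
        }
    }
}

function Get-AssistantLeftover {
    # Covers steps 5-10 of the procedure: the user-agent preference and
    # the DotNetAssistantExtension folder.
    # Assumption: a user-set preference is written to prefs.js in each
    # profile under %APPDATA%\Mozilla\Firefox\Profiles.
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    $prefHits = @()
    if (Test-Path -LiteralPath $profiles) {
        $prefHits = @(Get-ChildItem -Path $profiles -Filter prefs.js -Recurse -ErrorAction SilentlyContinue |
            Select-String -SimpleMatch -Pattern $AssistantPref |
            ForEach-Object { $_.Path } | Sort-Object -Unique)
    }
    [pscustomobject]@{
        FolderPresent    = Test-Path -LiteralPath $AssistantDir
        ProfilesWithPref = $prefHits
    }
}

Get-MachineLevelFirefoxExtension | Format-Table -AutoSize
Get-AssistantLeftover | Format-List
```

Any row with `IsAssistant` set to True, or a leftover folder or preference, means the corresponding step of the procedure has not been completed for that machine or profile.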


Microsoft may be Firefox's worst vulnerability

2009-06-20 Thread Nairda

Hi everyone.
Can someone with a bit more understanding of these things please read 
this article and say whether this applies to SM as well?


http://blogs.techrepublic.com.com/security/?p=1716&tag=nl.e011

Snip:
In a surprise move this year, Microsoft has decided to quietly install 
what amounts to a massive security vulnerability in Firefox without 
informing the user. Find out what Microsoft has to say about it, and how 
you can undo the damage. Microsoft pushed out its .NET Framework 3.5 
Service Pack 1 update this February

End Snip.

It looks rather nasty, and I wish I had read it sooner.
Cheers.