Sneakiness and Myth
How about this for sneakiness. Earlier this year, Microsoft shipped a 'security update' for its .NET framework, a programming platform used by many applications. The update, installed on millions of computers, also installed an add-on into the Firefox browser if it was present on the computer. It didn't ask for permission, and it disabled Firefox's uninstall button, so you couldn't safely remove the component. The add-on - which appears in the add-ons popup as 'Microsoft .NET Framework Assistant 1.0' - is a serious security threat, since it allows web sites to quietly install software on your computer. The fact that Microsoft's Internet Explorer allows this sort of thing is one of the main reasons why a large number of people moved over to Firefox, which, sans the add-on, doesn't allow it. People were definitely Not At All Happy, especially when they discovered that the only way to remove the offending component was to manually edit the computer's registry. This resulted in a hasty back-down by Microsoft who have now issued a fix for their 'fix'. If you are one of the unlucky people that Microsoft dumped on, their fix is at <http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=cecc62dc-96a7-4657-af91-6383ba034eab>. Sheesh - no wonder many people are so reluctant to install Microsoft 'security' updates!
I wanted to correct several points in your recent write-up on the .NET Framework Assistant. As a .NET developer and a Firefox user I have been following this issue since it came up, and (as usual) the rumors and even the press reports have been very misleading. I thought you might be interested in getting the real story. 1) The update that installed the add-on (.NET Framework 3.5 Service Pack 1) was not a security update. If you run Microsoft Update on a machine that does not have SP1 installed, you will see the following (for example): "Microsoft .NET Framework 3.5 Service Pack 1 and .NET Framework 3.5 Family Update for .NET versions 2.0 through 3.5 (KB951847) x86". It was listed as a high-priority update, and therefore it would have been installed on any computer that was set to automatically install high-priority updates. But anyone who chose what updates to install would not have seen it listed as a security update (despite the fact that there were important security fixes in the update). 2) Many people have cried foul because the uninstall button is disabled, and the process to uninstall the add-on through the registry is complicated. However, Microsoft did not disable the uninstall button for the add-on. Rather, the add-on was installed at the machine-level, not the user level; this makes the add-on automatically available to all users. And Firefox does not allow individual users to uninstall machine-level add-ons. Installing at the machine level makes perfect sense if you consider that the source of the add-on was a system-level update (although you can of course argue that a system-level update should not have installed the add-on in the first place). If anything, it is a Firefox design flaw that there is not a better way to uninstall machine-level add-ons. It should also be noted that this is hardly the only add-on to exhibit this behavior. When I open the "Add-ons" window in my Firefox right now, I see that the "Java Quick Starter" extension, which I also never explicitly installed, also has the uninstall button disabled. But oddly, you don't see anyone beating down Sun's door trying to force them to change their add-on. There are also a number of other add-ons from other high-profile companies with the same behavior (see the link at the bottom). 3) The statements, such as from annoyances.org, that the add-on creates "the ability for websites to easily and quietly install software on your PC" are simply untrue. Any attempt to install a ClickOnce application through the browser invokes a dialog asking the user whether to install the application, and includes the application name and the publisher. It is not possible for a malicious website to install software on the machine without the user knowing about it. Even when the application has been installed on the machine, it still does not create a security risk. This is an important distinction between ClickOnce and ActiveX, to which it has been compared. By default, ClickOnce applications that are installed from the web use a mechansim built into the .NET Framework called Code Access Security (CAS) to execute in a sandbox, or what is known as "partial trust". An application running in partial trust cannot directly access the file system, cannot access the network (except the host it was installed from), cannot read other processes on the machine, and many other restrictions. So even if a user accidentally installs an application through ClickOnce that they did not mean to install, they are still not at risk. This is a key point that is missing from most of the discussion of this issue. The .NET Framework is *not* native code, and it does not have the same built-in security flaws that native code does. Since ClickOnce can only be used to deploy managed .NET applications, and it automatically runs them in a sandbox, *regardless* of the permissions of the executing user, there is no inherent security risk. The mistake that Microsoft made, and the one they are now correcting, is that the add-on should not have been installed as part of SP1 in the first place; it should have been made available as any normal Firefox add-on. This is in keeping with their general overbearing, "we own your system" mentality, and I am glad that people are calling them on it. I just wish that people wouldn't obscure this legitimate complaint with other red herrings that do nothing but draw attention away from the real problems. Scott Hanselman, a Microsoft VP, has a good write-up on this issue at http://www.hanselman.com/blog/HowToRemoveTheNETClickOnceFirefoxExtension.aspx. You can also read more about CAS and the ClickOnce sandbox at http://www.informit.com/articles/article.aspx?p=691085. Keep up your good work with Winding Down and with Fed 2.
I mentioned last week in the Microsoft round up that a recent security patch added code as a plug-in to Firefox, something which I thought was very sneaky and had security implications. I had a letter from reader David Nelson. (See, someone other than me does read Winding Down!) The letter is substantially longer than my original two paragraphs, and deals with a number of issues, but the gist of it is that while he agrees with me that it was a sneaky thing to do, it is not in fact the security threat that I implied. He also points out that the disabling of the uninstall button is an artifact of Firefox, not a dastardly plot by Microsoft.
Back to the Phlogiston Blue top page If you have any questions or comments about the articles on my web site, click here to send me email. |