Darren New wrote:
> In any case, did it bring up the "you installed new plug-ins" window when 
> you started firefox the next time?  If not, this sounds like a bug in 
> firefox as well.

No. But rather than a bug in FF, more likely Microsoft used a means that avoids
this (which might be designed into FF, for all I know).

> I'm also trying to figure out why this is a problem at all. You install 
> software,

*Microsoft* installs software. *I* did not install it. Whether it came via
windows update or bundled with another program I can't be sure. I can be sure I
was never asked about it. This is the majority of opinion in articles around the
www. I can think of several ways a KB can be installed without the end-user
being asked, including (I suspect) the "quiet" switch which is provided for
times such as a network roll-out or when it's invoked from another software
package that bundles it.

I can't say whether or not the end-user is asked about it when it's installed
via automatic updates (where they are set to "automatically download and
install" but I would be surprised if they were asked - the purpose of auto
download and install of windows update items is to do exactly that.

> plug-in. When I install software, part of it can be start menu shortcuts, 
> system libraries, new menus in my word processor, etc. I just don't see what 

As a general rule, Microsoft has avoided directly installing stuff into programs
they don't own in the past. And in any event, if I install software from
manufacturer "X", I don't expect them to fiddle with the software from
manufacturer "Y" unless they ask me first. I'd be annoyed at any company - not
just Microsoft - if they did this, and have been so in the past. But this goes
beyond just ordinary annoyance because of *what* they installed.

> the problem is, really. It's not stealth, 

If I'm not told it's being done, it's stealth, at least insofar as modifying
another company's product (*especially* when that product is considered by
Microsoft as a competitor to one of their own programs).

> I can understand it wasn't mentioned other than "click-once functionality 
> improved" in the KB article, but the outrage seems way out of proportion.

The outrage is because there are millions of firefox users who use it BECAUSE IT
IS SAFER THAN IE. IE has been repeatedly demonstrated to be a disaster waiting
for a place to happen. Microsoft has an atrocious record on security, and those
of us who were working in the industry when they first introduced activex (I
was) recall just what a bloody disaster that was.

Consider this from the point of view of someone who uses FF for this reason: why
wouldn't we be outraged when microsoft then rams a piece of potentially buggy
software into our browser, which we are using primarily to avoid using their
buggy browser code??? The majority of us (those who use FF for this reason)
*DO NOT WANT* any Microsoft internet-related code running in FF, it's that simple.

My home network needs to be secure as I work for (and in some cases network
admin for) several firms to whom I have VPN or SSH access. I don't even allow IE
to access the blasted internet! I have a proxy, firefox knows about it, but
Windows and IE do *not*. I occasionally open it up on a separate port to allow
windows update to run, but that's it. I never under any circumstances use IE on
the open internet because of the serious flaws that to this day still are being
discovered and which sometimes lead to drive-by-downloads, trojan and virus
infections, keyloggers, and what have you.

I do not want ANY Microsoft components running inside my browser since they have
proven time and time and time again over the past 14 years that they simply
cannot be trusted to produce secure, well-designed code.

THAT is why I and many are pissed off this appeared in FF without our
permission. Their security record speaks for itself. If you wish to defend
Microsoft irregardless of their record, please do so elsewhere: this is not the
forum for it.

Please: no more replies, no more posts from you on this topic. It gets nowhere
and distracts from the real purpose of the thread.

-- Chris

Post a reply to this message

Darren New wrote:
> In any case, did it bring up the "you installed new plug-ins" window when
> you started firefox the next time?  If not, this sounds like a bug in
> firefox as well.

Or Microsoft set the "notification already shown for this plugin" flag while
installing it.

Post a reply to this message

Chris Cason wrote:
> Darren New wrote:
>> Chris Cason wrote:
>>> I've told you four times now. I was NOT asked or told. You are intentionally
>>> ignoring this.
>> I'm not ignoring *your* experience.  I'm telling you that *I* wasn't 
>> surprised it was installed when I installed it.  What can I say?
> 
> Here's a direct quote from your post I made that reply to:
> 
> Darren New wrote:
>>> not like it's a root kit or something - before the first time it runs, you
>>> get FF in your face telling you it has been installed, do you want to
>>> configure it or disable it? Hardly "stealth."
> 
>  "*YOU* get ff in in your face, telling *YOU* it has been installed, do *YOU*
>   want to configure it ..."

Clearly I should have said "One gets that in one's face." Miscommunication 
there.

Right now, I'm building a new virtual machine, gonna put firefox on it, then 
install windows updates, and I'll see exactly what it does while I'm paying 
attention.

> Hardly "your" experience, 

It was my experience, as far as I recall from the two times I installed the 
stuff here. I assumed the security features in FF that showed me that worked 
for you too.

> and typical of your other replies, where you tend to
> directly contradict the poster. Your extensive use of the third party 

... second party ... ;-)

> makes it clear you intend to refer to the OP, not yourself.

Sure. But earlier I also said "maybe your experience was different."

> You have successfully hijacked this thread from a discussion of the topic to a
> "you were told" "not I was'nt" "yes you were".

Sorry. It looked like "I wasn't told" *was* the topic of the thread.


-- 
   Darren New, San Diego CA, USA (PST)
   My fortune cookie said, "You will soon be
   unable to read this, even at arm's length."

Post a reply to this message

Chris Cason wrote:
> 
> Do you ever recall seeing firefox mention that the extension had been installed?
> (As I mentioned, I did not).
> 
> -- Chris

Not at all. It didn't ask me, FF didn't do it's usual "Hey! You have a 
new plugin" dialog. Nothing.

Had I not read your post, I wouldn't have known about it.
-- 
~Mike

Post a reply to this message

Chris Cason wrote:
> Darren New wrote:
>> In any case, did it bring up the "you installed new plug-ins" window when 
>> you started firefox the next time?  If not, this sounds like a bug in 
>> firefox as well.
> 
> No. But rather than a bug in FF, more likely Microsoft used a means that avoids
> this (which might be designed into FF, for all I know).

Hmmm... Here's what I did. I started a new VM, installed Vista, installed 
all suggested updates but .NET 3.5 SP1, then installed the latest firefox, 
and confirmed there was nothing in the tools menu about Microsoft.

Then I installed SP1.  Contrary to my memory, it did not make me agree to a 
new EULA, so if you told Windows to install updates without asking, it 
probably would do so "silently" as requested.

After rebooting, the first time I started firefox, it popped up the window 
saying "You have new extensions". The default option boxes were both turned 
off, so it doesn't report every version of .NET and doesn't prompt before 
running click-once programs. (Sounds like bad defaults to me.)

If you didn't get that, perhaps you have a different version of Windows of 
Firefox or .NET 3.5 SP1 installed. Perhaps MS got flamed and changed the 
code to be marginally less silent.

http://darren.s3.amazonaws.com/Junk.png because I'm sure at least some 
people will think I'm lying.  I'm sure at least some people will think I'm 
lying and even made up the screen shot, like I work for MS's legal 
department or something.

>> I'm also trying to figure out why this is a problem at all. You install 
>> software,
> 
> *Microsoft* installs software. *I* did not install it. Whether it came via
> windows update or bundled with another program I can't be sure. I can be sure I
> was never asked about it.

Since it was made available via Windows Update and did not require an EULA 
agreement, it's possible it installed itself if you tell Windows Update to 
install things automatically.

> I can't say whether or not the end-user is asked about it when it's installed
> via automatic updates (where they are set to "automatically download and
> install" but I would be surprised if they were asked - the purpose of auto
> download and install of windows update items is to do exactly that.

Usually big things ask, or at least anything where MS wants your agreement 
to a new EULA. For example, I don't think the "malicious software removal 
tool" runs without explicit permission. This update didn't.

> As a general rule, Microsoft has avoided directly installing stuff into programs
> they don't own in the past. And in any event, if I install software from
> manufacturer "X", I don't expect them to fiddle with the software from
> manufacturer "Y" unless they ask me first.

OK.  I guess they figure firefox is getting enough popularity they have to 
support it.  Maybe it comes from the number of people complaining you have 
to use IE to get to particular microsoft-centric web sites.

>> the problem is, really. It's not stealth, 
> 
> If I'm not told it's being done, it's stealth, at least insofar as modifying
> another company's product (*especially* when that product is considered by
> Microsoft as a competitor to one of their own programs).

OK. I guess that's just semantics there. They don't ask in advance, but 
before it runs you get told about it and get the opportunity to turn it off. 
It's modifying another company's product by installing extensions through a 
defined interface. Dunno.

> *DO NOT WANT* any Microsoft internet-related code running in FF, it's that simple.

Doesn't the "disable" button keep it from running? I mean, isn't that what 
that button *does*?  If not, sounds like FF is broken too.

> THAT is why I and many are pissed off this appeared in FF without our
> permission. Their security record speaks for itself. If you wish to defend
> Microsoft irregardless of their record, please do so elsewhere: this is not the
> forum for it.

Fair enough. Now I understand. :-)  I'm not sure why the conversation 
couldn't stay civil.

> Please: no more replies, no more posts from you on this topic. It gets nowhere
> and distracts from the real purpose of the thread.

I'm still curious about the "real purpose" of the thread. :-)

-- 
   Darren New, San Diego CA, USA (PST)
   My fortune cookie said, "You will soon be
   unable to read this, even at arm's length."

Post a reply to this message

> The majority of us (those who use FF for this reason)
> *DO NOT WANT* any Microsoft internet-related code running in FF, it's that 
> simple.

That will be a bit tricky seeing as you have FF running on an OS written by 
MS, if you really do not want any MS code running then use a different OS 
for web browsing, it's the only way to be sure.

Post a reply to this message

scott <sco### [at] scottcom> wrote:
> > The majority of us (those who use FF for this reason)
> > *DO NOT WANT* any Microsoft internet-related code running in FF, it's that 
> > simple.

> That will be a bit tricky seeing as you have FF running on an OS written by 
> MS, if you really do not want any MS code running then use a different OS 
> for web browsing, it's the only way to be sure.

  So basically you are saying: If you use Windows, don't bother even trying
to browse securely. Just use IE and whatever. After all, it's futile to even
try to do anything securely.

  That's the kind of TheDailyWTF style mentality, in the same lines as
"we don't have any passwords in your database server because, after all,
it's impossible to secure it from all possible hacker attacks".

-- 
                                                          - Warp

Post a reply to this message

Warp wrote:
> scott <sco### [at] scottcom> wrote:
>>> The majority of us (those who use FF for this reason)
>>> *DO NOT WANT* any Microsoft internet-related code running in FF, it's that 
>>> simple.
> 
>> That will be a bit tricky seeing as you have FF running on an OS written by 
>> MS, if you really do not want any MS code running then use a different OS 
>> for web browsing, it's the only way to be sure.
> 
>   So basically you are saying: 

No. Basically he's saying FF is still using Windows graphics routines to 
draw, Windows font handlers to load fonts, Windows TCP stack to do TCP, 
Windows DNS clients to look up hosts, Windows image processing code to 
display images, and quite possibly (I haven't looked) Windows cryptographic 
services to deal with certificates.

If you "do not want *any* Microsoft internet-related code running in FF," 
then you're going to have an awful time connecting out the ethernet port 
that Windows is managing to share with all you other applications, as I'm 
pretty sure FF doesn't come with its own TCP stack and ethernet drivers. If 
MS's track record is so awful with shatter attacks, network hooking and 
redirecting, keystroke sniffing, etc, and your security needs are such that 
you can't afford to have a disabled extension in your firefox directories, 
you probably *shouldn't* be running Windows. Which is not to say running FF 
is a bad idea or less secure. It just means you can't run FF under windows 
without running any MS internet related code, which is *exactly* the bit 
Scott quoted.

But hey, a good hyperbole goes miles towards keeping a flame fest alive, so 
who am I to interfere?

-- 
   Darren New, San Diego CA, USA (PST)
   My fortune cookie said, "You will soon be
   unable to read this, even at arm's length."

Post a reply to this message

Darren New <dne### [at] sanrrcom> wrote:
> >   So basically you are saying: 

> No. Basically he's saying FF is still using Windows graphics routines to 
> draw, Windows font handlers to load fonts, Windows TCP stack to do TCP, 
> Windows DNS clients to look up hosts, Windows image processing code to 
> display images, and quite possibly (I haven't looked) Windows cryptographic 
> services to deal with certificates.

> If you "do not want *any* Microsoft internet-related code running in FF," 
> then you're going to have an awful time connecting out the ethernet port 
> that Windows is managing to share with all you other applications, as I'm 
> pretty sure FF doesn't come with its own TCP stack and ethernet drivers. If 
> MS's track record is so awful with shatter attacks, network hooking and 
> redirecting, keystroke sniffing, etc, and your security needs are such that 
> you can't afford to have a disabled extension in your firefox directories, 
> you probably *shouldn't* be running Windows. Which is not to say running FF 
> is a bad idea or less secure. It just means you can't run FF under windows 
> without running any MS internet related code, which is *exactly* the bit 
> Scott quoted.

> But hey, a good hyperbole goes miles towards keeping a flame fest alive, so 
> who am I to interfere?

  Spoken language is not always unambiguous. The expression "you are saying"
can have two meanings with a subtle difference:

  1) The literal meaning: "This is exactly what you are saying".

  2) The figurative meaning: "You are writing this, but you seem to be
implying this."
  Or more shortly: "So basically you are implying:"

  I understand perfectly the *literal* meaning of what he wrote, even
without your useless lengthy explanation. However, that literal meaning
seemed to imply what I said, ie. "since you can't avoid using MS software
if you are running your web broser in Windows, then it doesn't really
matter what software you use, and trying to make your system more secure
is useless".

  Or if we put it in other words: He seemed to be implying that if the
attitude is that MS software is insecure, running Firefox on Windows to
get more security (for the reason that MS software is insecure) is useless
because it will be running on top of MS software. The second implication
from this is that running FF is useless and you could just as well use IE.

-- 
                                                          - Warp

Post a reply to this message

scott wrote:
>> The majority of us (those who use FF for this reason)
>> *DO NOT WANT* any Microsoft internet-related code running in FF, it's that 
>> simple.
> 
> That will be a bit tricky seeing as you have FF running on an OS written by 
> MS, if you really do not want any MS code running then use a different OS 

That's not what I said. I said "running *in* FF". I don't understand why you
turn one into the other.

There's a difference between FF running *on* Microsoft software, and FF having
Microsoft plugins introduced *into* it. While we have to at a minimum put up
with FF using the Windows IP stack, mostly the rest of the code that is directly
exposed to the internet in FF is not written by MS. It is precisely this type of
code that has caused so many previous security incidents.

-- Chris

Post a reply to this message