POV-Ray : Newsgroups : povray.off-topic : Warning: Microsoft silently installing firefox extension
  Warning: Microsoft silently installing firefox extension (Message 34 to 43 of 63)  
From: Mike Raiford
Subject: Re: Warning: Microsoft silently installing firefox extension
Date: 10 Mar 2009 12:47:40
Message: <49b699ac$1@news.povray.org>
Chris Cason wrote:
> 
> Do you ever recall seeing firefox mention that the extension had been installed?
> (As I mentioned, I did not).
> 
> -- Chris

Not at all. It didn't ask me, FF didn't do its usual "Hey! You have a 
new plugin" dialog. Nothing.

Had I not read your post, I wouldn't have known about it.
-- 
~Mike



From: Darren New
Subject: Re: Warning: Microsoft silently installing firefox extension
Date: 10 Mar 2009 14:16:27
Message: <49b6ae7b$1@news.povray.org>
Chris Cason wrote:
> Darren New wrote:
>> In any case, did it bring up the "you installed new plug-ins" window when 
>> you started firefox the next time?  If not, this sounds like a bug in 
>> firefox as well.
> 
> No. But rather than a bug in FF, more likely Microsoft used a means that avoids
> this (which might be designed into FF, for all I know).

Hmmm... Here's what I did. I started a new VM, installed Vista, installed 
all suggested updates but .NET 3.5 SP1, then installed the latest firefox, 
and confirmed there was nothing in the tools menu about Microsoft.

Then I installed SP1.  Contrary to my memory, it did not make me agree to a 
new EULA, so if you told Windows to install updates without asking, it 
probably would do so "silently" as requested.

After rebooting, the first time I started firefox, it popped up the window 
saying "You have new extensions". The default option boxes were both turned 
off, so it doesn't report every version of .NET and doesn't prompt before 
running click-once programs. (Sounds like bad defaults to me.)

If you didn't get that, perhaps you have a different version of Windows or 
Firefox or .NET 3.5 SP1 installed. Perhaps MS got flamed and changed the 
code to be marginally less silent.

http://darren.s3.amazonaws.com/Junk.png because I'm sure at least some 
people will think I'm lying.  I'm sure at least some people will think I'm 
lying and even made up the screen shot, like I work for MS's legal 
department or something.

>> I'm also trying to figure out why this is a problem at all. You install 
>> software,
> 
> *Microsoft* installs software. *I* did not install it. Whether it came via
> windows update or bundled with another program I can't be sure. I can be sure I
> was never asked about it.

Since it was made available via Windows Update and did not require an EULA 
agreement, it's possible it installed itself if you tell Windows Update to 
install things automatically.

> I can't say whether or not the end-user is asked about it when it's installed
> via automatic updates (where they are set to "automatically download and
> install") but I would be surprised if they were asked - the purpose of auto
> download and install of windows update items is to do exactly that.

Usually big things ask, or at least anything where MS wants your agreement 
to a new EULA. For example, I don't think the "malicious software removal 
tool" runs without explicit permission. This update didn't.

> As a general rule, Microsoft has avoided directly installing stuff into programs
> they don't own in the past. And in any event, if I install software from
> manufacturer "X", I don't expect them to fiddle with the software from
> manufacturer "Y" unless they ask me first.

OK.  I guess they figure firefox is getting enough popularity they have to 
support it.  Maybe it comes from the number of people complaining you have 
to use IE to get to particular microsoft-centric web sites.

>> the problem is, really. It's not stealth, 
> 
> If I'm not told it's being done, it's stealth, at least insofar as modifying
> another company's product (*especially* when that product is considered by
> Microsoft as a competitor to one of their own programs).

OK. I guess that's just semantics there. They don't ask in advance, but 
before it runs you get told about it and get the opportunity to turn it off. 
It's modifying another company's product by installing extensions through a 
defined interface. Dunno.

> *DO NOT WANT* any Microsoft internet-related code running in FF, it's that simple.

Doesn't the "disable" button keep it from running? I mean, isn't that what 
that button *does*?  If not, sounds like FF is broken too.

> THAT is why I and many are pissed off this appeared in FF without our
> permission. Their security record speaks for itself. If you wish to defend
> Microsoft irregardless of their record, please do so elsewhere: this is not the
> forum for it.

Fair enough. Now I understand. :-)  I'm not sure why the conversation 
couldn't stay civil.

> Please: no more replies, no more posts from you on this topic. It gets nowhere
> and distracts from the real purpose of the thread.

I'm still curious about the "real purpose" of the thread. :-)

-- 
   Darren New, San Diego CA, USA (PST)
   My fortune cookie said, "You will soon be
   unable to read this, even at arm's length."



From: scott
Subject: Re: Warning: Microsoft silently installing firefox extension
Date: 11 Mar 2009 03:40:42
Message: <49b76afa$1@news.povray.org>
> The majority of us (those who use FF for this reason)
> *DO NOT WANT* any Microsoft internet-related code running in FF, it's that 
> simple.

That will be a bit tricky seeing as you have FF running on an OS written by 
MS, if you really do not want any MS code running then use a different OS 
for web browsing, it's the only way to be sure.



From: Warp
Subject: Re: Warning: Microsoft silently installing firefox extension
Date: 11 Mar 2009 18:51:46
Message: <49b84081@news.povray.org>
scott <sco### [at] scottcom> wrote:
> > The majority of us (those who use FF for this reason)
> > *DO NOT WANT* any Microsoft internet-related code running in FF, it's that 
> > simple.

> That will be a bit tricky seeing as you have FF running on an OS written by 
> MS, if you really do not want any MS code running then use a different OS 
> for web browsing, it's the only way to be sure.

  So basically you are saying: If you use Windows, don't bother even trying
to browse securely. Just use IE and whatever. After all, it's futile to even
try to do anything securely.

  That's the kind of TheDailyWTF style mentality, in the same lines as
"we don't have any passwords in your database server because, after all,
it's impossible to secure it from all possible hacker attacks".

-- 
                                                          - Warp



From: Darren New
Subject: Re: Warning: Microsoft silently installing firefox extension
Date: 11 Mar 2009 20:10:14
Message: <49b852e6$1@news.povray.org>
Warp wrote:
> scott <sco### [at] scottcom> wrote:
>>> The majority of us (those who use FF for this reason)
>>> *DO NOT WANT* any Microsoft internet-related code running in FF, it's that 
>>> simple.
> 
>> That will be a bit tricky seeing as you have FF running on an OS written by 
>> MS, if you really do not want any MS code running then use a different OS 
>> for web browsing, it's the only way to be sure.
> 
>   So basically you are saying: 

No. Basically he's saying FF is still using Windows graphics routines to 
draw, Windows font handlers to load fonts, Windows TCP stack to do TCP, 
Windows DNS clients to look up hosts, Windows image processing code to 
display images, and quite possibly (I haven't looked) Windows cryptographic 
services to deal with certificates.

If you "do not want *any* Microsoft internet-related code running in FF," 
then you're going to have an awful time connecting out the ethernet port 
that Windows is managing to share with all your other applications, as I'm 
pretty sure FF doesn't come with its own TCP stack and ethernet drivers. If 
MS's track record is so awful with shatter attacks, network hooking and 
redirecting, keystroke sniffing, etc, and your security needs are such that 
you can't afford to have a disabled extension in your firefox directories, 
you probably *shouldn't* be running Windows. Which is not to say running FF 
is a bad idea or less secure. It just means you can't run FF under windows 
without running any MS internet related code, which is *exactly* the bit 
Scott quoted.

But hey, a good hyperbole goes miles towards keeping a flame fest alive, so 
who am I to interfere?

-- 
   Darren New, San Diego CA, USA (PST)
   My fortune cookie said, "You will soon be
   unable to read this, even at arm's length."



From: Warp
Subject: Re: Warning: Microsoft silently installing firefox extension
Date: 11 Mar 2009 21:53:51
Message: <49b86b2f@news.povray.org>
Darren New <dne### [at] sanrrcom> wrote:
> >   So basically you are saying: 

> No. Basically he's saying FF is still using Windows graphics routines to 
> draw, Windows font handlers to load fonts, Windows TCP stack to do TCP, 
> Windows DNS clients to look up hosts, Windows image processing code to 
> display images, and quite possibly (I haven't looked) Windows cryptographic 
> services to deal with certificates.

> If you "do not want *any* Microsoft internet-related code running in FF," 
> then you're going to have an awful time connecting out the ethernet port 
> that Windows is managing to share with all your other applications, as I'm 
> pretty sure FF doesn't come with its own TCP stack and ethernet drivers. If 
> MS's track record is so awful with shatter attacks, network hooking and 
> redirecting, keystroke sniffing, etc, and your security needs are such that 
> you can't afford to have a disabled extension in your firefox directories, 
> you probably *shouldn't* be running Windows. Which is not to say running FF 
> is a bad idea or less secure. It just means you can't run FF under windows 
> without running any MS internet related code, which is *exactly* the bit 
> Scott quoted.

> But hey, a good hyperbole goes miles towards keeping a flame fest alive, so 
> who am I to interfere?

  Spoken language is not always unambiguous. The expression "you are saying"
can have two meanings with a subtle difference:

  1) The literal meaning: "This is exactly what you are saying".

  2) The figurative meaning: "You are writing this, but you seem to be
implying this."
  Or more shortly: "So basically you are implying:"

  I understand perfectly the *literal* meaning of what he wrote, even
without your useless lengthy explanation. However, that literal meaning
seemed to imply what I said, ie. "since you can't avoid using MS software
if you are running your web browser in Windows, then it doesn't really
matter what software you use, and trying to make your system more secure
is useless".

  Or if we put it in other words: He seemed to be implying that if the
attitude is that MS software is insecure, running Firefox on Windows to
get more security (for the reason that MS software is insecure) is useless
because it will be running on top of MS software. The second implication
from this is that running FF is useless and you could just as well use IE.

-- 
                                                          - Warp



From: Chris Cason
Subject: Re: Warning: Microsoft silently installing firefox extension
Date: 11 Mar 2009 22:03:43
Message: <49b86d7f$1@news.povray.org>
scott wrote:
>> The majority of us (those who use FF for this reason)
>> *DO NOT WANT* any Microsoft internet-related code running in FF, it's that 
>> simple.
> 
> That will be a bit tricky seeing as you have FF running on an OS written by 
> MS, if you really do not want any MS code running then use a different OS 

That's not what I said. I said "running *in* FF". I don't understand why you
turn one into the other.

There's a difference between FF running *on* Microsoft software, and FF having
Microsoft plugins introduced *into* it. While we have to at a minimum put up
with FF using the Windows IP stack, mostly the rest of the code that is directly
exposed to the internet in FF is not written by MS. It is precisely this type of
code that has caused so many previous security incidents.

-- Chris



From: Chris Cason
Subject: Re: Warning: Microsoft silently installing firefox extension
Date: 11 Mar 2009 22:09:04
Message: <49b86ec0$1@news.povray.org>
Mike Raiford wrote:
> Chris Cason wrote:
>> Do you ever recall seeing firefox mention that the extension had been installed?
>> (As I mentioned, I did not).
>>
>> -- Chris
> 
> Not at all. It didn't ask me, FF didn't do its usual "Hey! You have a 
> new plugin" dialog. Nothing.
> 
> Had I not read your post, I wouldn't have known about it.

Thanks for confirming that. It appears that perhaps Microsoft has changed the
behaviour, or alternately the presence or absence of confirmation depends on
other factors unknown to us.

-- Chris



From: Chris Cason
Subject: Re: Warning: Microsoft silently installing firefox extension
Date: 11 Mar 2009 22:34:42
Message: <49b874c2@news.povray.org>
Darren New wrote:
> you can't afford to have a disabled extension in your firefox directories, 

Just to clarify, as I presume you are implying (since clearly Warp made no
statement even slightly like this) that I made such claims:

  1. I have made statements that for security reasons I don't like risking
     having operational Microsoft extensions silently turn up in my FF install.

  2. I have at no time said I "cannot afford" to have a disabled extension.
     Any such implication is at most a distortion and possibly an outright lie.

  3. I have not stated that disabling the extension is insufficient.

  4. I have pointed out that it is not good that Microsoft disables the means
     of un-installing the extension.

  5. You have repeatedly claimed that it is my fault the plugin turned up
     because I ignored warnings, clicked through EULA's, or whatever.

  6. By your own admission you now agree the service pack doesn't present an
     EULA.

  7. At least one other poster in this thread has confirmed that no warning was
     given by FF that the plugin had been installed on his system. This is also
     the experience of the majority of the posts on this topic that I have read
     around the WWW, which while not in itself proof, certainly lends credence
     to my position.

Most of your time in this thread has been spent arguing that I was wrong in my
claims. Now it appears you are resorting to casting aspersions on the *reasons*
I don't like what Microsoft did.

-- Chris



From: Darren New
Subject: Re: Warning: Microsoft silently installing firefox extension
Date: 12 Mar 2009 01:15:49
Message: <49b89a85$1@news.povray.org>
Chris Cason wrote:
>   1. I have made statements that for security reasons I don't like risking
>      having operational Microsoft extensions silently turn up in my FF install.

No, me neither.

>   2. I have at no time said I "cannot afford" to have a disabled extension.
>      Any such implication is at most a distortion and possibly an outright lie.

I neither said nor implied you did.

>   3. I have not stated that disabling the extension is insufficient.

I neither said nor implied you did.

>   4. I have pointed out that it is not good that Microsoft disables the means
>      of un-installing the extension.

I agree with you. I'm not sure why they do.

>   5. You have repeatedly claimed that it is my fault the plugin turned up
>      because I ignored warnings, clicked through EULA's, or whatever.

I admitted I misremembered that.

>   6. By your own admission you now agree the service pack doesn't present an
>      EULA.

Yep.  Odd, since there's a SP1-specific EULA.

Are you somehow trying to embarrass me by pointing out that I took time to 
do the experiments and posted the results indicating that I was mistaken? Or 
are you encouraging me to not, in the future, admit when I've made a 
mistake? I'm honestly unsure of your motivation for this summary.

>   7. At least one other poster in this thread has confirmed that no warning was
>      given by FF that the plugin had been installed on his system. This is also
>      the experience of the majority of the posts on this topic that I have read
>      around the WWW, which while not in itself proof, certainly lends credence
>      to my position.

I can't speak to that, except to say that when I reproduced the situation, I 
got a warning myself. I already admitted that others may be running 
different versions of something that cause different behavior, and even that 
Microsoft may have changed the behavior of the SP1 since the articles noted 
its behavior.

> Most of your time in this thread has been spent arguing that I was wrong in my
> claims. Now it appears you are resorting to casting aspersions on the *reasons*
> I don't like what Microsoft did.

I wasn't speaking about you, or to you, at all. I was saying that Warp's 
hyperbole was extending the lovely flamefest we're having, as hyperbole 
tends to do.

Try not to read personal attacks into statements that aren't about you. 
Things go more smoothly.

-- 
   Darren New, San Diego CA, USA (PST)
   My fortune cookie said, "You will soon be
   unable to read this, even at arm's length."




Copyright 2003-2023 Persistence of Vision Raytracer Pty. Ltd.