Posted by: Ken Harthun
When I fired up my laptop the other day, I was greeted with this pop-up box:
If you’re running Firefox, you may have already seen it yourself. Recall that these add-ons were installed into Firefox without the user’s permission, causing quite an uproar in the Mozilla user community. Brian Krebs of The Washington Post wrote:
In May, I wrote about a Windows patch for the Microsoft .NET package that silently installed the Microsoft .NET Framework Assistant add-on into Firefox. The package also included an associated plug-in for Firefox called the Windows Presentation Foundation plug-in. The Mozilla user community was up in arms over not just the fact that Microsoft was introducing unwanted components that could potentially weaken the security of Firefox, but that Redmond had made the thing almost impossible to remove.
Mike Shaver, Mozilla’s vice president of engineering, wrote Friday on the Mozilla Security Blog:
Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism. Microsoft agreed with the plan, and we put the blocklist entry live immediately.
At least Microsoft agreed with Mozilla’s action to block the insecure add-on, but shame on them for blatantly compromising the security of a browser they don’t even own.
Conspiracy theorists: Do you have an opinion on this?