Apple, Microsoft, Google Attacked For Evil Plugins
nk497 writes "A Mozilla exec has attacked Apple, Microsoft and Google for installing plugins without users' permission. 'Why do Microsoft, Google, Apple, and others think that it is an OK practice to add plug-ins to Firefox when I'm installing their software packages?' Asa Dotzler asks. 'That is precisely how a Trojan horse operates... These additional pieces of software installed without my consent may not be malicious but the means by which they were installed was sneaky, underhanded, and wrong.' He called on them to 'stop being evil.'"
Re:Yes (Score:1, Informative)
Yeah, this shouldn't be too hard. My understanding is that there's a directory that Firefox explicitly reads to load extensions. To "install" an extension, all you need to do is dump an extension in there, and it's "installed."
But you can disable extensions that have been installed and prevent them from being loaded.
So all you have to do is swap that blacklist for a whitelist. Problem solved.
Why is this a problem?
Re:Add Yahoo as well (Score:3, Informative)
Just last night I was testing something that required Yahoo messenger. After accurately deselecting all the various optional bullshit software it still installed the fucking Yahoo toolbar and who knows what else. What a scam.
I installed Yahoo! Messenger last week and it did not install anything I deselected. But since you posted as AC all I can say is you did it wrong.
Re:Yes (Score:4, Informative)
Because not all extensions can be "disabled" from the UI. Then there's others, like Java, which don't remove old versions... go figure.
Re:Yes (Score:3, Informative)
Re:Beyond Firefox (Score:3, Informative)
Google but not Adobe? (Score:4, Informative)
I have Google Chrome and Google Earth installed. I don't have any Google plugins installed in Firefox. So I'm not sure what he is talking about, unless something changed with Google Earth recently.
Adobe demands to install an extension just to let you download Flash, because downloading normally is out of the question.
Microsoft is the worst offender here, where they use Windows Update to push a Firefox .NET Assistant extension, don't ask your permission, and don't allow you to remove it.
Re:Solution: Warning box (Score:4, Informative)
While you couldn't offer to delete them (because priv acct might be required) you *could* only enable them after explicit user approval.
Re:Yes (Score:4, Informative)
Normally, I'd agree, but the OP specifically talked about a user supplied password to be able to add a plugin. That password could control access to a private key that is used to sign a hash of the valid list of plugins. On startup, Firefox could use the public key to validate the list of plugins, and throw up a big error if the list is invalid (because someone snuck one in).
Of course, recovering from this state would be difficult -- maybe Firefox could provide a way to disable plugins until the new list matched its hash? But it would at least alert the user that something fishy was going on. Think of it as a tripwire [tripwire.org] for plugins.
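The tripwire described in the comment above, sketched as an added example (not part of the original thread and not Firefox code): a password-protected private key signs the approved extension list, and startup verification needs only the public key. The function names, extension ids, contents and password are hypothetical or constructed, and Ed25519 with an encrypted PKCS#8 key in Node.js is an assumed choice.

```javascript
const crypto = require('node:crypto');

// Canonical form of the approved list: sorted [id, sha256(content)] pairs,
// so the order in which extensions are found on disk does not matter.
function manifestBytes(extensions) {
  const pairs = Object.keys(extensions).sort().map((id) => [
    id,
    crypto.createHash('sha256').update(extensions[id]).digest('hex'),
  ]);
  return Buffer.from(JSON.stringify(pairs), 'utf8');
}

// One-time setup: the private key is stored encrypted under the user's password.
function createKeys(password) {
  return crypto.generateKeyPairSync('ed25519', {
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: {
      type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase: password,
    },
  });
}

// User-approved install: signing requires the password to unlock the key.
function approve(extensions, privateKeyPem, password) {
  return crypto.sign(null, manifestBytes(extensions),
    { key: privateKeyPem, passphrase: password });
}

// Startup check: public key only, no password prompt.
function verifyAtStartup(extensions, publicKeyPem, signature) {
  return crypto.verify(null, manifestBytes(extensions), publicKeyPem, signature);
}

function demo() {
  const keys = createKeys('constructed-password');
  const installed = { 'adblock@example.invalid': 'extension bytes v1' }; // constructed
  const sig = approve(installed, keys.privateKey, 'constructed-password');
  const clean = verifyAtStartup(installed, keys.publicKey, sig);
  // Another installer drops an extension into the directory without approval.
  const dropped = { ...installed, 'toolbar@example.invalid': 'added silently' };
  const afterDrop = verifyAtStartup(dropped, keys.publicKey, sig);
  // Without the password the new list cannot be re-signed.
  let wrongPasswordRejected = false;
  try { approve(dropped, keys.privateKey, 'guess'); } catch (e) { wrongPasswordRejected = true; }
  return { clean, afterDrop, wrongPasswordRejected };
}
```

Software that can write to the profile can also replace the stored public key and signature, so the check only holds if those are kept somewhere other installers cannot modify.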
original article (Score:3, Informative)
Here's Asa's blog post [mozillazine.org], so that you don't have to click through the "news" article, which is almost entirely a copy-and-paste of Asa's post.
Re:Google but not Adobe? (Score:3, Informative)
http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe [adobe.com]
http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe [adobe.com]
Try to avoid installing Adobe download manager harder.
Turning the problem around (Score:3, Informative)
.
The solution is simple: Mozilla needs to fix the security hole in Firefox, and while they are at it, provide a means to uninstall plug-ins that does not require me to go rummaging through the filesystem looking for oddly-named files and deleting them.