Apple, Microsoft, Google Attacked For Evil Plugins

nk497 writes "A Mozilla exec has attacked Apple, Microsoft and Google for installing plugins without users' permission. 'Why do Microsoft, Google, Apple, and others think that it is an OK practice to add plug-ins to Firefox when I'm installing their software packages?' Asa Dotzler asks. 'That is precisely how a Trojan horse operates... These additional pieces of software installed without my consent may not be malicious but the means by which they were installed was sneaky, underhanded, and wrong.' He called on them to 'stop being evil.'"

Re:Yes

[Anonymous Coward]

Yeah, this shouldn't be too hard. My understanding is that there's a directory that Firefox explicitly reads to load extensions. To "install" an extension, all you need to do is dump an extension in there, and it's "installed."

But you can disable extensions that have been installed and prevent them from being loaded.

So all you have to do is swap that blacklist for a whitelist. Problem solved.

Why is this a problem?

Re:Add Yahoo as well

[PNutts]

Just last night I was testing something that required Yahoo messenger. After accurately deselecting all the various optional bullshit software it still installed the fucking Yahoo toolbar and who knows what else. What a scam.

I installed Yahoo! Messager last week and it did not install anything I deselected. But since you posted as AC all I can say is you did it wrong.

Re:Yes

[drachenstern]

Because not all extensions can be "disabled" from the UI. Then there's others, like Java, which don't remove old versions... go figure.

Re:Yes

[140Mandak262Jamuna]

These dumped extensions can be disabled and uninstalled only from a root account. If you are using a lower privilege account for day to day ops, the uninstall button is grayed out. These extensions are assumed to be installed for "all users" and one low privileged user would/should not be able to take them out. It is a pain to log out, and log in as superuser just to disable one extension that some corporate creep decides to shove on my machine.

Re:Beyond Firefox

[EvilMonkeySlayer]

Actually, if you go to the google earth download page undernearth the TOS there is an "advanced setup" option that expands to some tick boxes you can untick to download a version of google earth that doesn't include the horrible updater and a version that doesn't require admin rights that can install to the users directory.

Google but not Adobe?

[Enderandrew]

I have Google Chrome and Google Earth installed. I don't have any Google plugins installed in Firefox. So I'm not sure what he is talking about, unless something changed with Google Earth recently.

Adobe demands to install an extension just to let you download Flash, because downloading normally is out of the question.

Microsoft is the worst offender here, where they use Windows Update to push a Firefox .NET Assistant extension, don't ask your permission, and don't allow you to remove it.

Re:Solution: Warning box

[thePowerOfGrayskull]

You could if you tracked which ones were installed through the browser, vs which ones simply showed up in the plugins directory and were never 'approved' by the user. It doesn't seem difficult.

While you couldn't offer to delete them (because priv acct might be required) you *could* only enable them after explicit user approval.

Re:Yes

[theCoder]

Normally, I'd agree, but the OP specifically talked about a user supplied password to be able to add a plugin. That password could control access to a private key that is used to sign a hash of the valid list of plugins. On startup, Firefox could use the public key to validate the list of plugins, and throw up a big error if the list is invalid (because someone snuck one in).

Of course, recovering from this state would be difficult -- maybe Firefox could provide a way to disable plugins until the new list matched it's hash? But it would at least alert the user that something fishy was going on. Think of it as a tripwire [tripwire.org] for plugins.

original article

[Eil]

Here's Asa's blog post [mozillazine.org], so that you don't have to click through the "news" article, which is almost entirely a copy-and-paste of Asa's post.

Re:Google but not Adobe?

[tokul]

Adobe demands to install an extension just to let you download Flash, because downloading normally is out of the question.

http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe [adobe.com]
http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe [adobe.com]
Try to avoid installing Adobe download manager harder.

Turning the problem around

[QuietLagoon]

The Mozilla exec is trying to turn a FireFox security hole (i.e., the ability to load plug-ins without the user's knowledge or consent) into something else (other companies are evil for exploiting the security hole).

.
The solution is simple, Mozilla needs to fix the security hole in FireFox, and while they are at it, provide a means to uninstall plug-ins that does not rquire me to go rummaging through the filesystem looking for oddly-named files and deleting them.