Forgot your password?
typodupeerror
Firefox Google Microsoft Mozilla Privacy Apple

Apple, Microsoft, Google Attacked For Evil Plugins 293

Posted by CmdrTaco
from the also-wear-more-hats dept.
nk497 writes "A Mozilla exec has attacked Apple, Microsoft and Google for installing plugins without users' permission. 'Why do Microsoft, Google, Apple, and others think that it is an OK practice to add plug-ins to Firefox when I'm installing their software packages?' Asa Dotzler asks. 'That is precisely how a Trojan horse operates... These additional pieces of software installed without my consent may not be malicious but the means by which they were installed was sneaky, underhanded, and wrong.' He called on them to 'stop being evil.'"
This discussion has been archived. No new comments can be posted.

Apple, Microsoft, Google Attacked For Evil Plugins

Comments Filter:
  • Yes (Score:5, Insightful)

    by metrix007 (200091) on Monday November 29, 2010 @11:12AM (#34375078)

    Yes...I should not have to check addons to firefox to make sure nothing dodgy has been installed. Of course, this behaviour will continue as long as it is technically possible, so why doesn't Mozilla simply make it impossible? Only allow installing addons through firefox, with explicit prompts.

    • Re:Yes (Score:5, Insightful)

      by Krneki (1192201) on Monday November 29, 2010 @11:28AM (#34375302)
      Exactly, lock the plug-ins with a password. This is something I'm waiting since a long time ago.

      It's my browser and I don't like changes being made without my explicit confirmation.
      • Re:Yes (Score:4, Insightful)

        by QuoteMstr (55051) <dan.colascione@gmail.com> on Monday November 29, 2010 @12:04PM (#34375762)

        This approach is doomed.

        The browser has to somewhere remember that a user approved an extension. It does this by writing state to disk. A malicious extension installer can simply modify this saved state to make the browser think the user installed and approved the payload. The same goes for a startup message advertising extensions that have been installed since the last browser run.

        You can't win this fight without OS involvement. The correct solution is application-level sandboxing, which quite a few people are working on.

        • Re: (Score:2, Insightful)

          by Sancho (17056) *

          This kind of problem can be significantly mitigated through the methods suggested by the GP, though. Encrypt the list of enabled plugins with a user password. Now other software may be able to add plugins, but they can't enable them. You could go farther and encrypt the entire plugin directory, but I think that's probably overkill.

          • Re:Yes (Score:5, Insightful)

            by QuoteMstr (55051) <dan.colascione@gmail.com> on Monday November 29, 2010 @12:45PM (#34376306)

            Encrypt the list of enabled plugins with a user password

            "Encryption" is the wrong word here. What we're talking about is digital signing. The way it would work is that upon installation, the browser would generate a public-private keypair, encrypt the private key with a password of the user's choice, and save the resulting public key and encrypted private key to persistent storage.

            At all times, the browser would store the list of enabled plugins and sign it with the encrypted private key. Nobody can generate a valid signature for a list of enabled plugins without the password, and the browser will not use a plugin list unless it comes with a valid signature.

            All this is fine as far as it goes, but it'll only work until our malicious plugin installer patches [microsoft.com] the browser binary and makes it skip the key check; the malware could also replace both the public and the private key with replacements of its choosing. Either way, the user may or may not eventually notice that something is wrong, but if he does, it probably won't be a while, and he probably won't be able to track the malfunction back to the evil installer.

            Malware vendors can also wait for the user to type his password when installing a different plugin, then use that password to generate a valid signature for a plugin list that includes anything desired.

            The moral is that applications still need to be sandboxed. They're not protected from each other [msdn.com]. Without OS-level protection, applications can do horrible things (often without needing elevated privileges at all). Half-measures aren't the answer.

            • by Sancho (17056) *

              What you're talking about is digital signing. What I was talking about was encryption. Both would work just fine to mitigate the problem (as I said.) The GP to my original post said nothing about encryption or signing, just "password protecting."

              Neither approach solves the problem (as implied by my use of the word "mitigates."

              It's the height of arrogance to assume that I didn't mean what I wrote.

              • Re:Yes (Score:5, Insightful)

                by QuoteMstr (55051) <dan.colascione@gmail.com> on Monday November 29, 2010 @01:03PM (#34376568)

                My interpretation was in the spirit of intellectual charity, not arrogance; i.e., I gave you the benefit of the doubt, employing the only interpretation that makes any sense.

                Encryption without authentication is worthless. Either you're using symmetric encryption and you make the user enter the password every time the browser wants to read the plugin list (or worse, store the key on disk), or you're using asymmetric encryption and creating a message that can be decrypted by a given public key is simple.

                Encryption *and* authentication is pointless in this case because the browser needs to be able to decrypt plugin information at all times using only information in persistent storage. Encryption does not provide any security properties in this context.

                So we're left with authentication itself being the task at hand, which I assumed is what you meant. But instead of having an adult conversation about the issue, you have a temper tantrum. I'm through.

        • Re:Yes (Score:4, Informative)

          by theCoder (23772) on Monday November 29, 2010 @12:28PM (#34376060) Homepage Journal

          Normally, I'd agree, but the OP specifically talked about a user supplied password to be able to add a plugin. That password could control access to a private key that is used to sign a hash of the valid list of plugins. On startup, Firefox could use the public key to validate the list of plugins, and throw up a big error if the list is invalid (because someone snuck one in).

          Of course, recovering from this state would be difficult -- maybe Firefox could provide a way to disable plugins until the new list matched it's hash? But it would at least alert the user that something fishy was going on. Think of it as a tripwire [tripwire.org] for plugins.

      • by guanxi (216397)

        Exactly, lock the plug-ins with a password. This is something I'm waiting since a long time ago.

        It's my browser and I don't like changes being made without my explicit confirmation.

        Good idea, but impossible to enforce. If you give a program rights to install local code, it can modify or bypass any security Mozilla implements.

    • And (Score:5, Insightful)

      by ISoldat53 (977164) on Monday November 29, 2010 @11:37AM (#34375414)
      Make it easier to remove them.
    • Re:Yes (Score:4, Insightful)

      by mellon (7048) on Monday November 29, 2010 @11:42AM (#34375452) Homepage

      You are right in principle, but not in practice. The problem is that the security model for software package installations allows for privilege escalation in an unconstrained (not chrooted) environment. This means that the installer can do whatever it wants to Mozilla, and there's nothing Mozilla can do to stop it.

      The solution to this problem is to use a different installation model and a different security model. Two examples are Bitfrost [laptop.org] and iOS [wikipedia.org]. Both use a security model where apps are constrained as to what they can access, and how they can access it. Installers aren't allowed to scribble all over the filesystem. Consequently, app installers would not be *able* to modify the Mozilla install, so this simply wouldn't be an issue.

      So basically what's going on here is that these companies are taking advantage of a broken security model while they can. Hopefully as technology marches forward, this broken security model will become obsolete, although I see no evidence that Microsoft or Apple are working on it.

    • Re: (Score:2, Insightful)

      by mysidia (191772)

      so why doesn't Mozilla simply make it impossible?

      Because they shouldn't have to? Due to understood ownership of the application's own files by that application and the system admin?

      Apple, Google, Microsoft should list their plugins in the Addons directory, just like everyone else has to. If they think users will strongly benefit from a plugin and want to make things easy, they should at least prompt first, before messing with a different application's files.

      Because the functionality Microsoft/Goog

    • Re: (Score:3, Insightful)

      by Tharsman (1364603)

      Exactly what I was thinking. How about they stop being enablers and turn those stealth instals into install requests the user can turn down immediately?

    • Because they can't make it impossible. If they do that installers will simply start directly modifying whatever file contains that list of explicitly approved plugins to add theirs to it.

    • Doomed to failure. (Score:4, Insightful)

      by davev2.0 (1873518) on Monday November 29, 2010 @01:08PM (#34376666)
      This solution requires Mozilla to fix things on their end rather than complaining about big companies doing something Mozilla didn't bother to prevent.
      • Re: (Score:3, Insightful)

        by Zumbs (1241138)
        No, it requires Mozilla to hack Windows and OSX to ensure that programs running with administrator rights cannot change resourses used by Firefox. Which will get pretty messy.
  • anti-trust! (Score:3, Funny)

    by alphatel (1450715) * on Monday November 29, 2010 @11:13AM (#34375102)
    But MS, G and A all have our best interests at heart. No program should be able to circumvent this explicitly allowable behavior!
  • by GodWasAnAlien (206300) on Monday November 29, 2010 @11:16AM (#34375134)

    Warning: A third party plugin, PluginNameHere, has been installed without user consent:

    DELETE KEEP

    • by X0563511 (793323)

      That verbiage is bad. You can't know if it was with consent or not.

      • by thePowerOfGrayskull (905905) <marc.paradise@NOsPAm.gmail.com> on Monday November 29, 2010 @12:03PM (#34375750) Homepage Journal
        You could if you tracked which ones were installed through the browser, vs which ones simply showed up in the plugins directory and were never 'approved' by the user. It doesn't seem difficult.

        While you couldn't offer to delete them (because priv acct might be required) you *could* only enable them after explicit user approval.

        • by X0563511 (793323)

          I'm just saying the wording was bad. Just find a more neutral way to say it, is all I meant. (something like "the addon 'SuperHappyKittySearchbar' was installed in an unusual manner. Do you wish to enable it?")

          • Re: (Score:3, Insightful)

            by d3ac0n (715594)

            The thing is, nontechnical users don't WANT "neutral" verbiage. Part of the problem with many computer dialogs is not that they don't make sense, it's that they don't help you assess the VALUE of the warning they are giving.

            Since most computer users don't have a frame of reference or knowledge from which to assess the value of warnings they receive, we have to supply that for them in the dialog message.

            I think that we can all agree that installing something, ANYTHING, into our browsers without explicit user

    • Re: (Score:2, Insightful)

      by baka_toroi (1194359)
      "Son, what should I do?" I will remember you forever when my mom calls me about that dialog box. Thank yo, GodWasAnAlien (BTW, don't you mean "Christ"?)
    • Let us look at some use cases -

      System plugins in central directory, firefox starts. This is the case after creating a new user, or wiping the firefox local directory, or after a typical install. In this case you don't want endless nattering, because it is just too confusing.

      If yum or apt is used to install new software, that software was usually installed with root privilege. It can just drop the new plugins into the central directory, and you are basically at the first point. And, as a "bonus", these plugi

  • by gurps_npc (621217) on Monday November 29, 2010 @11:16AM (#34375144) Homepage
    Not that difficult to code in a startup screen "X addons installed since last restart. Should I remove?"
    • Re: (Score:2, Funny)

      by Anonymous Coward

      One could write a plugin that does just that!

      • by gurps_npc (621217)
        A plug in to detect plugin changes and ask to remove them? Sounds like a good idea to me. Of course, the pop up should have an optional auto-cancel itself if you don't respond to it within 5 seconds.
    • Re: (Score:3, Insightful)

      by MobyDisk (75490)

      Only slightly less difficult than that, is making the installer mark the add-ons as already approved. Even so, it is still a good idea because while installing a plug-in without permission is a gray area, pretending that the user clicked "yes I want this" when they didn't is probably illegal.

    • Here's an addon that claims to do just that. It's at version 0.2 and hasn't been updated in a year, but maybe worth a try (or worth helping the developer):

      PluginChecker
      https://addons.mozilla.org/en-US/firefox/addon/46214/ [mozilla.org]

  • by Anonymous Coward on Monday November 29, 2010 @11:17AM (#34375164)

    One thing I've slowly come to realize is that most people do not mind a big company or other entity controlling their computers. They're quite happy to run javascript trackers, download web bugs, run any executable without knowing whether it's safe, and so on.

    Many of us here have an aversion to these things. If we see a plugin installed without our permission, we'll figure out how to remove it. But most people do not place any value in having control over their own hardware, so they see no value in doing that.

    The end result of this is going to be a highly controlled internet, because the number of people who care about its freedom and openness is very tiny compared to the number who don't. The market forces will decide, and those are clearly on the side of the "you may control my computer in any way you want, Mr Multinational Corporation".

    PS - my CAPTCHA for this message was "disallow".

    • by spacefiddle (620205) <spacefiddle&gmail,com> on Monday November 29, 2010 @12:00PM (#34375706) Homepage Journal

      I would alter "do not mind" to "have no clue and don't understand the potential implications of." The end result will be a highly controlled everything, because people are neither taught nor encouraged to think about things that don't relate to their immediate button-pushing responsibilities, coupled with a fair amount of casual despair about having any control over their own lives.

      Most enduser types I've talked to about such things tend to give me lines like "Ah, none of this stuff affects me," "Whaddyagonna do, they'll do what they want anyway" and "Pfff, they wouldn't do anything really bad."

    • by erroneus (253617) on Monday November 29, 2010 @12:07PM (#34375794) Homepage

      There is much truth in what you speak here. But it gets worse.

      Turns out that this is all done because Apple, Microsoft and Google (and more) have all done studies to determine the preferences of most users. The goal is to make things easier. It doesn't matter if easier makes them more vulnerable, easier is preferred by the general public. (Now if only the TSA and government would get this message! We don't care to be "safer" if it's inconvenient!)

      If they have to be bothered to install or even be prompted to install things, this will add to the level of frustration a user will experience.

      Does anyone remember the period of time in which you could hear the words "computer illiterate" spoken with a certain level of pride? "Oh, I'm computer illiterate..." Seriously? It's true and there is still a small number of people out there who wear their ignorance as a badge of honor. We have a HUGE world of user psychology to overcome before we can get to a place where people are aware and cautious.

      For the moment, "ignorance is an excuse" for the problems they experience. If they actually take control of their own machines and something bad happens, it becomes THEIR OWN fault which is a responsibility they do not want to accept. It is far easier for them to curse and blame the faceless others out there rather than blame themselves for their own lack of interest.

      TL;DR? Users want to blame anyone but themselves when they have problems. If they learn anything, it becomes a burden of responsibility they simply do not want.

    • Many of us here have an aversion to these things...But most people do not place any value in having control over their own hardware...

      People are that way about what they ingest into their bodies also.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      The CAPTCHAs are themed to the article. Slashdot has been doing this for a long time now. People like you keep posting their CAPTCHAs as if it is some humorous and unlikely coincidence that the word has a contextual applicability to the article topic.

      This is on purpose. The system is explicitly designed to do this. Stop acting surprised.

  • The Mint Linux distro installs a default custom search that not only removes a lot of functionality from google but also takes up half the page size on a 12.1 inch netbook with a plain ugly design, just to make some cash. Fixing it is possible but come on! I donate cash already to various projects, but Mint can kiss my hairy ass. I need that left column in Google search because else it gives me results from the beginning of the ice age on any query related to current events.

    But companies just can't accept

    • So your aspiration in life is to work at McDonalds and hope to serve Bill Gates? Wow, what an aspiration...

    • Bill Gates: "One milk shake please"

      Guys, it is time we quit picking on that pitiable guy. Was bad, was responsible for (what passes for) culture in Microsoft. But that was a long time ago. May be he did not know the evil he was unleashing on computers. But now he is mostly out of Microsoft and is trying atone for his sins by spending his money in charity.

      • But that was a long time ago.

        I still have to fix IE6 bugs.

        The vast majority of companies still use Windows PCs, largely due to the lock-in which started in Bill's time.

        Gates may no longer be in charge at Richmond but the effects of his thirty-odd years leading one of the most powerful tech companies in the world will be felt for a long time yet.

        • I am no fan of Microsoft. But their monumental screw-up is so big it is impossible to credit one man with all of it. May be he got bulk of the benefits and so should bear most of the blame, but still all those clueless CIOs of corporations, shills, contractors, brainless users, useless trade magazines... We should hold the feet of the present day honchos to the fire, instead of allowing them to feign innocence by blaming it all on Bill Gates. Saw him on CNN Christiane Ammanpour yesterday, he has earned War
          • Re: (Score:3, Interesting)

            by mcgrew (92797) *

            "I’ll tell you why I like the cigarette business. It costs a penny to make. Sell it for a dollar. It’s addictive. And there’s fantastic brand loyalty." —Buffett, quoted in Barbarians at the Gate: The Fall of RJR Nabisco (from wikipedia) [wikipedia.org]

            If you want me to like Bill Gates, saying he has Warren Buffet's approval won't do it.

    • Why Bill? Didn't he retire?
      Perhaps more can be read on the fact that you want to feed Bill Gates your seed, though...*cough*

    • by couchslug (175151)

      "But companies just can't accept that we don't want their crap. "

      Yeah, I hate all that unwanted shit Debian installs. Oh, wait....

    • by internewt (640704)

      I would love to serve one of the execs.

      Bill Gates: "One milk shake please"

      Me: *FAP FAP FAP*. *HATCHOO*. *SPIT*.

      Me: "Sure, and enjoy the free extra I added in regoniztion of the quality software you shovelled on me."

      Anyone knows if the McD at Redmond is hiring?

      The jingle from the CrackDonalds adverts that goes "du du du da da, I'm lovin' it" also fits perfectly with "du du du da da, There's cum in it". And is probably much more descriptive.

      Hell, a mate of mine swears a local SmackDonalds was closed down after Trading Standards found semen in food from the place (allegedly 7 different peoples'). I have tried to track the story down, but there doesn't seem to have been anything in the press about it, so I count it as an urban legend.

      But I bet there are rumours like

  • by Anonymous Coward on Monday November 29, 2010 @11:21AM (#34375202)

    When I read the title I understood: "Apple, Microsoft, Google Attacked by Evil Penguins ". I should not have tried to read it again, it completely destroyed the original effect.

  • by bradgoodman (964302) on Monday November 29, 2010 @11:34AM (#34375366) Homepage
    See no evil, Hear no evil, Speak no Evil
    • Indeed. We want to keep our Firefox like it is! We don't want it to become Internet Explorer, Safari or Chrome!
  • It is the fault of others for exploiting it?

    Now, I am not saying Apple/Google/MS are in the right here, but Mozilla shouldn't allow just anyone to install extensions.

    How about they fix their exploits instead of pointing fingers.
    • by Lundse (1036754) on Monday November 29, 2010 @12:08PM (#34375814)

      Yes. It is the other's fault.

      The human body is very easy to puncture with a knife, this does not make slashing open your neighbour OK.
      Cars can drive beyond the speed limit, houses can be broken into, people can be swindled, telephones called by telemarketers, etc. etc.

      None of this makes it OK to do any of these things, and just because Firefox is built around a certain design principle (that it should be easy to modify) does not make it OK for others to modify it against the user's wishes.

      • Agreed. This is a social problem, not a technical problem. As long as you can back up your home directory and restore it to your new computer without having to reconfigure your browser then any installer will be able to do the same. It is good that this can be done, companies just need to stop abusing it.

  • by bl8n8r (649187) on Monday November 29, 2010 @11:37AM (#34375404)
    when you have 300 jillion people using your product, you can afford not to care.  No it's not fair, but that's capitalism.
  • I'm repeating what someone has already said-- but why do we not have reasonable protection (security) against this, at the browser level?

    • All Firefox does is scan a directory for extensions. Anyone can write to your profile even when the browser isn't running. You just need to dump files there. How can Firefox protect a directory when Firefox isn't even running?

      If extensions were handled 100% through an online Mozilla service, then no one could touch that. And your extensions would travel from computer to computer.

    • It's hard to fight Windows Update.

      Neither Windows nor Linux has per-application compartmentalized security. In theory, you could use something like SELinux to give each vendor their own compartment, preventing an install from vendor A from affecting an install from vendor B. But the installers would have to be aware of this, and carefully stay in their own spaces, or installations would fail. Nobody does that.

      (Someday, somebody is going to crack the signing key for Windows update, hijack a router to

  • by Enderandrew (866215) <enderandrew@gm[ ].com ['ail' in gap]> on Monday November 29, 2010 @11:57AM (#34375644) Homepage Journal

    I have Google Chrome and Google Earth installed. I don't have any Google plugins installed in Firefox. So I'm not sure what he is talking about, unless something changed with Google Earth recently.

    Adobe demands to install an extension just to let you download Flash, because downloading normally is out of the question.

    Microsoft is the worst offender here, where they use Windows Update to push a Firefox .NET Assistant extension, don't ask your permission, and don't allow you to remove it.

  • I installed iTunes on XP and ended up with about 4 services, a startup entry and an Outlook Add-in (that stops Outlook closing properly, incidentally). WTF does does iTunes need an Outlook Add-in for?
    • Apple has been up to those types of hitchhiking installs for a long time. As a Winamp fan, I didn't need itunes at all. I wanted to install Quicktime. For a long time it was not available from Apple without the iTunes installer as part of the package.

      I just checked their website to see if this was still the case. They fixed it. You can now get Quicktime with or without iTunes included. The without was not an option a few years ago.

      You can see your choices on this download page.
      http://www.apple.com/qui [apple.com]

  • original article (Score:3, Informative)

    by Eil (82413) on Monday November 29, 2010 @01:01PM (#34376536) Homepage Journal

    Here's Asa's blog post [mozillazine.org], so that you don't have to click through the "news" article, which is almost entirely a copy-and-paste of Asa's post.

  • Where was all the screaming when Adobe's PDF-making add-in for Office (Windows only, of course, since Apple did it right) turned out to force menus and a toolbar to appear in each Office app? There's no excuse for allowing an external app this kind of power. Under XP & Office2k/2003 (and maybe others, but I don't have a platform to check here), you can try deleting the toolbar&menus but they come right back next time you open Word/Excel/PPT.

  • by QuietLagoon (813062) on Monday November 29, 2010 @02:51PM (#34378224)
    The Mozilla exec is trying to turn a FireFox security hole (i.e., the ability to load plug-ins without the user's knowledge or consent) into something else (other companies are evil for exploiting the security hole).

    .
    The solution is simple, Mozilla needs to fix the security hole in FireFox, and while they are at it, provide a means to uninstall plug-ins that does not rquire me to go rummaging through the filesystem looking for oddly-named files and deleting them.

  • by harryjohnston (1118069) <harry.maurice.johnston@gmail.com> on Monday November 29, 2010 @09:07PM (#34383216) Homepage

    At least on Windows, the plugins in question aren't "additional pieces of software" that are being installed secretly. They're part of the software package you chose to install, both conceptually and technologically.

    This doesn't necessarily justify the fact that any particular software package doesn't make its browser add-on functionality optional and/or opt-in. It's just an observation.

    Incidentally, I could swear that Firefox has been prompting me lately whenever a new add-on is discovered, and giving me the chance to disable it. Problem solved, I'd think, although I suppose you could argue that it should be opt-in rather than opt-out.

  • Mozillas Fault (Score:3, Insightful)

    by Tom (822) on Tuesday November 30, 2010 @04:13AM (#34386194) Homepage Journal

    So, why does Firefox then enable and run those plugins, eh? If you really think they are evil, put your money where your mouth is, keep an internal list of enabled plugins, not editable from outside sources, and if a new plugin is detected, throw up a dialog asking the user if he wants it enabled or not.

    If you provide the functionality, don't whine if people use it. If your browser will happily activate and use any plugins I throw into its plugin directory, stop crying if I do.

"Don't worry about people stealing your ideas. If your ideas are any good, you'll have to ram them down people's throats." -- Howard Aiken

Working...