Linked by Kroc Camen on Sat 17th Oct 2009 05:27 UTC
Whilst it's not okay in Microsoft's eyes for Google to install a plugin into Internet Explorer, increasing the potential surface area of attack, when Microsoft do it to Firefox, it's a different matter. Now a security hole has been found in a plugin that Microsoft have been silently installing into Firefox.
Thread beginning with comment 389746
by Hiev on Sat 17th Oct 2009 06:03 UTC

So let me get this, Firefox can be exploited via plugins? There are hundreds of plugins for Firefox and every one of them is a potential hole, scary.

Score: 2

RE: ...
by umccullough on Sat 17th Oct 2009 06:06 in reply to "..."

Plugins are like Java, Flash, etc - they are not the same as Firefox extensions. Basically if you run into a website that demands you install some plugin, you should maybe think twice, since you're trusting a piece of software that is not sandboxed.

In any case, I notice Firefox now disables the WPF plugin "for my protection" ;)

Score: 3

RE[2]: ...
by Kroc on Sat 17th Oct 2009 06:37 in reply to "RE: ..."

Ah, I was hoping someone on Windows could confirm that. I read in a comment on another article that Mozilla had flipped the kill-switch and blacklisted the plugin until MS fix it.

Score: 2

RE: ...
by gustl on Sun 18th Oct 2009 12:44 in reply to "..."

That is not the problem, as usually nobody will have all of the plugins installed, and NONE of the plugins will be there without his knowledge.

What MS did here was BY FAR worse than what Google does.
If you come across a website which requires the Chrome plugin in IE, you get asked a nice question, if you want to install that plugin or not. You have to explicitly say "yes" to get the stuff installed.

Whereas in the current situation, you run an update on WINDOWS, and it installs a backdoor into software which should be out-of-bounds for its update scope.

Instead they should do the same as Google does with the Chrome plugin: put up a plugin for download that is installed (or not) by the browser once it comes across a website which says it needs it.

Microsoft seems to be at its old dirty tricks again: Make sure EVERYBODY who is on Windows can interpret THEIR closed, patented version of web protocols. Then luring web designers into designing EXCLUSIVELY for this warped web protocol, thereby creating a bad web experience for non-Windows users.

The Google Chrome plugin is doing the exact opposite: Enabling IE for standardized, international and platform agnostic web protocols, thereby enabling those standards to be used by EVERYBODY, including operating systems which have only one user on the whole planet.

Score: 5