Saturday, June 27, 2009
Trojan.WSUS Part 3
Well, it seems Microsoft has used its trojan, WSUS or Windows Update, to take control of our PCs again. This time, they used it to hide an unneeded, unrequested, and potentially dangerous add-in to Firefox in what was billed as a required security patch for the .NET Framework.
The security patch, .NET Framework 3.5 SP1, which came out in February, had a hidden payload in it. In the security patch was an add-in to Firefox designed to give Firefox users the ability to use Microsoft's One-Click over-the-web software installation. Of course this isn't something users have been clamoring for. It's not something that 95% of Windows users would ever use. When we surf the Internet we're not expecting sites to install software. One-click would allow a site with bad intentions or a site controlled by hackers with bad intentions to install and run software on your PC by simply enticing you to click a malformed or disguised link on their site. Or, if you're gullible enough, they could blatantly display the link as an executable file but that's not necessary at all.
One-click is not something that IE users use. Firefox users, on the other hand, not only don't use it but have generally switched to Firefox to get away from these security risks in IE. Now Microsoft is trying to get Firefox users into the fold. Remember that IE has always been a free product from Microsoft. The value of IE is not in what it does for you but in what it does for Microsoft. How does free software benefit Microsoft? By allowing them to data mine your Internet use or to offer advertisements based upon that data mining. As Firefox penetrates the near monopoly that IE has on the browser market, I expect to see Microsoft take more steps to extend their hooks into Firefox.
What I've told you up to now is not even the worst of it. Not only did Microsoft sneak this add-on into your PC unannounced, but they also disabled the ability to uninstall it. In the Firefox add-ons manager, other extensions have the ability to be uninstalled. This add-on has the uninstall button disabled. Microsoft has said that this is because the .NET add-on is a machine-level add-on because it is available to all users and therefore uninstall by a user is inappropriate. But Word is available to all users and it has an uninstall. And the browser is not a machine-level application at all; the browser is a per-user application.
Well, finally the uproar has been broad and loud enough that Microsoft has issued a patch - sort of. Now Microsoft has issued a patch to change the add-on to be per-user. That lets users uninstall the patch - for themselves but not for other users. If you have multiple users on your PC, you'll have to uninstall the patch for all users individually. Even worse, if you create a new user account on your PC, the add-on will be automatically added and you'll have to uninstall it again. In other words, this add-on can NOT be uninstalled. It would have been better if Microsoft had left it as a "machine" add-on so when you uninstall it, it is removed completely. I knew right off when I saw that they changed it to per-user that they were, in my opinion, making it even worse by giving you a false sense of security, thinking they had enabled the uninstall when, in fact, you still cannot uninstall the add-on completely.
It seems to me that if the .NET Click-Once add-on had been intended for anything except Microsoft's own good, for example, if it had been done for your benefit, Microsoft would have very proudly announced the add-on rather than sneaking it in at 3:00 AM the way that they did.
Firefox has a web site with listings of available extensions for Firefox. Microsoft has bypassed this standard extension behavior to sneak this in. Firefox has, it seems to me, agreed to support Microsoft in this because there has been no outcry that I have seen from Mozilla (the makers of Firefox) about Microsoft hijacking their browser. It seems to me that this should have been the makings of a giant lawsuit but, instead, I've heard nothing at all from Mozilla.
There was an interesting posting about this on Steve Gibson's site at GRC.com. This is a transcript of a security show with Steve Gibson and Leo Laporte. I have been a fan of Steve's for a dozen years and was a fan of Leo's when he was on Tech-TV before it became the useless-in-my-opinion G4-gamers-tv-with-cop-shows channel.



