Sneaky Microsoft plug-in puts Firefox users at risk

An add-on that Microsoft silently slipped into Mozilla's Firefox last February leaves that browser open to attack, Microsoft's security engineers acknowledged earlier this week. One of the 13 security bulletins Microsoft released Tuesday affects not only Internet Explorer (IE), but also Firefox, thanks to a Microsoft-made plug-in pushed to Firefox users eight months ago in an update delivered via Windows Update.

"While the vulnerability is in an IE component, there is an attack vector for Firefox users as well," admitted Microsoft engineers in a post to the company's Security Research & Defense blog on Tuesday. "The reason is that .NET Framework 3.5 SP1 installs a 'Windows Presentation Foundation' plug-in in Firefox." The Microsoft engineers described the possible threat as a "browse-and-get-owned" situation that only requires attackers to lure Firefox users to a rigged Web site. According to Microsoft, the vulnerability is "critical," and also can be exploited against users running any version of IE, including IE8.

Numerous users and experts complained when Microsoft pushed the .NET Framework 3.5 Service Pack 1 (SP1) update to users last February, including Susan Bradley, a contributor to the popular Windows Secrets newsletter. "The .NET Framework Assistant [the name of the add-on slipped into Firefox] that results can be installed inside Firefox without your approval," Bradley noted in a Feb. 12 story. "Although it was first installed with Microsoft's Visual Studio development program, I've seen this .NET component added to Firefox as part of the .NET Family patch." Specifically, the .NET plug-in switched on a Microsoft technology dubbed ClickOnce, which lets .NET apps automatically download and run inside other browsers.

What was particularly galling to users was that once installed, the .NET add-on was virtually impossible to remove from Firefox. The usual "Disable" and "Uninstall" buttons in Firefox's add-on list were grayed out on all versions of Windows except Windows 7, leaving most users no alternative other than to root through the Windows registry, a potentially dangerous chore, since a misstep could cripple the PC. Several sites posted complicated directions on how to scrub the .NET add-on from Firefox, including Annoyances.org.

Annoyances also said the threat to Firefox users is serious. "This update adds to Firefox one of the most dangerous vulnerabilities present in all versions of Internet Explorer: the ability for Web sites to easily and quietly install software on your PC," said the hints and tips site. "Since this design flaw is one of the reasons [why] you may have originally chosen to abandon IE in favor of a safer browser like Firefox, you may wish to remove this extension with all due haste."

Microsoft reacted to criticism about the method it used to install the Firefox add-on by issuing another update in early May that made it possible to uninstall or disable the .NET Framework Assistant. It did not, however, apologize to Firefox users for slipping the add-on into their browsers without their explicit permission - as is the case for other Firefox add-ons, or extensions. This week, Microsoft did not revisit the origin of the .NET add-on, but simply told Firefox users that they should uninstall the component if they weren't able to deploy the patches provided in the MS09-054 update.

Native iPhone support ready for Lotus Domino

IBM/Lotus said next week it will ship the long-anticipated real-time access support for the iPhone on its Domino messaging platform. It is the updated Traveler software in Domino 8.5.1, which was released Tuesday, that provides the iPhone support. In January, IBM announced that it would add support for ActiveSync to its Lotus Notes Traveler, a server add-on that provides real-time replication between mobile devices and Notes. Lotus Domino support for the iPhone uses the Apple device's mail, calendar and contact application and synchronizes data between the two platforms in real time using Microsoft's ActiveSync protocol.

Lotus Notes users have had to suffer with e-mail access via the iPhone's Safari browser and the Notes Web Access client. With that configuration, users have to manually connect to the Domino server and go through each individual e-mail via the browser. "It has rich email, attachment support and calendaring capability and is the same user experience a user would get using the iPhone against Exchange or Google," said Ed Brill, director of product management for Lotus Software. "Clearly the iPhone is increasingly a component of an enterprise strategy. We want to support all the devices out there and this is the next one we have added."

The only thing iPhone users have to add to their device is a configuration file that tells the iPhone how to find the user's mailbox on the Domino server. For initial set-up, the iPhone's Safari browser is used to access the Domino server and download the configuration file. When the user signs onto Domino to get the configuration file, the user's sign-on credentials are captured by the iPhone. Those credentials are stored on the device so the iPhone and Domino can trade data without further user intervention.

The Domino iPhone support also features limited management capabilities, including the ability to remotely wipe data if the device is lost or stolen. Updates to Traveler in Domino 8.1.5 add remote wipe, device lock, password management, and external calendar integration to the Symbian platform. Traveler already works with devices based on Windows Mobile and Symbian. Motorola, Nokia, Palm, Sony Ericsson and Symbian also support ActiveSync on their mobile devices. Lotus is playing a bit of catch-up with Microsoft and other vendors, such as Kerio, that offer push e-mail for the iPhone.

To boost security, Mozilla launches plugin checker

Mozilla developers have launched a new online tool that tells Firefox users whether popular add-on components such as Java or QuickTime are up to date. A test version of the site was introduced last week. The final page tests for plugins such as Silverlight, Picasa, iTunes and Acrobat. The new Plugin Check page tests for more than 15 popular plugins right now, and Mozilla plans to add more in the future. "Visitors to the page can see which plugins they have installed and, for any that are outdated, follow an easy link to the update site," wrote Mozilla's "human shield," Johnathan Nightingale, in a Tuesday blog posting.

Firefox can already check to make sure that add-ons, installed through the addons.mozilla.org Web site, are up to date. But this can't be done with the plugin software targeted by the new Web page, Nightingale said in an e-mail interview. "Plugins like RealPlayer, Flash or Silverlight are pieces of software installed on your machine outside of Firefox's control," he said. "They interact with Firefox, but they are independent software packages, and make their own choices about when and how to update." Keeping plugins up-to-date is becoming increasingly important. Mozilla says that about 30 percent of browser crashes are caused by obsolete plugins. Besides that annoyance, however, they also pose a security risk. That's because out-of-date plugins are increasingly exploited by hackers in Web-based attacks that place malicious software on the victim's computer. Flaws in Adobe's Flash and PDF formats, Apple's QuickTime, and RealPlayer have all been widely exploited in this way in the past few years.

After criminals launched widespread attacks based on a flaw in Adobe's Flash player earlier this year, Mozilla built an automatic Flash checker into its browser. Within days of its release last month, 10 million Firefox users had clicked through to Adobe's Web site after being alerted that their Flash player needed an upgrade. Security-conscious Firefox users can use the Plugin Check site for now, but the checks will be built into the upcoming Firefox 3.6 browser, expected by year's end, Nightingale said. That should help keep many more Firefox users up-to-date. "We can't control how plugins choose to update themselves," he said. "But we can help our users to know when an update is available."
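An added illustration of the kind of check the Plugin Check page performs, written for this article and not taken from Mozilla's code: it compares each installed plugin's version string against a latest-known table and reports a plugin as unknown, never as current, when its version cannot be read. The plugin list, the table, its versions and its update URLs are constructed placeholders, and the assumption that a browser of that era would supply the installed list through navigator.plugins is mine, not the article's.

```javascript
// Added example, not Mozilla's Plugin Check code: flag installed browser plugins
// whose version is older than a known-latest table. Assumption: in a 2009-era
// browser the installed list would come from navigator.plugins; here both the
// list and the table are constructed inline so the check runs offline.
const LATEST = {  // constructed; versions and update URLs are placeholders
  "Shockwave Flash":   { version: "10.0.32", url: "https://example.invalid/flash" },
  "QuickTime Plug-in": { version: "7.6.4", url: "https://example.invalid/quicktime" },
  "Java Platform":     { version: "1.6.0.16", url: "https://example.invalid/java" },
};
const SAMPLE_INSTALLED = [  // constructed stand-in for navigator.plugins
  { name: "Shockwave Flash", description: "Shockwave Flash 10.0 r22" },
  { name: "QuickTime Plug-in", description: "QuickTime Plug-in 7.6.4" },
  { name: "Java Platform", description: "Java(TM) Platform SE 6 U13" },
  { name: "Picasa", description: "Picasa plugin 3.0.1" },
];

// Extract a dotted version such as "10.0 r22" -> [10, 0, 22]; null if absent.
function parseVersion(text) {
  const m = /(\d+(?:[._]\d+)+)(?:\s*r(\d+))?/.exec(text);
  if (!m) return null;
  const parts = m[1].split(/[._]/).map(Number);
  if (m[2]) parts.push(Number(m[2])); // Flash-style "rNN" revision suffix
  return parts;
}

// Component-wise numeric comparison; missing trailing components count as 0.
function compareVersions(a, b) {
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// One record per plugin: "current", "outdated" (with update URL) or "unknown".
// A plugin not in the table, or whose version cannot be parsed, is reported as
// unknown rather than current, so a parse failure never looks safe.
function checkPlugins(installed, latest = LATEST) {
  return installed.map(({ name, description }) => {
    const known = latest[name];
    const have = parseVersion(description);
    if (!known || !have) return { name, status: "unknown" };
    if (compareVersions(have, parseVersion(known.version)) < 0) {
      return { name, status: "outdated", url: known.url };
    }
    return { name, status: "current" };
  });
}
```

Calling checkPlugins(SAMPLE_INSTALLED) flags the Flash entry as outdated, QuickTime as current, and both the Java entry (no dotted version in its description) and Picasa (not in the table) as unknown.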

World War III could be fought on Internet, says ITU head

Threats of cyberwar and a story of real violence rubbed shoulders at a news conference to mark the opening of the ITU Telecom World exhibition and forum in Geneva on Monday. U.N. Secretary General Ban Ki-moon began by expressing his sorrow at news of an all-too-real attack, the suicide bombing earlier in the day of the Islamabad, Afghanistan, office of the U.N. Food and Agriculture Organization, which left several people dead.

"The next world war could begin in cyberspace," warned Hamadoun Touré, secretary general of the International Telecommunication Union, the United Nations agency that organized the event. The beginnings of such an unconventional war could be out of the control of conventional diplomacy, he said, because in cyberspace "there is no such thing as a superpower: Every citizen is a superpower." With an army of "bots," or compromised computers, at their command, almost anyone could wield great power in a virtual battle, as a number of recent denial-of-service attacks against targets around the world have shown. "We know from conventional wars that the best way to win is not to start," Touré said. That's why the ITU is pushing an ambitious worldwide program for cybersecurity and peace. "By the end of next year, we will broker a global agreement with every country to protect its citizens online, not to harbor cyberterrorists, and not to start an online attack," he said.

Returning to the theme of the conference, he highlighted "a world divided," those with access to information on one side, and those without on the other. Encouraging the participation of "our youth, drivers of innovation and change," is vital if those divisions are to be eradicated, he said. Investment in infrastructure and services must be encouraged too in order to eliminate the technology divide - but the motive should be profit, not charity, Touré said. "In our strategy of connecting the world, we have no need for charity: It's pure business. If you have the right business plan, you will have investment," he said. The telecommunications industry will always have investment, because it's a profitable industry, he said. That's turning out to be the case in Rwanda, said President Paul Kagame, where state infrastructure projects have attracted investment from Chinese network equipment manufacturers. "The availability of capital for everything is getting more and more scarce, but in our country there is a strong partnership between public and private sectors," he said.

China continues to invest internationally, despite the impact of the global economic crisis and the attraction of the untapped potential of its home market, said Wang Jianzhou, chairman and chief executive officer of China Mobile, also present at the news conference. "We have still got challenges from the international financial crisis," he said. In the company's home market, revenue from international calls is down 20 percent because of a reduction in tourism and manufacturing exports, he said.

Piracy's global economic impact debated

There's no question that software piracy is a global problem with a heavy financial impact. But just how heavy it is is a matter of debate. A May 2009 report by the Business Software Alliance and IDC estimated that 20% of software programs installed in the U.S. last year were unauthorized copies. Worldwide, the figure is 41%, with an estimated financial impact of $53 billion - a figure based on the retail value of the pirated PC software.

But critics of the study say it fails to account for the possibility that pirated software could be replaced with Linux or other open-source options. If it were, the BSA's global loss figure of $53 billion would drop sharply, they maintain. "Obviously, not every piece of pirated software will be replaced immediately with legitimate software if underlicensing is addressed or sources of pirated stuff dry up," acknowledges Dale Curtis, the BSA's vice president of communications. But he says that over the years, IDC has found "a very strong correlation between piracy rates and software sales. In country after country, as the piracy rate falls, legitimate sales go up."

A second criticism of the report is that its country-by-country figures are partly based on the results of an annual survey that in 2009 covered 24 countries. One country that wasn't included is Canada - and that doesn't sit right with Michael Geist, a professor at the University of Ottawa. "What the BSA did not disclose is that the 2009 report on Canada (whose piracy rate declined from 33% to 32% in the study) were guesses since Canadian firms and users were not surveyed. While the study makes seemingly authoritative claims about the state of Canadian piracy, the reality is that IDC . . . did not bother to survey in Canada," Geist wrote in a May 27 blog post.

Further, he says Canadian users were surveyed the previous year, and "there is no reason to assume large changes in results from one year to the next." Ivan Png, a professor of information systems and economics at the University of Singapore, says the BSA and IDC should explain how they applied the results from the 24 countries surveyed to all of the other countries not surveyed. "IDC should make the methodology transparent," Png says. Curtis responds that the study "is not a guess, nor is it a scientific measurement, nor is it based primarily on a survey of software users, as Geist suggests." A survey of 6,200 users is only a piece of the model, Curtis says.