About | Buy | News | Products | Rants | Search | Security
Home » Rants

Re: 'How the %#@! did I miss this?'

How the %#@! did I miss this?
 - Brian Krebs

Get It

Try It

At last there's an explanation why so many people still run Windows: they're batshit insane.

In this day and age with 97% of all mail traffic being spam with a malware payload and generated exclusively by Windows computers, with an unprecedented level of computer compromise with millions upon millions of Windows PCs recruited into botnets - and lusers are just downloading crap without checking what happens to their hard drives in the process?

They're batshit insane. There's no other explanation.

A week ago Brian Krebs discovered a nasty thing had happened to his Windows boxen three months earlier when accepting a Microsoft update: he got a Firefox plugin for free. One he didn't want.

'A routine security update for a Microsoft Windows component installed on tens of millions of computers has quietly installed an extra add-on for an untold number of users surfing the Web with Mozilla's Firefox Web browser.'

The catch is Brian discovered this by accident - through the Annoyances website. That's a heck of a way to find out.


'The Microsoft .NET Framework 3.5 Service Pack 1 update, pushed through the Windows Update service to all recent editions of Windows in February 2009, installs the Microsoft .NET Framework Assistant firefox extension without asking your permission.'

Check the date on that puppy. 27 February 2009. That's over three months ago. Brian published his alert on 29 May. Goodness knows it was only luck the word got out beyond Annoyances and Slashdot.

The Annoyances people find the whole thing particularly annoying.

'This update adds to Firefox one of the most dangerous vulnerabilities present in all versions of Internet Explorer: the ability for websites to easily and quietly install software on your PC.'

That sounds really bad. Annoyances describe the rather complex and convoluted method to get rid of the beast - and that's bad too. But the question remains how anyone discovered what was going on. For no one seems particularly concerned about just downloading all kinds of shit from anywhere and everywhere. And onto Windows PCs no less - the only reliably vulnerable platform in use today. A platform a ten year old can hack!

Those Windows lusers install a bit of Anti-This and a bit of AntiThat (and in so doing bring their wobbly Wintel jalopies to a complete standstill). They think they're alright. They have absolutely no control over what goes on or what they do. The system will only alert them to compromises after the fact, demanding they reinstall their entire operating system. Right there you know anyone running such a system has to be batshit insane.

At best these latter day Windows lusers learn how to use their Start menu and somehow muster up the Rambo-like intestinal fortitude to click all the way through (phew) to Add/Remove programs. Most of them aren't even aware there's another 'explorer' on the system disk for file management - most of them don't even know what file management is.

Windows lusers can always back up their systems (and are often told they must do so as the system's been compromised yet again) but how good is that? How long has it been since Microsoft came out with that update? Three months?

How many millions of idiots downloaded the update in exuberant giddy glee and never noticed a thing? How many millions upon millions of Windows lusers do this every day with software they've never run before - that they were perhaps introduced to through a funky popup on the web? That's a lot of batshit insane people.

How many people installed the Sony DRM rootkit and gave the rogue software the red carpet treatment? And never once checked what was going on? Former independent researcher M Russinovich (now in Bill's pocket) became suspicious - he didn't see anything straight off. How batshit insane is that?

The Joe Lusers don't notice a thing and don't seem to give a shit either. They're just too stupid. So what control do these people have? It would be one thing if they were all operating from within an impregnable fortress. Like a mainframe. But even there you're bound to run into system logs that tell you exactly what's happened to the available resources. And who's tried to compromise them. Even there the system's security isn't left in the hands of congenital dimwits.

Here we have people who willingly get themselves compromised by exploits from all corners of the world, an estimated 200,000 (two hundred thousand) in the wild, for Windows and Windows alone - and these people don't even check?

Are these the same people you see all the time in all the forums who can't lern 2 spel? They must be. You gotta be really stupid to be that stupid. That's them alright!

They're batshit insane: and this is why so many people are still running Windows. They're stupid!

Neil Rubenking's had a Windows utility called InCtrl out for years. Google for it. You might have to pay a registration fee at a site to get a download URL but the software is otherwise free. InCtrl does 'befores and afters' for you: it scans your hard drives and your Registry before you install something (or do anything) and scans again when your install (or whatever) is finished and then rather cleverly compares its scans and shows you what's happened. And does it really fast. Especially for Delphi.

InCtrl is the basis of Radsoft's E3 Importer. InCtrl reports are imported into the E3 system so you can get a quick overview of the changes in the form of E3 recipes you can use to subsequently 'cure' your system. It's presented in E3's Rx Recipe Viewer. You can modify or remove the recipes as you like and then have the main E3 engine run what you save. Takes seconds and it's thorough.

On the Mac side Rixstep have Tracker which is like InCtrl and E3 all rolled into one.

Even from the command line there are possibilities. There are so many variations on the Unix command find it's not funny. It's really easy to determine at any given point in time exactly what's happened to your hard drive.

FIND(1)                   BSD General Commands Manual                  FIND(1)

     find -- walk a file hierarchy

     find [-H | -L | -P] [-EXdsx] [-f pathname] [pathname ...] expression

     Find recursively descends the directory tree for each pathname listed,
     evaluating an expression (composed of the ``primaries'' and ``operands''
     listed below) in terms of each file in the tree.

Mac and other Unix users are somewhat protected by the fact that the sensitive system areas are not accessible for writing by programs run on ordinary accounts. On Windows of course all bets are off. But as long as the Unix user doesn't authenticate a program for privilege escalation nothing should be jeopardised.

And yet how many people worry about their hard drives when running Unix? Not many. Linux users have their automatic updates; Mac users have their automatic Version Tracker updates; who checks to see what's happening with these updates?

Mac users recently got hit by the simplest (the dumbest) of trojans: someone took an Apple installer with its plain text configuration files and moved things around a bit. So users would be forced to authenticate. The corrupt package had a bit of nasty software attached to it. Almost no one bothered looking inside.

To make matters worse: they found this piece of trash on BitTorrent/Warez sites and in their greed to get something for free took the download and ran the malicious installer without question.

They were batshit insane too.

Microsoft and other companies won't let you interfere with their update procedures. They regard their users as too stupid. Guess what? They're right. They shouldn't be right but they are.

'How the %#@! did I miss this?' asks Brian Krebs. The more important question should be 'how the %#@! did you think you'd detect it'?

'This kind of makes you wonder what else MS is installing without your knowledge', adds Brian. Why wonder? Why not have a routine in place so you already know? What else has everyone been missing for months - for years?

Neil named his program 'InCtrl' for a reason.

Unless you have a routine for always checking what's happening on your hard drives you're going to be toast sooner or later. And if your hard drives run a version of Windows then you're batshit insane and burnt to a crisp.

Here are some comments from Brian's blog posts on the issue. Judge for yourself how utterly batshit insane these people are.

'I've also noticed Google Gears and Java Quick Starter on my list of Firefox Add-ons, on top of the .NET one'

Noticed? How long since they arrived did you notice?

'This is a very good reason as to why I have automatic updates dis-abled [sic] here.'

Pitifully heuristic at best.

'I update every month just on MY terms.'

What terms are those? LOL. WTF.

'This should be the reason everyone should switch to Linux, BSD, or Mac.'

But it won't be. You can't cure stupid.

'linux is wondeful [sic] for the nerds, i just want my plug and play....'

Translation: thinking is too difficult. Wipe my dummy clean so I can have it back to suck on again.

'You suck for promoting a myth that the registry is too hot to touch.'

Oh whoa. A maggot with a two-bit sopho-moron brain attacks Brian.

'Umm, re-read the end user license agreement you signed when you licensed your copy of Windows. Microsoft has the absolute right to do whatever they deem necessary to THEIR operating system.'

Umm, that person's ancestors were in Germany in the 1930s and they voted for the NSDAP.

'It's doing it WITHOUT user knowledge and WITHOUT an ability to remove it.'

Everything's being done WITHOUT your knowledge because you're too STUPID to care.

'I strongly object to any company making changes to my computer and its software without my permission.'

That did it! That scared 'em off! That 'strongly' bit gets 'em every time! They're shakin' now!

'When will people get smart and STOP supporting Microsoft? It is like paying someone to beat you up...'

How the %#@! did that get in there?

Yo! Here's the Cure!

The most emotionally satisfying part of this new Windows tragedy is knowing that any number of these morons are going to grapple with the Registry to uninstall this monster plugin by hand. The instructions provided by Microsoft are so ridiculous only a ridiculous company like Microsoft could ever conceive of something so ridiculous, so batshit insane.

Right from the horse's mouth where 'horse' equates to 'Brad Adams' who has this to say first in the corporation's defence.

'A couple of years ago we heard clear feedback from folks that they wanted to enable a very clean experience with launching a ClickOnce app from FireFox. James Dobson published FFClickOnce and got very good reviews, but we had many customers that wanted ClickOnce support for Firefox built into the framework... so in .NET Framework 3.5 SP1 we added ClickOnce support for Firefox! This made ClickOnce apps much more accessible to a wide range of customers.'

'We added this support at the machine level in order to enable the feature for all users on the machine. Seems reasonable right? Well, turns out that enabling this functionality at the machine level, rather than at the user level means that the 'Uninstall' button is grayed out in the Firefox Add-ons menu because standard users are not permitted to uninstall machine-level components.'

'Clearly this is a bit frustrating for some users that wanted an easy way to uninstall the Clickonce Support for Firefox. But good news! We have a fix in place (enabling each user to uninstall the feature for themselves) and our testing team is making sure that is rock-solid now.. I expect that to be out in the next few weeks. I'll be sure to post more information on that when I have it.'

In the meantime, if you want to disable the Clickonce Support for Firefox here are the steps directly from the dev in charge..

Yeah, shit happens, Brad boy. [This puppy can't even type - how's he going to design software?]

Stop-gap Solution To uninstall the ClickOnce support for Firefox from your machine™

  1. Delete the registry key for the extension

    1. From an account with Administrator permissions, go to the Start Menu, and choose 'Run...' or go to the Start Search box on Windows Vista

    2. Type in 'regedit' and hit Enter or click 'OK' to open Registry Editor

    3. For x86 machines, Go to the folder HKEY_LOCAL_MACHINE > SOFTWARE > Mozilla > Firefox > Extensions

      For x64 machines, Go to the folder HKEY_LOCAL_MACHINE > SOFTWARE > Wow6432Node > Mozilla > Firefox > Extensions

    4. Delete key name '{20a82645-c095-46ed-80e3-08825760534b}'

    OR alternatively

    1. Open a command prompt window (must be 'run as Administrator' on Vista and later)

    2. Copy and paste the appropriate command below and hit 'Enter'

      For x86 machines:

      reg DELETE "HKLM\SOFTWARE\Mozilla\Firefox\Extensions" /v "{20a82645-c095-46ed-80e3-08825760534b}" /f

      For x64 machines:

      reg DELETE "HKLM\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions" /v "{20a82645-c095-46ed-80e3-08825760534b}" /f

  2. Reset the changes made to the Firefox user agent

    1. Launch Firefox, go to the Firefox address bar and type in 'about:config'

    2. Scroll down or use 'Filter' to find Preference name 'general.useragent.extra.microsoftdotnet'

    3. Right-click on the item and select 'reset'

    4. Restart Firefox

  3. Remove the .NET Framework extension files

    1. Go to the Start Menu, and choose 'Run...' or go to the Start Search box on Windows Vista

    2. Type in 'explorer' and hit Enter or click 'OK'

    3. Go to '%SYSTEMDRIVE%\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\'

    4. Delete the 'DotNetAssistantExtension' folder and all its contents

Piece of cake. User-friendly too. You can tell those dudes at Microsoft have a handle on things because their solutions are always so straightforward. (Morons.)

Note Brad's numbering is a bit different from everybody else's: he doesn't know how to do ordered lists in HTML yet so he's got the number 'ii' twice in a row. But cut him some slack - he's from Microsoft.

Conversation Overheard at /.

From 1 February 2009.

'Remember Sony?'

'Yes. Trying not to.'

'Never forget. Forgetting is key to getting caught again. You can only catch a cat in the same trap once.'

'Unless that cat is the American public and the time since the last time you caught them is greater than the time since the last episode of American Idol.'

'Adds ClickOnce support and the ability to report installed .NET Framework versions to the web server.'
 - .NET Framework Assistant 1.1 plugin product description

About | Buy | News | Products | Rants | Search | Security
Copyright © Radsoft. All rights reserved.