Slashdot Mirror
Microsoft Update Slips In a Firefox Extension
An anonymous reader writes "While doing a weekly scrub of my Windows systems, which includes checking for driver updates and running virus scans, I found Firefox notifying me of a new add-on. It's labelled 'Microsoft .NET Framework Assistant,' and it 'Adds ClickOnce support and the ability to report installed .NET versions to the web server.' The add-on could not be uninstalled in the usual way. A little Net searching turned up a number of sites offering advice on getting rid of the unrequested add-on." The unasked-for extension has been hitchhiking along with updates to Visual Studio, and perhaps other products that depend on .NET, since August. It appears to have gone wider recently, coming in with updates to XP SP3.
Remember Sony?
Bite me
!First. Fail!
This definitely goes into the "WTF?" category.
The higher the technology, the sharper that two-edged sword.
Microsoft gives us updates all the time and we trust them to fix bugs and security holes. Firefox not coming with their extension is not in the scope of bugs and security holes they should fix. When they overstep their bounds like this ON TOP of an application(esp. a free software application) what might they be doing in their proprietary code under the application? Whatâ(TM)s next, an OpenOffice extension to make sure Microsoft never has an $ where their s is?
Classic move. People noticed. Two steps forward 10 steps back, eh?
Obligatory blog plug: http://www.caseybanner.ca/
The add-on is automatically installed when you install the latest version of the .net framework. Microsoft Update does NOT automatically install this add-on. In order for it to be installed you had to explicitly choose to install the .net framework.
Honestly, had they mandated silverlight, and included this in the silverlight install, I think they may have gotten it to most of the users that they would need to have it anyway, and pissed less people off in the process. Welcome to the new (steve) microsoft, same as the old (bill) microsoft.
Ya know, since Bill is long gone, I think the Microsoft icon could use an upgrade. I have an idea. It has to do with a chair, Steve Ballmer, and his ass.
This is unequivocal proof of a conspiracy to deliberately install unrequested code on computers. Note that there is no intent beyond this. In other words, the unrequested add-ons are not being installed as an means to reach some other end, and they do not do anything questionable with respect to privacy, security, or any other issue. Rather the end is simply to put unrequested code on computers, just so that the conspirators can laugh behind everyone's backs knowing that they have put unrequested code.
They are gathering intelligence on how to build on of these "web browsers".
Yea, more spyware. Now on FireFox instead of Internet Explorer. :P
The .NET framework is not required for Firefox to run. Why would any sane person assume installing a totally unrelated framework would scribble all over Firefox?
Are you sure? Did you actually mean .Net 3.5 SP1? That's what just installed it on my machine. I've never seen XP SP3 install it.
Although it's not the best approach that could have been taken it is a good sign. If Microsoft can no longer ignore Firefox then all those sites that still require IE to function will begin to follow.
Never forget.
Forgetting is key to getting caught again. You can only catch a cat in the same trap once.
Help stamp out iliturcy.
One hint that this "extension" is unwanted garbage is that when you Google (google: Microsoft Framework Assistant) for it and the top links are pages about how to remove it. Then the first link from your site (microsoft.com) is also a forum that mentions getting rid of it...
Anyway, here's how to remove it.
http://www.robertnyman.com/2009/01/26/microsoft-force-installs-firefox-extension/
Microsoft just can't resist the urge to use it's position as the marketplace leader for desktop OSes to be a dick.
This showed up on my Server 2003 machine too.
It's Funny, i have had the same issue with apple update, i find it requesting to install updates for programs that weren't installed in the first place, seems like the same thing but different company...
Some of the recent updates for Java SE have included "Java Quick Starter". And for those with Ubuntu, there are a number of things that show up in the Add-ons list that are not explained well.
Since this is a rather nasty "Payload" for firefox, what is its performance vs ACID and other rendering tests before and after the plugin?
I mean, hasnt anybody profiled it to see its raison d'etre?
Has anyone noticed a performance hit to Firefox or anything? Any critical need to remove it?
Not that I'm happy that it was put on my system and that it can't be removed through the accepted addon system with Firefox, but I'm wondering if its really worth the trouble and for what reasons other than the standard "MS is evilllll", "They're spying on us", or what is sure to become a new spin on a popular internet meme "Microsoft raped my web browser".
I saw this thing today while trying to fix an ailing Vista laptop. WTF!? And I couldn't get rid of it. I was thinking that my GF's son somehow got this thing installed but maybe it wasn't his fault afterall. God, I hate Microsoft.
!First. Fail!
...not first, fail not? ugh, this is why I prefer using the bitwise oprtator (~) instead, although in /. lore this is instead in jokes used to mean "home", per the bash usage instead of the one's complement.
Or, I just need to get out more. After asking why all the guys were buying wings and beer on the same day in throngs at the grocery store, I found out the last super bowl was indeed not 32.
it's slipping spyware/crapware into a competitor's product? That's even worse than Sony and many others (where you can usually opt out or at least you know where it's coming from). Microsoft is stooping very, very low these days. They deserve another conviction... soon.
Custom electronics and digital signage for your business: www.evcircuits.com
You mean call it out specifically in the install of .NET, I think you may have a point there.
However, it is sad that it is needed at all, even if for acceleration purposes. It means that .NET relies on something only specifically available before in IE. Uncool. No uninstall- unforgivable. My guess is that they will fix it.
And rootkit comparisons? Jesus. Nothing close.
quis custodiet ipsos custodes
I'm seriously confused as to why this is upsetting considering that the average Firefox user installs plugins to assist in rendering media types (I'm picking on Flash) that could potentially be exploited far more than an extension that Microsoft produced because they realize that there is a huge established base of Firefox users on their Windows operating system.
I think this one is a win for the Firefox community in the sense that instead of being greeted with "your browser ain't IE, yo" that they are using the fundamental openness of Firefox to be able to reach users who, like me, think IE is the best waste of disk space on my Windows machines. Let Microsoft continue to develop for Firefox and realize how much of a pair of pants it can hand over to its beloved IE.
Or, continue to bitch and moan over its attempt to reach the Firefox customers to the point where they say, "Screw it - give them the ol' your browser is not supported" line.
Ayup
it seems very for malware to be installed like this
Maybe I'm looking at this the wrong way, but shouldn't Firefox stop extensions being installed this way?
a) Why is it possible? I think there should be at least a warning from FF if an add-on is installed w/o user interaction. b) What's next? will MS include FF in the "Mailicious software removal tool" if it detects that your FF is running without the MS-Alien in its belly...
no sig
Wtf is this under my Firerfox 3 Add-ons under plug-ins.....2 of them are listed.
Microsoft DRM
DRM Netscape Network Object
Microsoft DRM
DRM Store Netscape Plugin
You are (purposely?) missing the entire point. The average Firefox may CHOOSE to install flash, but that is their choice. If Microsoft wants to make a Firefox extension, then they need to put it in the directory just like everyone else.
Spooooon!!!!!
People think that Microsoft is a software company that is sometimes abusive. But it isn't, in my opinion. Microsoft is an abuse company that delivers abuse using software.
Maybe because...
Just one of those is enough to make something bad.
Game! - Where the stick is mightier than the sword!
What part of "can't uninstall" confuses you?
3 things about computers: they're alive, they're self-aware, and they hate your guts.
I'm seriously confused as to why this is upsetting considering that the average Firefox user installs plugins ...
The point isn't that MSFT is creating FF plugins.
The point is that MSFT is silently forcing plugins without telling us what they do.
This whole thing would have been a non-issue if they had
But MSFT is too arrogantly stupid to do that.
"I don't know, therefore Aliens" Wafflebox1
Winsows 7, its amazing...
http://www.conceitodigital.com
I find it interesting that people here are so outraged at MS installing an extension for third party software, particularly a web browser. Think about how many completely non-Mozilla related products install a Firefox extension - PDF readers, media players, etc. I'll take as an example Adobe Reader, which installs a plugin for in-browser viewing when you install the desktop app (I hate Adobe Reader too, but it's a high-profile example). Firefox is not an Adobe product at all! yet we aren't yelling at that. Additionally, MS already has components installed in FF. Silverlight and the Windows Presentation Foundation are both MS products that are commonly installed in Firefox as plugins, to enable apps that take advantage of Silverlight and .NET browser features to operate in Firefox and friends as well as Internet Explorer. This plugin seems to serve a similar purpose of allowing .NET-powered web apps (which MS wants to be common in the future) to operate in Firefox as well as Internet Explorer. It seems like we should appreciate this move towards interoperability on MS's part - the alternative is only supporting Internet Explorer for web apps.
So it's really nothing abnormal to install an extension in a third party browser. This leaves us with only one issue, the fact that it was distributed via updates to other applications. I refute this as being a major issue for the exact same reason - quite a few programs update/install Firefox extensions as part of their normal update procedure - I raise Foxit Reader as an example, which as of v3.0 automatically installs a Firefox plugin. No one's yelling about that.
A significant question here: If it wasn't Microsoft, would anyone be nearly as angry?
I might be stupid, but that's a risk we're going to have to take.
I've noticed several of these uninstall-proof extensions lately. How about the Mozilla folks tweaking the extension model to allow an uninstall option?
The government can't save you.
A lot of you will hate me for this...
MS doing this is them trying to ensure that Firefox will work with their web apps (or, web apps built with their technology). Now, granted that they are taking liberties they should not. It would be better to just make the plugin easy to get and install. Consider however that they are doing this so their technology will work on a standards-compliant browser. That's not nothing. It IS dysfunctional in a passive-aggressive way (aggressive-passive?). On the other hand MS is trying to make the browsing experience BETTER for people who use .Net with Firefox. I'm not so sure this is a bad thing. maybe poorly executed...but...there's an argument for saying it's not.
Look, if you were running Ubuntu, installed Opera, and automatically got plugins from Synaptic for Opera that added new functionality would you complain?
Then again, the convoluted removal process should be reconsidered.
Everybody and their mother does that:
1) Quicktime/iTunes ...
2) Acrobat/Flash/etc
3) RealPlayer
4) Skype
5)
In fact that's what the whole system of extensions and plugins was *designed* to do. Accommodate 3rd party functionality that wasn't built-in to the browser itself.
And that's a GoodThing (TM).
The bad is that you can't uninstall it (easily). But you can always disable it...
There is no reason why firefox shouldnt be able to download their windows updates in firefox!
That explains why .NET 3.5 SP1 was tagged as a 'high-priority,' and thus completely automatic and unnotified, install for anyone who allows Automatic Updates self-governance.
It clearly wasn't a security update: I only have .NETs v1 and v2 installed, and yet I still got a notification to install the SP1 update for .NET v3.5! Luckily, I don't automatically trust Microsoft with anything. I told it to ignore the update and never show it to me again.
Basically, MS is once again abusing the high-priority update channel, just like they did with the Genuine Advantage Notification tool. Don't let anyone tell you differently. They are treating machines set to update automatically like a spammer treats his botnet.
--
Toro
It seems Microsoft has finally gotten around to doing the second E in "Embrace, Extend and Extinguish" (literally).
All they have to do now is to make the FF addon force all links to iexplore.exe, and there's your extinguish.
Homonyms are fun!
You're driving your car, but they're riding their bikes there.
it's not ms developing add-ons for ff as much as even knowledgeable users (like avg /.ers) not knowing, much less consenting, that this MS product is being installed on their PCs.
They have silverlight plugin which nags me all the time but at least it does not install itself without my knowledge. If I need or want it I will get it. there is no reason for ms to do it for me.
Given Microsoft's track record with security, I worry:
- Windows user installs Firefox to avoid IE's security flaws. .NET functionality allows websites to host .NET executables.
- Microsoft silently installs a plugin onto Firefox that reports the browser includes
- Hackers discover a way to exploit this.
- Thus, Firefox is now less secure thanks to Microsoft.
"In prison you just have to shut your eyes and take it. Here you have to shut your eyes and give it."
The amount of venom/vitriol/nerdrage comments in this story is fucking astounding.
Install .NET 3.5 SP1 (the latest version of .NET) you get this firefox extension. It enables the use of ClickOnce within firefox. You guys know what clickonce is right?
http://en.wikipedia.org/wiki/ClickOnce#Firefox_extensions
One can only assume if you install .NET, you might actually want to run .NET apps, and some of them are deployed using ClickOnce. The FF extension is a convenience.
The only valid critique I see here is necessity for more people to prune back the Opt-In settings for Windows Update. The rest of you though..
Installing software on my computer -- especially software that is designed to make YOUR software work better, at the possible expense of others -- without my knowledge or consent is UNETHICAL . Period. And deliberately making uninstall difficult? INEXCUSABLE!!!
Shame on MS. They have been through this before and should know better. Bad. Bad. Negative points. Sad, sad negative Karma.
Actually, you can. Install the extension "IE Tab." It makes websites you choose (by default, the windows update site is chosen) think that you're using IE. And guess what? Windows update runs just fine through that.
mumble... bitwise oprtator (~) mumble...
Lovely spelling as well, after all its not like every app using GNOME has spell-check now. And on such a detailed subject with no right being brought up in the same post as football, too! Why don't I either start writing my posts in binary or just tap some snipped ethernet wires together to make the binary datagrams/packets myself? Man I really need to get out more...
I, too, am a fan of British Columbia.
I thought this had been around since the last .NET Framework service pack; it certainly didn't just show up today. I'm not defending the extension itself, it's basically useless and might present security risks, but it's been around for a while and apparently no one took any great notice of it before, so maybe, just maybe, it isn't all that big of a deal.
This is where Microsoft shows its true colors. They believe that as long as you are running Windows, they actually have RIGHTS regarding your desktop and the software you run.
They think they have a right to re-configure the software you use, for their own convenience and profit. That they can install things and you should have no say in the matter.
I am serious. On the corporate level (not most individual employees, I am sure), they really think that way. The evidence is incontrovertible.
Which used to serve them well. But which, in today's environment, is suffering a greater and greater disconnect with reality. I am sure you have noticed this yourself... the most obvious explanation for Microsoft's accelerating loss of market share is simply that they have lost touch with the realities of the market: their users' wants and needs, and, not to make too small a point of it, their business ethics.
I am not surprised at all.
The addon was installed when you first installed .net framework 3.5... at that time, it installed the firefox extension.
.net framework 3.5.
.net framework 2, and another for those who got 3.5.
I've seen that being done with other applications (e.g., Veoh installing various plugins and addons to firefox, as with Microsoft Office)... why haven't people complained about those?
I think that the problem here is that the update shouldn't have been treated as a "high priority" update, since there are those who did not want the
Whatever security fix was required, MSFT should have had one update for those who installed <=
Winxp SP3 here, I don't have it...not 100% sure what the requirements are for it, though :?
"...Sleep comes like a drug in God's country Sad eyes, crooked crosses in God's country..."
Hell one of the plugins listed in my copy of firefox is Windows Genuine Advantage. I see no reason for that to exist in firefox. Also there are two Microsoft DRM things. However, all can be disabled. Running SP3 here as well as .NET 3.5, and i do not have the plugin/addon mentioned.
You are actually running IE.
I suffer from attention surplus disorder.
Anybody remember when Windows "Genuine Advantage" validation software was getting slipped in as part of "critical updates" for things like the Microsoft Flash Player patch? It wasn't really that long ago.
You don't seriously expect Microsoft to *not* do these sorts of things on what they consider to be *their* systems, do you?
Here's a look at all the plugins I didn't want and had to disable:
Extensions: .NET Framework Assistant 1.0
- Java Quick Starter 1.0
- Microsoft
Plugins: - Adobe Acrobat
- Java(TM) Platform SE 6 U10
- Java(TM) Platform SE 6 U11
- Java(TM) Platform SE 6 U11 (Yes, again)
- Microsoft(R) DRM
- Microsoft(R) DRM (Yes, again)
- QuickTime Plug-in 7.4.5 (I'll send it to the external player, please)
- RealPlayer Version Plugin (RealAlternative, please)
- RealPlayer(tm) G2 LiveConnet-Enabled Plug-IN (32-bit)
- Windows Media Player Plug-in Dynamic Link Library
So far, that's Sun, Apple, Real, Adobe, and Microsoft messing with my browser without telling me... and only because I'm quite strict with what I install on my system. This isn't Microsoft up to their old tricks, it's just them keeping up with the Joneses, and forcing me to keep up with everyone with an agenda. What else is new?
I do have Silverlight installed, too, but at least the installer for that told me it would work with multiple browsers. Thank goodness the Mozilla people had the fine sense to let people see plugins and extensions, unlike IE6 and friends. Quite a few time I've had to fix someone's compter by hacking out IE extensions from the system registry, and that's not pleasant at all.
I see your point, but there's a big difference between me choosing to install the flash plug-in in my firefox installation vs having Microsoft choose to install their own plug-in in my installation of firefox.
If the benefits afforded to me by this plug-in were clear and made sense, I would have installed it myself with out much hesitation. My understanding is though that this plug-in is of no direct benefit to the owner of the firefox installation, only to those who want to know what versions of .NET I have installed on the underlying OS.
I see it kind of like a local council sending someone to sit in my driveway, and report what kind of car I drive, and when I drive it, without asking me before hand... it's of no direct inconvenience to me, but I certainly feel as if I'm being put under needless scrutiny. On the other hand, if the local council informed me of their wish to send someone to sit in my drive way and record these details, and gave me the reasons why they were doing it, I'd probably have much less issue with it.
This is a violation of trust more than anything else, and Microsoft thinking that because they technically (as per EULA) own the software on your computer, that by extension, they own everything on it. /car analogy
5468652047616D65
there is a doc about that extension, written by M$:
http://msdn.microsoft.com/en-us/library/cc716877.aspx
according to that site, its present sice *July* 2008
As a computer, I find your faith in technology amusing.
(1) Firefox is not a Microsoft application. It is installed at the will and whim of the end-user. And the end-user should have control over what is installed into their Firefox.
(2) Microsoft has every opportunity to give that end user A CHOICE. Yet, typically of Microsoft, they chose not to do so. That was the WRONG decision. And that is how most people view their work machines today: it belongs to me, by damn, and you had better ask me before installing something. As a computer professional, who depends on controlling software versions and so on to guarantee compatibility, this is not an option for me. I insist upon it. Companies that violate that policy are not my friends. They do NOT make my life easier, they make it much more difficult.
(3)They have no right to assume that I want their goddamned "Clickonce" thing to work. Maybe I don't. And in fact, the OP was not about installing it via the web at all, it was about it being installed automatically in the background via SPs and SP updates. This isn't about clicking on a link at all. Please read first before you offer an opinion.
(4) This is NOT about adding a mime-type handler. It is about installing a mime-type handler that some users may not want, secretly, in the background, without asking for permission. And for a BROWSER that isn't even their own product. Not only is this unacceptable to me (because I must always be in control of what is installed on my work machines), it is also typical of Microsoft's arrogant attitude toward their users.
My high-horse is not strictly MS-specific, as you would know if you actually read what I wrote! If any other company did this, I would oppose it just as vehemently. It is just that Microsoft is famous for doing this kind of thing, and here is yet one more example.
Odds are, "ozphx", that I was using Microsoft products professionally before you were out of elementary school. If you don't have a direct counterargument to mine, then please go elsewhere.
Oh... by the way. I agree that including the Google toolbar in Java updates is unethical, too. But at least a choice *IS* offered, and that during a voluntary install. In the case under discussion, it was stated that this software is being added unannounced, as part of an update, without any such option being provided. So there is a bit of a difference.
The issue is that they're modifying non-Microsoft software I've installed without asking for my permission.
I use Firefox because it's more secure than Internet Explorer, for example an application can't install itself with minimal interaction, just because it's an ActiveX control signed by someone.
The "extension" Microsoft sneaks into third-party software enables ClickOnce, which essentially introducing almost the exact same security vulnerability ActiveX introduces to IE.
It's slightly better in that these are standalone apps per se, not necessarily controls any web page can call.
Echo'ed.
If someone in a suit on the street forced you to wear a band-aid on your shoulder, you'd ask them what was up with them. If someone wanted on the street was "vaccinating" everyone walking by, you'd turn and run the other way.
Firefox is a standards-compliant program that does things via standard API's. MS is going behind Firefox's back and putting stuff in places where Firefox can't write/delete files. You do *NOT* want FF to be able to write/delete all over your system. That is one reason it's safer than IE.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
To be fair, we'd only be criticizing them slightly less had they done both of those points. They just made our rationalization a heck of a lot easier by discarding any sense of caution or respect.
Evidently, the key to understanding recursion is to begin by understanding recursion. The rest is easy.
Just nitpicking, but it doesn't just "make it think" you're using - you actually are using IE with IE Tab - that tab contains an instance of IE itself (which gets annoying when your proxy settings are different between the two)
My book about LSD and Self-Discovery
Also on facebook as: DroppingAcidDaleBewan
couldn't the microsoft clickonce website detect that the user is running firefox and recommend the extensions to them at that point, rather than just failing until the user gets around to installing an update which they wouldn't expect to contain this helper extension?! wouldn't that be verging on sane?
AFAIK the add-ons (incl. updates) hosted at addons.mozilla.org must go through a review procedure before being pushed to update channel. If so, why doesn't Mozilla sign the reviewed packages (while not signing the pending ones) and only allow the user installing the signed ones? This is similar to what all Linux distros are doing.
This doesn't rule out 3rd party add-ons that don't go through the Mozilla review procedure. Firefox should include only the official Mozilla public key by default, but a user can import 3rd-party developers' keys by themselves. If you don't trust a particular developer (for example, Microsoft) or can't verify its identity, just don't import the key and there will be no way for the add-on to install. Importing/deleting public keys should be done with root- or admin-privilege just like updating Firefox itself.
Colorless green Cthulhu waits dreaming furiously.
Guess nobody here runs Java or Flash.
They don't even show up in the add-ons list.
paintball
Agreed :)
1 Question: Why not pushing this as a separate update?
"You look like you need a car analogy"
This is like sending in your Microsoft car for servicing at Microsoft and having the Microsoft mechanic install an extension to your "Firefox" add-on car radio - which you installed yourself, because you wanted an alternative to the embedded Microsoft Car Radio (which cannot be removed without disabling a large part of the car).
An extension that allows you to listen to the New & Wonderful Microsoft Radio Stations, and all installed without asking your permission first.
Just because you chose to add that extension on your built-in Microsoft Car Radio, does not give them the right to install it on your non-Microsoft Car Radios, WITHOUT YOUR PERMISSION.
After all many of us have the Firefox Car Radio just so that we can avoid listening to the Microsoft Radio Stations by accident or mistake or "Just Because Microsoft thinks it's time for you to". When we want to listen to those stations we use the Microsoft Car Radio.
So far I have managed to install the Java crap on various computers without having the google tool bar installed without my permission - they made it optional and I usually deselect all such options.
MS deserves a bashing for this. They are trespassing and are arguably doing an "unauthorised modification" to your computer system, which is a Computer Crimes offense in many countries.
They'd probably get away by giving the various usual excuses. After all, the Sony bunch got away without being jailed even though they did something worse.
Unauthorized modification of one to a few hundred computers and it's "hacking/vandalism", and if caught you can go to jail.
Unauthorized modification of millions of computers and it's called "useful and allowing firefox adoption".
Maybe some are exaggerating their ire that MS installed something as a FF extension. And if it was ONLY this, the story would have been laughed at by the majority of moderate people. But the fact you are missing which make people angry is the extension could not be uninstalled. How many of those extension above you cite are uninstallable ? They would be as guilty, but I have the feeling this is not the case.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
It seems you've found a glaring Firefox security problem there, that ought to be reported immediately.
If it is possible to silently install add-ons, how long will it take until someone finds a way to send you one via Exchange? One that, say, logs your keystrokes whenever you visit a URL starting with "https://", such as your online banking site?
Firefox needs to validate its add-ons and make sure the list can't be manipulated without user interaction.
Assorted stuff I do sometimes: Lemuria.org
USB Mass Storage Driver is a driver for USB memory sticks/HDD.
Yet I didn't need to read the source code to do that.
This extension does what? It certainly doesn't mention changing the browser string and no reason for it to do so. And it's "a framework" I.e. doesn't *actually* do something.
If I don't use C I don't install the compiler.
I don't use .NET.
And this is why my XP system has not been updated in two years now. The PC's working, Microsoft won't support the OS much longer, and Microsoft is known for messy and intrusive changes. Ain't no way I'm letting them near my computer now.
Yes, that means I have dozens of unplugged security holes, but then there are dozens of unplugged holes even after updating - plus the messy changes into the bargain. Ultimately I'm probably safer relying on a NAT router and a virus scanner than on system fixes.
Now that Microsoft are happy to use Windows Update to "update" other organisation's software, perhaps they'd care to install some too?
Well, obviously Firefox does not obstruct the possibility for some other random application to install a Firefox plug-in as part of the install process.
How does a Firefox user have any assurance that it's a good idea for them to manually install a given plug-in in any case?
As far as I can see, it's just because people "like" Firefox that they choose to believe it's all perfect. It's just like Apple, or Google, or $FlavourOfTheYear
This story is as much about Firefox insecurity as Microsoft surrepticiousness in my opinion.
-- *~()____) This message will self-destruct in 5 seconds...
1. I don't WANT that clickonce thing, im sure there is/will be some way to exploit that.
2.They should fix their own stuff.
3.Yeah, yeah, many install stuff without asking, but how many of them have their own browser they don't want to fix?
4.I just don't like that they do it hidden, without asking or giving you an option. AND they still have the balls to make it uninstall proof. Thats just to much.
I think they shouldn't do this. ALSO, Microsoft said open source is CANCER or something (old news) and now, out of the sudden, they CARE about us? I always hated them (i use windows only for gaming purposes), and now i do way more.
By reading this you agree to give me (Noxn) 1 dollar.
Java did exactly the same thing here: An extension called "Java Quick Starter" that cannot be uninstalled. And from comments around, so do Skype and several other applications.
So, the question should be "Why Firefox allows extensions that can't be uninstalled", but as usual /. prefers to avoid the more important issue in exchange for a cheap shot at MS.
...new add-on...unrequested...unasked-for...hitchhiking...gone wider...coming in with updates...
God damn, ok, we get that you for some reason don't like .NET extensions in firefox, you don't have to beat us over the head with it.
Mozilla should include a Linux OS extension with Firefox then. And install it by default! :D
Given that I am almost the archetypical luser (too thick to run linux on my desktop), how do I find if this piece of crud in on my system? I'm a tad nervous about messing about with the registry if I don't have to.
Islam Delenda Est
The .Net Framework Assistant also changes the User-Agent string of the Firefox browser, adding "(.NET CLR 3.5.30729)", so infected sites can better detect which MS vulnerability to exploit.
Some of us are too smart to run a Microsoft controlled operating system. If you do, you've already handled over all your keys and alarm codes.
Not much sense in complaining that someone also left a window open then.
Seriously, why to make this a big thing? Change your settings and don't automatically install every update that Microsoft recommends. This way you can control whatever extensions, critical updates, special offers that comes into your system.
One thing that shows that Microsoft is becoming a better company, is that it is starting to offer product support over other browsers and platforms. ClickOnce applications are a rapidly and useful way to distribute small applications across a company, but it requires you to use Internet Explorer. With this update, the user can stick to his preferred Firefox browser while accessing applications that were made to take advantage of ClickOnce support.
Don't you think that Slashdot overreacted too much?
Just wanted to say it once.
These complaining people are ones who purposefully avoided using Microsofts web browser for their own reasons. Now they find that Microsoft is interfering with the web browser that they chose instead. Reason for them to be upset especially as this modification cannot be easily uninstalled by most people.
You want your "shit" to just work? Guess what so do the rest of us. For some of us that includes not having Microsoft arbitrarily taking control and modifying 3rd party software that WE installed and configured how WE want it on OUR computer. The computer does not belong to Microsoft and they should not treat it as if it does.
I gave up on IE long ago because an update to IE 5.x disabled my ability to access the internet with ANY program. Why would a browser update block ALL internet applications from working? Fortunately I had a backup from the day before the update occurred and was able to fix it. Then I moved on to Mozilla. Now I use Firefox on Linux.
It is what a proctogist looks at!
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Apple did something similar - though not quite as sinister. They were shoving Safari for Windows down the automatic update pipe. It's annoying and akin to SPAMMING. Has anyone requested or opted in to receiving this update?
Or, I just need to get out more. After asking why all the guys were buying wings and beer on the same day in throngs at the grocery store,
I need to read more carefully, but the image of guys wearing thongs buying beer and wings in grocery stores is really hard to get out of my mind.
dpkg -l | grep .NET returns nothing.
Oh, wait...
Ubuntu on primary work desktop since Dapper Drake (2006).
Microsoft copies Apple, but never quiet hits the mark. It's supposed to be a FULL browser, MS... not just a plugin. ;)
Here is a question for you. After you install a pdf reader do you become upset that it installs a plugin in firefox so it can view PDF files? That is all this thing is.
Look in your firefox options. Click the application tab. Click on the label at the top of the actions list. Look for the "Use Windows Presentation Foundation" entries. There are two of them. Change them to whatever you want.
KB951847 (Microsoft .NET Framework 3.5 Service Pack 1 and .NET Framework 3.5 Family Update) installs this e(vil)xtension without so much as a by-your-leave. Simple instructions on how to remove it can be found here: Microsoft force-installs Firefox extension
Microsoft are acting more and more like the kings of old who claimed Divine Right to justify their tyranny.
Power does not corrupt - power attracts the corrupt.
This is a PLUGIN. Not an ADDON. Addons have uninstall buttons. Plugins do not. Uninstall .NET 3.5 of which this is a part, or follow my instructions in this post to disable it.
The point is that MSFT is silently forcing plugins
Period, end of statement.
If a burglar left a list of every item he stole from you, you still wouldn't be happy about the break-in, right?
You're right, though: an uninstall option would greatly improve things. An opt-out option would be even better. An opt-in would be perfect.
For a fast removal of the .NET Framework Assistant 1.0 from Firefox, save the following text as decrap.reg and run:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"=-
To run this from a command line (like a login script on all your machines):
regedit.exe /s decrap.reg
Feel free to modify and add the strings of any other extensions you want to auto-kill...
Microsoft has also added to the Firefox prefs.js config file, located at C:\Documents and Settings\USERNAME\Application Data\Mozilla\Firefox\Profiles\XXXXXXXX.default, where USERNAME is the user profile and XXXXXXXX is random characters. You will find these entries added to the file:
user_pref("general.useragent.extra.microsoftdotnet", "(.NET CLR 3.5.30729)");
user_pref("microsoft.CLR.clickonce.autolaunch"
You can remove these lines manually after closing all Firefox windows.
You can type about:config in the URL bar, and filter for 'microsoft' if you want to see what the slimeballs have been adding to your browser.
(high posting so you can find this...)
& Extend...
Comment removed based on user account deletion
How about a Firefox extension that cleanly and removes the MS extension? Updates to it could look for MS's future attempts to drop in unrequested extensions.
Agreed, what MS is doing is TERRIBLE!
That said, if this was the other way around. Some 3rd party software installing something into / on top of some other software, people would be screaming of security holes and blasting MS or whoever for their shoddy software.
So where are the folks calling out FF for allowing this to happen?
-Mark
Dovie'andi se tovya sagain.
Okay, MS didn't do the right thing by making it obvious that it was installing it (prompting etc) but...
This only gets install without your knowledge if you don't review the updates they are pushing on your system. It is (to extend the above car analogy) like you took you car to the mechanic for maintenance, and when he provided you a list of possible things you might want to have done you just signed the approval form blindly.
I know this is a good MS bashing opportunity, but I think people should take some responsibility for their own machines. If you blindly install all updates or have automatic updates configured to do it for you, you ARE giving MS rights to your desktop.
It's interesting how articles crop up in the media and the public goes into an uproar. It's possible that some may not fully understand the issue. My personal feeling is that Microsoft shouldn't jack with software that doesn't belong to them. It's my computer, it runs the way I want it to, don't install !@#! I don't want. But I also understand what ClickOnce is and I understand that it's the user-installed application that sends .NET version information back to the web server the application is installed from, not the browser and not the browser extension. So, the fact that it's there doesn't concern me so much, except for the resources that I know it's taking up.
About ClickOnce:
In ~ August, 2008, Microsoft released Visual Studio 2008 Service Pack One. Visual Studio 2005/2008 allows content creators to produce web applications based on a number of programming languages. These applications can be run as stand-alone or driven through web sites, either way, linked back to database servers, behaving similarly to Flash-based applications driven through Adobe Air. One of the technologies deployed with Visual Studio is ClickOnce, a system which allows the installed application to check for updates upon launch and prompt for new versions. The idea is that once the application is installed, it keeps itself up to date and the user doesn't have to continually mess with software revisions. Microsoft .NET 3.5 SP1 and VS 2008 SP1 releases silently install an extension for Mozilla Firefox, called .NET Framework Assistant, which "Adds ClickOnce support and the ability to report installed .NET versions to the web server."
The Problem:
Users are stating they were not told that the Firefox extension was being installed and are only finding out of its existence after-the-fact. To further complicate the issue, once installed, the extension appears with the uninstall button disabled. Users, who don't understand what ClickOnce is and don't understand what is meant by "the web server", are very upset about what this means and what information could be potentially outbound from their PC. Numerous forums list post after post from users who are extremely vocal about Microsoft's audacity of installing plug-ins to non-Microsoft applications and further providing no method for it's removal. While the tactics are dirty, Microsoft is not the first to do this. Sony used music CDs to install a virtually invisible "rootkit", DRM software to PCs to keep tabs on music placed on a host PC. Apple installs a host of applications as part of iTunes, which includes several resource consuming TSRs and Microsoft Outlook components, even if a user doesn't own an iPod.
The Technology:
ClickOnce in and of itself, is not a bad thing. Mini applications built on Visual Basic, VB.NET, C# and others, can be written with Visual Studio 200( x ) and delivered to a host PC through a web-installer. These applications require the Microsoft .NET framework to be installed and if set up correctly, when an update to the software is available, the user is automatically notified and the update applied, eliminating the burden of needing to check for updates. The extension for Firefox allows the user to visit a web page and see information about one of these applications, click on a link and be prompted for it's installation. This is not necessarily a bad thing. The extension simply allows the user access to the installer, it doesn't collect data and send it back to Microsoft or anywhere else. The installed application, upon launch, sends the currently installed version number back to the programmers web server and checks if a newer version is available. If a newer version is available, it notifies the user asks to be installed. The real problem is that Microsoft installed the extension without being asked and after being installed, disabled the uninstall button.
People are getting annoyed at MS for something that many applications have done for YEARS. How many people have installed apps that then go off and search for you web browser and "add functionality". Wow, MS did it, big f'n deal! I don't see this as a huge problem myself. So it installs it quitely, so it's hard to remove (perhaps my next few paragraphs might frame a "why"), so what? its not impossible.
If you want a reason to be peaved about this, here is a better one. Having worked for some big companies that do web development (from the perspective of creating websites that add functionality to their own business, not 3rd party developers writing apps for other business') most that I have dealt with have a list of "broswers we must support" which usually includes firefox, IE, safari as a minimum (not platforms, browsers). So now said businesses can say "ahh, we can write .net client side applications and it'll work and support all our browser support requirements". There in lies the problem, suddenly if your running firefox on linux, your screwed because mono and the associated chunks that would fulfil the req's under linux just aren't going to cut it.
As far as im concerned thats the real reason to be very angry. Suddenly people can look at .net as a replacement for java (webstart/applets) and flash. This is NOT a good scenario given that at least adobe and sun do put some effort into making flash and java work with some consistency across platforms. Its not a stab at ruining firefox, its a stab at linux, bsd, solaris, etc. That is a much greater concern.
There are 500 comments in here and not one mentioning the "clickonce" technology made it to the top ?
Now I know why I stopped reading slashdot.
Microsoft has been installing plugins in firefox for a long time... so has Adobe, google (picasa), Apple(quicktime,itunes) and others. What freaks me out is how this issue is blown out of proportion for the wrong reason.
ClickOnce is similar to Java's webstart technology for those who understand Java and you can get more information here
http://msdn.microsoft.com/en-us/magazine/cc163973.aspx
If you let java do it, and apple do it and apple do it why are you so surprised that microsoft is doing it ? Is it because its part of Office suite ? And how is that different from Picasa or itunes ?
Please read before you reply to or rate comments on a website like this.
Just use Firefox Portable (Mozilla Firefox®, Portable Edition).
I have not had an issue with this MS extension. Possibly because Firefox is not listed as being installed anywhere, so when Microsoft goes to look for it, it cannot find it.
And barring that, its set up the same as an installed edition, and I could plop it on a CD or USB drive and carry it with me.
You mean you think not providing an extension would prompt the same complaints as having one installed surreptitiously? Let me assure you, tampering with *competing* 3rd party software without explicitly asking for my permission, no matter what you might be trying to do, is not equivalent.
Quack, quack.
Somehow a RealPlayer extension was installed in my FireFox browser, and I have no idea how it got there. It's called: RealPlayer Browser Record Plugin 1.0
The PC computing model is commercially dead. Microsoft is trying to transition to the game console business model. We sell you a Microsoft machine. You can buy Microsoft approved first and third party titles. We make sure everything works. You can turn your brain off.
The classic PC model (my computer, keep your hands off) will live on thanks to the power of open source but it will not sustain commercial products.
Do you actually work for a company that will listen to you when you recommend Linux over Windows? If so your job is the exception rather than the rule.
You keep saying that people should come up with solutions, yet most people are not in a position such that a viable solution to this would be listened to. That is not an issue where I work, but I have certainly seen it in other places. Most other places, in fact.
You are calling people ineffectual whiners when in fact they are just describing their actual business situation (or in my case, someone else's). THAT does nobody any good.
Safari is an Apple product, bundled with Apple's operating system. This whole thing was not in reference to Microsoft updating Internet Explorer (which it does on a regular basis). This was about Microsoft updating SOMEBODY ELSE'S product, without permission.
That is a completely different situation.
And just for the record, this is a nice straw man that you dug up. I did not say that Apple was not arrogant. I stated that Microsoft was. Again, two different things.
if what you meant (it's hard to tell) was that iTunes was actually installing Safari into Windows without permission, then guess what? They were stopped, weren't they? As they should have been. Which is the whole point here.
But the issue under discussion did not involve Apple, it involved Microsoft. If, as you appear to be saying, it was wrong for Apple to do it, well then it is just as wrong for Microsoft, yes? So why are you objecting to people saying so? You contradict yourself by implication. So who's the troll?
Luckily it doesn't work on 3.1 beta, so at least some people are safe ;)
...Bill Gates is in my house pointing a gun at me and making me use windows. I am typing this while he is using the rest room. OH GOD HES COMING BACK, AM I THINK HES GOING TO MAKE ME TURN ON OFFICE ASSISTANT...
HA! I just wasted some of your bandwidth with a frivolous sig!
I use PortableFirefox (available from www.portableapps.com) on all the Windows machines I administer. I use it for its convenient portablity, but a nice benefit is that it not detected by WU and doesn't get this "update".
They are ALLOWED because the fucks are doing it at the behest of varoius unnamed governments (or for their own needs, which will ultimately entail apprising the governments of unpublished abilities... recall the simpler ones like $ prompt sysadmins can use to BUST RIGHT ON IN on user accounts with the typical user being unaware. And, for fuck's sake WHY does ms have the shitty model of requiring the user to supply their password to the SYSADMIN so the SA can grant the user access to outlook share folders on another domain? Just another cultivation of "surrender or surrender and change your password...).
Why ELSE could they (ms) do this kind of shit with apparent impunity? Unfortunately, probably the same is happening with Open Source. We can be free of mshaft, but, to operate with relative, apparent freedom, we have to accept that there are mshaft analogs in the Open Source developer base whether white hat or black hat.
If Open Source is going to be allowed to operate, federal back doors will be present there, too. No matter how many eyes can FIND the back doors, the governments will always be in the upper position to demand access, and refusal means being branded with criminal or insurrectionist intentions. So, we pay a price, regardless of OS or flavor of OS of choice.
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
* You asked for it when you downloaded the update saw it on the patch notes. You did read those, right?
* It doesn't make a point of it, EVERY plugin has just the 'disable' button. Java, Flash, every media player plugin you have, etc...
* http://en.wikipedia.org/wiki/ClickOnce Looks useful to me. I guess you like the extra steps of saving a .exe file, browsing to it, and double clicking.
* I believe this is the only point that's true, but it's only a bad thing to prejudiced people (honestly, people like you and racists are on the same level). Hate's fine, but hate with reason.
Hmmm, maybe it's cause I pirated my version, but when I installed it and came to the automatic dialog box asking me to enable automatic updates nobody from Microsoft appeared with a gun to make sure I did it. I guess that's for paying customers only. One would think that if they really wanted to force this they could have just not brought up that dialog box.
Ridiculously sarcastic counterpoints aside, your analogy is just terrible. How can you not see the gaping holes in it? Let me try: this is like hiring a maid to clean your house once a week and then crying to the internet when she leaves an extra bottle of 409 under the sink. Oh, and she left you a note about it, which you ignored. That's much better, no?
Wait.... you run as system administrator?
Sony installed a rootkit as part of DRM. MS is adding a .NET helper to FF -- in a way we can run around and look at what they could do "wrong"...like (any paranoid conservative) ... I mean they could install a FF addon that installs a rootkit FF addon to allow specific content to trigger the rootkit via any normal string of HTML -- while deleting the original addon with the MS signature on it. That would make it difficult to track the root kit back to the source (though not impossible, obviously).
HOWEVER, you could also look at the positive side -- Microsoft is, maybe, trying to SUPPORT Firefox by adding .NET compatibility code.
FWIW, it looks related to a patent lawsuit I think MS lost a while back concerning automatic execution of plugins embedded in a webpage - vs. being forced to "push" a button to activate the plugin. It was a bogus patent that MS should not have been required to honor, but hey...that didn't stop some court system from mucking it up.
Mozilla should simply release an update to Firefox which removes the offending plugin and resets the user agent string.
I know that's what I would do if another company was installing add-ons to my software without my user's consent.
- I never use automatic updates from microsoft for any microsoft product
- People should not blindly trust anyone / remote corporation to automatically update software on their machine, especially one that has blatantly shown the world that they are only interested in maintaining their monopoly and the interests of their corporate interests, instead of the end users...such as microsoft.
- People should not trust microsoft ever again, and should not have to begin with.
- I constantly advocate that people not use automatic update ever for anything.
- That stupid people get what they deserve for being too lazy and stupid to think and do things themselves.
I would like to say this should be the last nail in the coffin, but this has happened before many times, and caught many times, and brought to the forefront many times...yet people still use automatic updates. The problem isn't microsoft being evil...we've all known that. The real problem here is blatant stupidity on the part of the end user for even allowing this kind of access to the machine remotely.