Slashdot Mirror
Microsoft Update Slips In a Firefox Extension
An anonymous reader writes "While doing a weekly scrub of my Windows systems, which includes checking for driver updates and running virus scans, I found Firefox notifying me of a new add-on. It's labelled 'Microsoft .NET Framework Assistant,' and it 'Adds ClickOnce support and the ability to report installed .NET versions to the web server.' The add-on could not be uninstalled in the usual way. A little Net searching turned up a number of sites offering advice on getting rid of the unrequested add-on." The unasked-for extension has been hitchhiking along with updates to Visual Studio, and perhaps other products that depend on .NET, since August. It appears to have gone wider recently, coming in with updates to XP SP3.
Remember Sony?
Bite me
This definitely goes into the "WTF?" category.
The higher the technology, the sharper that two-edged sword.
Microsoft gives us updates all the time and we trust them to fix bugs and security holes. Firefox not coming with their extension is not in the scope of bugs and security holes they should fix. When they overstep their bounds like this ON TOP of an application(esp. a free software application) what might they be doing in their proprietary code under the application? Whatâ(TM)s next, an OpenOffice extension to make sure Microsoft never has an $ where their s is?
Classic move. People noticed. Two steps forward 10 steps back, eh?
Obligatory blog plug: http://www.caseybanner.ca/
Yea, more spyware. Now on FireFox instead of Internet Explorer. :P
The .NET framework is not required for Firefox to run. Why would any sane person assume installing a totally unrelated framework would scribble all over Firefox?
It most definitely IS unexpected, because I was never notified anywhere that a MICROSOFT update would entail installing an addon to a completely NON-Microsoft product.
.NET framework, I'm subject to whatever else MS wants to do to my computer? Nay, sir, nay.
Just because I installed the
Here's to the crazy ones
Although it's not the best approach that could have been taken it is a good sign. If Microsoft can no longer ignore Firefox then all those sites that still require IE to function will begin to follow.
Microsoft just can't resist the urge to use it's position as the marketplace leader for desktop OSes to be a dick.
That doesn't matter at all. Type in any .DLL file you can think of, and you will see all the "Remove Spyware Now!" type sites that catalog DLL files. Buried in the actual relevant content of the site, hidden beneath all the "Spyware is dangerous, you may have spyware" boilerplate content is a row in a table telling you that the DLL file you searched for is safe. You can't just trust results like that.
It's Funny, i have had the same issue with apple update, i find it requesting to install updates for programs that weren't installed in the first place, seems like the same thing but different company...
Unless that cat is the American public and the time since the last time you caught them is greater than the time since the last episode of American Idol.
I hate printers.
I was never notified that an ADOBE product would entail installing an addin to a completely NON-Adobe product. Get with the times. Companies install addons to "complementary" products (web browsers, office suites, etc).
I'm pretty sure that during the install for Adobe Reader you're given the option to install the browser plugin or not (maybe the most you have to do is go into "Custom install)... with the .NET addon all that happened as far as I can see is that I installed pending updates, rebooted, and bam the addon was there
Do you see how that's a different situation than installing an app that adds a browser plugin?
Here's to the crazy ones
It does matter because the sites are different. The ones that come up for Microsoft Framework Assistant are forum postings, articles and blogs instead of autogenerated bull-honky.
Why are you so amazed? Your control over your computer is illusory when you use closed-source programs -- especially ones that call back home and install "updates"
"It is our choices, Harry, that show what we truly are, far more than our abilities." -- Prof. Dumbledore
it seems very for malware to be installed like this
Maybe I'm looking at this the wrong way, but shouldn't Firefox stop extensions being installed this way?
You are (purposely?) missing the entire point. The average Firefox may CHOOSE to install flash, but that is their choice. If Microsoft wants to make a Firefox extension, then they need to put it in the directory just like everyone else.
Spooooon!!!!!
People think that Microsoft is a software company that is sometimes abusive. But it isn't, in my opinion. Microsoft is an abuse company that delivers abuse using software.
[root@localhost ~]# apt-get update apt-get: ET phone home
Yeah, damn those closed source OS's
Make SELinux enforcing again!
Maybe because...
Just one of those is enough to make something bad.
Game! - Where the stick is mightier than the sword!
What part of "can't uninstall" confuses you?
3 things about computers: they're alive, they're self-aware, and they hate your guts.
I'm seriously confused as to why this is upsetting considering that the average Firefox user installs plugins ...
The point isn't that MSFT is creating FF plugins.
The point is that MSFT is silently forcing plugins without telling us what they do.
This whole thing would have been a non-issue if they had
But MSFT is too arrogantly stupid to do that.
"I don't know, therefore Aliens" Wafflebox1
Then I assume that you have the source for the plugin, no?
If you dont have the source, how can you be sure what exactly it's attaching to? I know if I was Microsoft, I'd attach to parts of the rendering engine and screw around with things. It'd be an easy way to make Firefox seem slower and buggier. And, why disable the "Uninstall" button? Looks rather fishy to me.
I mean, if Firefox is prone to crashing at random times on random websites, wouldnt you think users would go back to IE?
Given the ample, well documented evidence of bad behavior by MS, failing to consider evil behavior by MS is a clear example of "fool me once, shame on you, fool me twice....". Just because the "evil behavior" is not so obvious yet, doesn't mean that there is not such a motive behind this action.
The real "Libtards" are the Libertarians!
I find it interesting that people here are so outraged at MS installing an extension for third party software, particularly a web browser. Think about how many completely non-Mozilla related products install a Firefox extension - PDF readers, media players, etc. I'll take as an example Adobe Reader, which installs a plugin for in-browser viewing when you install the desktop app (I hate Adobe Reader too, but it's a high-profile example). Firefox is not an Adobe product at all! yet we aren't yelling at that. Additionally, MS already has components installed in FF. Silverlight and the Windows Presentation Foundation are both MS products that are commonly installed in Firefox as plugins, to enable apps that take advantage of Silverlight and .NET browser features to operate in Firefox and friends as well as Internet Explorer. This plugin seems to serve a similar purpose of allowing .NET-powered web apps (which MS wants to be common in the future) to operate in Firefox as well as Internet Explorer. It seems like we should appreciate this move towards interoperability on MS's part - the alternative is only supporting Internet Explorer for web apps.
So it's really nothing abnormal to install an extension in a third party browser. This leaves us with only one issue, the fact that it was distributed via updates to other applications. I refute this as being a major issue for the exact same reason - quite a few programs update/install Firefox extensions as part of their normal update procedure - I raise Foxit Reader as an example, which as of v3.0 automatically installs a Firefox plugin. No one's yelling about that.
A significant question here: If it wasn't Microsoft, would anyone be nearly as angry?
I might be stupid, but that's a risk we're going to have to take.
I've noticed several of these uninstall-proof extensions lately. How about the Mozilla folks tweaking the extension model to allow an uninstall option?
The government can't save you.
A lot of you will hate me for this...
MS doing this is them trying to ensure that Firefox will work with their web apps (or, web apps built with their technology). Now, granted that they are taking liberties they should not. It would be better to just make the plugin easy to get and install. Consider however that they are doing this so their technology will work on a standards-compliant browser. That's not nothing. It IS dysfunctional in a passive-aggressive way (aggressive-passive?). On the other hand MS is trying to make the browsing experience BETTER for people who use .Net with Firefox. I'm not so sure this is a bad thing. maybe poorly executed...but...there's an argument for saying it's not.
Look, if you were running Ubuntu, installed Opera, and automatically got plugins from Synaptic for Opera that added new functionality would you complain?
Then again, the convoluted removal process should be reconsidered.
Everybody and their mother does that:
1) Quicktime/iTunes ...
2) Acrobat/Flash/etc
3) RealPlayer
4) Skype
5)
In fact that's what the whole system of extensions and plugins was *designed* to do. Accommodate 3rd party functionality that wasn't built-in to the browser itself.
And that's a GoodThing (TM).
The bad is that you can't uninstall it (easily). But you can always disable it...
the adobe products are SPECIFICALLY browser helpers... that's the point of Flash or Acrobat Reader to be plugged in to your browser. There's even a spot in the browser for them to do this.
Microsoft is trying to "fix" Firefox compatibility with .Net tools, that's the big problem people have. On one hand they are adding in the tools needed for Firefox to function properly on Microsoft web pages like any other browser plug-in vendor would. On the other hand Microsoft is doing this without announcing it, and the manor in which they slipped this in is of questionable motive. Remember they had a motto years ago..."DOS ain't done till Lotus won't run" Firefox and others had/have no such intentions.
Microsoft isn't trying to fuck up your web browser, they're enabling ClickOnce functionality via a plugin. You can tell what it's doing because it works exactly as is expected.
Conspiracy theories are not needed here. True, they should have enabled Uninstall, but jumping the gun is absolutely ridiculous.
Fucking up your ACID test via plugin in order to make IE seem better? Are you frakkin' serious? There's absolutely no possible way the community wouldn't notice that, and it'd be a ridiculous waste of time.
If I were Microsoft, I'd fire you for such a terrible idea.
That explains why .NET 3.5 SP1 was tagged as a 'high-priority,' and thus completely automatic and unnotified, install for anyone who allows Automatic Updates self-governance.
It clearly wasn't a security update: I only have .NETs v1 and v2 installed, and yet I still got a notification to install the SP1 update for .NET v3.5! Luckily, I don't automatically trust Microsoft with anything. I told it to ignore the update and never show it to me again.
Basically, MS is once again abusing the high-priority update channel, just like they did with the Genuine Advantage Notification tool. Don't let anyone tell you differently. They are treating machines set to update automatically like a spammer treats his botnet.
--
Toro
The microsoft "helper" plugin cannot be uninstalled like the java or adobe plugins. And since it behaves differently in that respect, I wonder if the .NET "Click-Once" apps trigger all those "security" warning popups like applets do? Maybe this uninstallable characteristic is related to getting around the windows "security" model. If that's the case, then microsoft will be able to call it "a feature".
As in creature feature.
3 things about computers: they're alive, they're self-aware, and they hate your guts.
Given Microsoft's track record with security, I worry:
- Windows user installs Firefox to avoid IE's security flaws. .NET functionality allows websites to host .NET executables.
- Microsoft silently installs a plugin onto Firefox that reports the browser includes
- Hackers discover a way to exploit this.
- Thus, Firefox is now less secure thanks to Microsoft.
"In prison you just have to shut your eyes and take it. Here you have to shut your eyes and give it."
Installing software on my computer -- especially software that is designed to make YOUR software work better, at the possible expense of others -- without my knowledge or consent is UNETHICAL . Period. And deliberately making uninstall difficult? INEXCUSABLE!!!
Shame on MS. They have been through this before and should know better. Bad. Bad. Negative points. Sad, sad negative Karma.
This is where Microsoft shows its true colors. They believe that as long as you are running Windows, they actually have RIGHTS regarding your desktop and the software you run.
They think they have a right to re-configure the software you use, for their own convenience and profit. That they can install things and you should have no say in the matter.
I am serious. On the corporate level (not most individual employees, I am sure), they really think that way. The evidence is incontrovertible.
Which used to serve them well. But which, in today's environment, is suffering a greater and greater disconnect with reality. I am sure you have noticed this yourself... the most obvious explanation for Microsoft's accelerating loss of market share is simply that they have lost touch with the realities of the market: their users' wants and needs, and, not to make too small a point of it, their business ethics.
I am not surprised at all.
Anybody remember when Windows "Genuine Advantage" validation software was getting slipped in as part of "critical updates" for things like the Microsoft Flash Player patch? It wasn't really that long ago.
You don't seriously expect Microsoft to *not* do these sorts of things on what they consider to be *their* systems, do you?
Well, Yes, MS does automatically install this program. The dotnet update 3.5 SP1 was listed as a critical security update, I have this on two servers that IE can't even access the web on. Firefox is only on it to check an internal website and monitor/access the web interfaces to routers and switches. The update installed the thing as it wasn't there before and yes, I check quite often. It also hasn't attempted to do anything on the internet yet because I monitor port access and nothing out of the ordinary has came up.
So if you had automatic updates on, it would have been installed without you choosing to install it. If you manually install automatic updates, there is no warning of it being installed. Critical updates shouldn't be adding new features or changing the way other software works unless it's specifically to address a security problem. Adding functionality to Firefox isn't a security fix.
Now it doesn't matter if you get this with any DotNet install now because you didn't in the past. Up until this month, it didn't even exist as far as I know. And just because it installs with dotnet now doesn't mean I agreed to installing it a year ago when I installed the last dotnet package to suppose a program we are using.
(1) Firefox is not a Microsoft application. It is installed at the will and whim of the end-user. And the end-user should have control over what is installed into their Firefox.
(2) Microsoft has every opportunity to give that end user A CHOICE. Yet, typically of Microsoft, they chose not to do so. That was the WRONG decision. And that is how most people view their work machines today: it belongs to me, by damn, and you had better ask me before installing something. As a computer professional, who depends on controlling software versions and so on to guarantee compatibility, this is not an option for me. I insist upon it. Companies that violate that policy are not my friends. They do NOT make my life easier, they make it much more difficult.
(3)They have no right to assume that I want their goddamned "Clickonce" thing to work. Maybe I don't. And in fact, the OP was not about installing it via the web at all, it was about it being installed automatically in the background via SPs and SP updates. This isn't about clicking on a link at all. Please read first before you offer an opinion.
(4) This is NOT about adding a mime-type handler. It is about installing a mime-type handler that some users may not want, secretly, in the background, without asking for permission. And for a BROWSER that isn't even their own product. Not only is this unacceptable to me (because I must always be in control of what is installed on my work machines), it is also typical of Microsoft's arrogant attitude toward their users.
My high-horse is not strictly MS-specific, as you would know if you actually read what I wrote! If any other company did this, I would oppose it just as vehemently. It is just that Microsoft is famous for doing this kind of thing, and here is yet one more example.
Odds are, "ozphx", that I was using Microsoft products professionally before you were out of elementary school. If you don't have a direct counterargument to mine, then please go elsewhere.
Oh... by the way. I agree that including the Google toolbar in Java updates is unethical, too. But at least a choice *IS* offered, and that during a voluntary install. In the case under discussion, it was stated that this software is being added unannounced, as part of an update, without any such option being provided. So there is a bit of a difference.
[root@localhost ~]# apt-get update apt-get: ET phone home
You forgot one thing though
# su -
When's the last time any packets installed without your consent?
Absolute power corrupts absolutely. indymedia
What is ClickOnce and why should I be forced to have a plugin to support it? How is it supposed to work? If my browser crashes unexpectedly, how can you be sure it isn't the mysterious plugin that appeared?
I get jumpy when software starts appearing on my laptop that I didn't put there. It screams 'attack vector', especially when it hasn't been vetted by any agency or group I trust.
How does it do it's job? What information does it send? Why the FUCK did it feel the need to modify my agent string?
I'm going to dig through firewall logs and see what it sends.
Eh... well not under Extensions, but under Plugins. (I'm looking right at them right now.) Which is where I go to disable them, since they are the Great Satan. Well ok maybe not, but they are annoying. :-D
"You look like you need a car analogy"
This is like sending in your Microsoft car for servicing at Microsoft and having the Microsoft mechanic install an extension to your "Firefox" add-on car radio - which you installed yourself, because you wanted an alternative to the embedded Microsoft Car Radio (which cannot be removed without disabling a large part of the car).
An extension that allows you to listen to the New & Wonderful Microsoft Radio Stations, and all installed without asking your permission first.
Just because you chose to add that extension on your built-in Microsoft Car Radio, does not give them the right to install it on your non-Microsoft Car Radios, WITHOUT YOUR PERMISSION.
After all many of us have the Firefox Car Radio just so that we can avoid listening to the Microsoft Radio Stations by accident or mistake or "Just Because Microsoft thinks it's time for you to". When we want to listen to those stations we use the Microsoft Car Radio.
So far I have managed to install the Java crap on various computers without having the google tool bar installed without my permission - they made it optional and I usually deselect all such options.
MS deserves a bashing for this. They are trespassing and are arguably doing an "unauthorised modification" to your computer system, which is a Computer Crimes offense in many countries.
They'd probably get away by giving the various usual excuses. After all, the Sony bunch got away without being jailed even though they did something worse.
Unauthorized modification of one to a few hundred computers and it's "hacking/vandalism", and if caught you can go to jail.
Unauthorized modification of millions of computers and it's called "useful and allowing firefox adoption".
It seems you've found a glaring Firefox security problem there, that ought to be reported immediately.
If it is possible to silently install add-ons, how long will it take until someone finds a way to send you one via Exchange? One that, say, logs your keystrokes whenever you visit a URL starting with "https://", such as your online banking site?
Firefox needs to validate its add-ons and make sure the list can't be manipulated without user interaction.
Assorted stuff I do sometimes: Lemuria.org
Very poor assumption. I run firefox specifically to avoid making it so easy to install arbitrary code on my machine behind my back. I installed .net because one program I wanted to run (and purposefully installed) required it. As soon as I remember which one that was I'm going to start looking for an alternative, directly as a result of this hijacking in fact I'll be looking carefully for alternatives to ANY .net program, and whenever possible refusing to run .net programs EVEN IF THERE ARE NO ALTERNATIVES WITHOUT IT.
If you want to add an extension to MY copy of firefox, you need to ask my permission and respect my answer, whether it's yes or no. Leveraging their control of the OS to install it without even asking was a criminal attack they should be prosecuted for. (Yes, I know they wont, they're above the law, but if some 15 year old kid had done the same thing we both know he'd be risking gaol for it.) Doing this in such a way as to disable the uninstall button is just adding insult to injury.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
I don't use .NET.
I bet you do.
Got Office 2003 ? Some of that is .NET code. Got Live Messenger ? Ditto. Nvidia or ATI graphics cards ? well, those DEFINITELY need .NET to work properly. Let's not forget all those extra bits of freeware you've also got, some of those will be .NET based as well.
As I understand it, this add-on just alters the useragent to declare that the PC it's running on is .NET capable (i.e. you got at least one version of the .NET framework installed). This is a good thing - as it means MORE sites that have .net extensions or controls will work in FF, meaning you can finally ditch IE completely (in theory).
Yes their installation methods were suspect - but remember MS's major user base is The Doe Family, who can just about turn their PC on and off. Do you really thing they know the answer to 'Do you really want to install the .NET Framework Assistant ?' - If course they wont know what that is, or whether they need it.
Does your mechanic, dentist, doctor, explain to you each and every thing they do to you or your car in intimate detail ? No.
The PC is becoming a closed box appliance. You can't fight this.
An finally, if you distrust MS SO much - why did you have Windows Updates on anyway!?
Together, We Can Make Slashdot Better. I Do NOT Mod ACs. - Check Me Out
I always understood that any installation that takes place without the user giving some kind of permission was classified as viral behaviour.
www.nodicerpg.com - Some RP stuff for free, some not so for free, but still cheap.
Well allow me to add that it is NOT, I repeat NOT just Visual Studio. I don't have Visual Studio installed and this "extension" was installed along with the latest patch for DotNET V3.5. So pretty much anyone who has FF and has the latest version and patches for dotNET is affected.
How are they allowed to get away with this? Isn't installing BHOs that are not asked for and cannot be uninstalled without hacking pretty much the definition of malware? If some company like Gator or WhenU pulled this crap they would be busted. So why is MSFT allowed to pull this crap? And how do we know that this "extension" wouldn't cause problems or add bugs to FF? Seems like a great way to hamstring your competition to me. I just hope they get called to the mat for pulling this crap, because as far as I'm concerned this is the definition of malware. After all I didn't ask for it or give them permission to install it, they disabled the common way to remove it, and the only way to get rid of it was to hack both the reg and my prefs.js file. Sounds exactly like the kind of crap I deal with removing malware BHOs for customers.
ACs don't waste your time replying, your posts are never seen by me.
Not a big deal???
Microsoft modified *another company's products*. What's next? MS is going to start adding updates to VLC player or Utorrent or OpenOffice or WordPerfect?!?!? They shouldn't be messing with non-microsoft products.
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
Agreed, what MS is doing is TERRIBLE!
That said, if this was the other way around. Some 3rd party software installing something into / on top of some other software, people would be screaming of security holes and blasting MS or whoever for their shoddy software.
So where are the folks calling out FF for allowing this to happen?
-Mark
Dovie'andi se tovya sagain.
Yeah, the nerves of these software companies! I heard a company called Macromedia (well, Adobe now I guess) also installs updates to Internet Explorer and Firefox. Some kind of flash-thing. HOW DARE THEY?! ;-)
Harald
...
As I understand it, this add-on just alters the useragent to declare that the PC it's running on is .NET capable (i.e. you got at least one version of the .NET framework installed). This is a good thing - as it means MORE sites that have .net extensions or controls will work in FF, meaning you can finally ditch IE completely (in theory). ...
How the hell is Microsoft surreptitiously polluting a browser that tries to be standards-compliant with their non-compliant, deliberate-barrier-to-competition CRAP "a good thing"?
What fucking Earth on you on?
Do you know what bugs me about this browser plugin? The fact that Microsofts knowledgebase article on the update didn't mention it.
If they did it openly, it would have been recieved much better. But they go "stealth-mode", and install it without the user knowing.
Yes.
And if Microsoft had ASKED, I would have said, "No thanks; please leave my Mozilla browser alone." But they didn't even give me the choice. They used a Negative Option where they signed me up automatically, and if I want to get unsigned, I have to do it myself. Negative Options are generally considered illegal. See: http://www.consumeraffairs.com/news04/2005/negative_option.html
"Today, with "negative option" marketing, commerce can be anything but simple, and consumers can end up being charged for products or services they never intended to purchase...... In 2001, the Federal Trade Commission cracked down on negative option abuses, suing nine companies for charging customers credit cards for products or services without gaining their express approval.
"Negative option marketing is particularly troubling when marketers already have consumers' credit card or billing account information and can easily charge consumers' accounts without their permission or when marketers fail to disclose that consumers' credit card numbers will be transferred to another company and charged unless consumers call to cancel," the FTCs Elaine Kolish told Congress in November, 2001.
Although in this case Microsoft did not charge for the upgrade, I still find it offensive that they are modifying OTHER companies' programs without my permission. Microsoft should not be practicing negative option upgrades to non-microsoft products.
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall