Slashdot Mirror
Microsoft Update Slips In a Firefox Extension
An anonymous reader writes "While doing a weekly scrub of my Windows systems, which includes checking for driver updates and running virus scans, I found Firefox notifying me of a new add-on. It's labelled 'Microsoft .NET Framework Assistant,' and it 'Adds ClickOnce support and the ability to report installed .NET versions to the web server.' The add-on could not be uninstalled in the usual way. A little Net searching turned up a number of sites offering advice on getting rid of the unrequested add-on." The unasked-for extension has been hitchhiking along with updates to Visual Studio, and perhaps other products that depend on .NET, since August. It appears to have gone wider recently, coming in with updates to XP SP3.
Remember Sony?
Bite me
This definitely goes into the "WTF?" category.
The higher the technology, the sharper that two-edged sword.
Microsoft gives us updates all the time and we trust them to fix bugs and security holes. Firefox not coming with their extension is not in the scope of bugs and security holes they should fix. When they overstep their bounds like this ON TOP of an application(esp. a free software application) what might they be doing in their proprietary code under the application? Whatâ(TM)s next, an OpenOffice extension to make sure Microsoft never has an $ where their s is?
Classic move. People noticed. Two steps forward 10 steps back, eh?
Obligatory blog plug: http://www.caseybanner.ca/
The add-on is automatically installed when you install the latest version of the .net framework. Microsoft Update does NOT automatically install this add-on. In order for it to be installed you had to explicitly choose to install the .net framework.
Honestly, had they mandated silverlight, and included this in the silverlight install, I think they may have gotten it to most of the users that they would need to have it anyway, and pissed less people off in the process. Welcome to the new (steve) microsoft, same as the old (bill) microsoft.
Ya know, since Bill is long gone, I think the Microsoft icon could use an upgrade. I have an idea. It has to do with a chair, Steve Ballmer, and his ass.
They are gathering intelligence on how to build on of these "web browsers".
Yea, more spyware. Now on FireFox instead of Internet Explorer. :P
The .NET framework is not required for Firefox to run. Why would any sane person assume installing a totally unrelated framework would scribble all over Firefox?
Are you sure? Did you actually mean .Net 3.5 SP1? That's what just installed it on my machine. I've never seen XP SP3 install it.
Although it's not the best approach that could have been taken it is a good sign. If Microsoft can no longer ignore Firefox then all those sites that still require IE to function will begin to follow.
Never forget.
Forgetting is key to getting caught again. You can only catch a cat in the same trap once.
Help stamp out iliturcy.
One hint that this "extension" is unwanted garbage is that when you Google (google: Microsoft Framework Assistant) for it and the top links are pages about how to remove it. Then the first link from your site (microsoft.com) is also a forum that mentions getting rid of it...
Anyway, here's how to remove it.
http://www.robertnyman.com/2009/01/26/microsoft-force-installs-firefox-extension/
Microsoft just can't resist the urge to use it's position as the marketplace leader for desktop OSes to be a dick.
It's Funny, i have had the same issue with apple update, i find it requesting to install updates for programs that weren't installed in the first place, seems like the same thing but different company...
Some of the recent updates for Java SE have included "Java Quick Starter". And for those with Ubuntu, there are a number of things that show up in the Add-ons list that are not explained well.
Has anyone noticed a performance hit to Firefox or anything? Any critical need to remove it?
Not that I'm happy that it was put on my system and that it can't be removed through the accepted addon system with Firefox, but I'm wondering if its really worth the trouble and for what reasons other than the standard "MS is evilllll", "They're spying on us", or what is sure to become a new spin on a popular internet meme "Microsoft raped my web browser".
I saw this thing today while trying to fix an ailing Vista laptop. WTF!? And I couldn't get rid of it. I was thinking that my GF's son somehow got this thing installed but maybe it wasn't his fault afterall. God, I hate Microsoft.
!First. Fail!
...not first, fail not? ugh, this is why I prefer using the bitwise oprtator (~) instead, although in /. lore this is instead in jokes used to mean "home", per the bash usage instead of the one's complement.
Or, I just need to get out more. After asking why all the guys were buying wings and beer on the same day in throngs at the grocery store, I found out the last super bowl was indeed not 32.
The "raison d'etre" of the plug-in when installing latest the .NET framework is to provide support for "Click-Once" deployment of web-enabled applications via Firefox. This is no different than the Java SE installing it's plug-in for Java applets, or Adobe Reader installing it's plug-in for viewing PDFs directly within the browser. It has no effect on the browser at all unless you try to open a Click-Once application link specifically. This also isn't new; the plug-in has been available on Windows Update for at least half a year.
it's slipping spyware/crapware into a competitor's product? That's even worse than Sony and many others (where you can usually opt out or at least you know where it's coming from). Microsoft is stooping very, very low these days. They deserve another conviction... soon.
Custom electronics and digital signage for your business: www.evcircuits.com
You mean call it out specifically in the install of .NET, I think you may have a point there.
However, it is sad that it is needed at all, even if for acceleration purposes. It means that .NET relies on something only specifically available before in IE. Uncool. No uninstall- unforgivable. My guess is that they will fix it.
And rootkit comparisons? Jesus. Nothing close.
quis custodiet ipsos custodes
it seems very for malware to be installed like this
Maybe I'm looking at this the wrong way, but shouldn't Firefox stop extensions being installed this way?
You are (purposely?) missing the entire point. The average Firefox may CHOOSE to install flash, but that is their choice. If Microsoft wants to make a Firefox extension, then they need to put it in the directory just like everyone else.
Spooooon!!!!!
Are you blind? The purpose of the plugin is written in the summary, the article, and in the plugin description.
People think that Microsoft is a software company that is sometimes abusive. But it isn't, in my opinion. Microsoft is an abuse company that delivers abuse using software.
Maybe because...
Just one of those is enough to make something bad.
Game! - Where the stick is mightier than the sword!
What part of "can't uninstall" confuses you?
3 things about computers: they're alive, they're self-aware, and they hate your guts.
I'm seriously confused as to why this is upsetting considering that the average Firefox user installs plugins ...
The point isn't that MSFT is creating FF plugins.
The point is that MSFT is silently forcing plugins without telling us what they do.
This whole thing would have been a non-issue if they had
But MSFT is too arrogantly stupid to do that.
"I don't know, therefore Aliens" Wafflebox1
Then I assume that you have the source for the plugin, no?
If you dont have the source, how can you be sure what exactly it's attaching to? I know if I was Microsoft, I'd attach to parts of the rendering engine and screw around with things. It'd be an easy way to make Firefox seem slower and buggier. And, why disable the "Uninstall" button? Looks rather fishy to me.
I mean, if Firefox is prone to crashing at random times on random websites, wouldnt you think users would go back to IE?
I find it interesting that people here are so outraged at MS installing an extension for third party software, particularly a web browser. Think about how many completely non-Mozilla related products install a Firefox extension - PDF readers, media players, etc. I'll take as an example Adobe Reader, which installs a plugin for in-browser viewing when you install the desktop app (I hate Adobe Reader too, but it's a high-profile example). Firefox is not an Adobe product at all! yet we aren't yelling at that. Additionally, MS already has components installed in FF. Silverlight and the Windows Presentation Foundation are both MS products that are commonly installed in Firefox as plugins, to enable apps that take advantage of Silverlight and .NET browser features to operate in Firefox and friends as well as Internet Explorer. This plugin seems to serve a similar purpose of allowing .NET-powered web apps (which MS wants to be common in the future) to operate in Firefox as well as Internet Explorer. It seems like we should appreciate this move towards interoperability on MS's part - the alternative is only supporting Internet Explorer for web apps.
So it's really nothing abnormal to install an extension in a third party browser. This leaves us with only one issue, the fact that it was distributed via updates to other applications. I refute this as being a major issue for the exact same reason - quite a few programs update/install Firefox extensions as part of their normal update procedure - I raise Foxit Reader as an example, which as of v3.0 automatically installs a Firefox plugin. No one's yelling about that.
A significant question here: If it wasn't Microsoft, would anyone be nearly as angry?
I might be stupid, but that's a risk we're going to have to take.
I've noticed several of these uninstall-proof extensions lately. How about the Mozilla folks tweaking the extension model to allow an uninstall option?
The government can't save you.
A lot of you will hate me for this...
MS doing this is them trying to ensure that Firefox will work with their web apps (or, web apps built with their technology). Now, granted that they are taking liberties they should not. It would be better to just make the plugin easy to get and install. Consider however that they are doing this so their technology will work on a standards-compliant browser. That's not nothing. It IS dysfunctional in a passive-aggressive way (aggressive-passive?). On the other hand MS is trying to make the browsing experience BETTER for people who use .Net with Firefox. I'm not so sure this is a bad thing. maybe poorly executed...but...there's an argument for saying it's not.
Look, if you were running Ubuntu, installed Opera, and automatically got plugins from Synaptic for Opera that added new functionality would you complain?
Then again, the convoluted removal process should be reconsidered.
Everybody and their mother does that:
1) Quicktime/iTunes ...
2) Acrobat/Flash/etc
3) RealPlayer
4) Skype
5)
In fact that's what the whole system of extensions and plugins was *designed* to do. Accommodate 3rd party functionality that wasn't built-in to the browser itself.
And that's a GoodThing (TM).
The bad is that you can't uninstall it (easily). But you can always disable it...
There is no reason why firefox shouldnt be able to download their windows updates in firefox!
Microsoft isn't trying to fuck up your web browser, they're enabling ClickOnce functionality via a plugin. You can tell what it's doing because it works exactly as is expected.
Conspiracy theories are not needed here. True, they should have enabled Uninstall, but jumping the gun is absolutely ridiculous.
Fucking up your ACID test via plugin in order to make IE seem better? Are you frakkin' serious? There's absolutely no possible way the community wouldn't notice that, and it'd be a ridiculous waste of time.
If I were Microsoft, I'd fire you for such a terrible idea.
That explains why .NET 3.5 SP1 was tagged as a 'high-priority,' and thus completely automatic and unnotified, install for anyone who allows Automatic Updates self-governance.
It clearly wasn't a security update: I only have .NETs v1 and v2 installed, and yet I still got a notification to install the SP1 update for .NET v3.5! Luckily, I don't automatically trust Microsoft with anything. I told it to ignore the update and never show it to me again.
Basically, MS is once again abusing the high-priority update channel, just like they did with the Genuine Advantage Notification tool. Don't let anyone tell you differently. They are treating machines set to update automatically like a spammer treats his botnet.
--
Toro
The microsoft "helper" plugin cannot be uninstalled like the java or adobe plugins. And since it behaves differently in that respect, I wonder if the .NET "Click-Once" apps trigger all those "security" warning popups like applets do? Maybe this uninstallable characteristic is related to getting around the windows "security" model. If that's the case, then microsoft will be able to call it "a feature".
As in creature feature.
3 things about computers: they're alive, they're self-aware, and they hate your guts.
And go right ahead and profile it. Don't forget your tinfoil hat. I'll bet my house nothing changes at all.
It seems Microsoft has finally gotten around to doing the second E in "Embrace, Extend and Extinguish" (literally).
All they have to do now is to make the FF addon force all links to iexplore.exe, and there's your extinguish.
Homonyms are fun!
You're driving your car, but they're riding their bikes there.
Given Microsoft's track record with security, I worry:
- Windows user installs Firefox to avoid IE's security flaws. .NET functionality allows websites to host .NET executables.
- Microsoft silently installs a plugin onto Firefox that reports the browser includes
- Hackers discover a way to exploit this.
- Thus, Firefox is now less secure thanks to Microsoft.
"In prison you just have to shut your eyes and take it. Here you have to shut your eyes and give it."
The amount of venom/vitriol/nerdrage comments in this story is fucking astounding.
Install .NET 3.5 SP1 (the latest version of .NET) you get this firefox extension. It enables the use of ClickOnce within firefox. You guys know what clickonce is right?
http://en.wikipedia.org/wiki/ClickOnce#Firefox_extensions
One can only assume if you install .NET, you might actually want to run .NET apps, and some of them are deployed using ClickOnce. The FF extension is a convenience.
The only valid critique I see here is necessity for more people to prune back the Opt-In settings for Windows Update. The rest of you though..
Installing software on my computer -- especially software that is designed to make YOUR software work better, at the possible expense of others -- without my knowledge or consent is UNETHICAL . Period. And deliberately making uninstall difficult? INEXCUSABLE!!!
Shame on MS. They have been through this before and should know better. Bad. Bad. Negative points. Sad, sad negative Karma.
mumble... bitwise oprtator (~) mumble...
Lovely spelling as well, after all its not like every app using GNOME has spell-check now. And on such a detailed subject with no right being brought up in the same post as football, too! Why don't I either start writing my posts in binary or just tap some snipped ethernet wires together to make the binary datagrams/packets myself? Man I really need to get out more...
I, too, am a fan of British Columbia.
This is where Microsoft shows its true colors. They believe that as long as you are running Windows, they actually have RIGHTS regarding your desktop and the software you run.
They think they have a right to re-configure the software you use, for their own convenience and profit. That they can install things and you should have no say in the matter.
I am serious. On the corporate level (not most individual employees, I am sure), they really think that way. The evidence is incontrovertible.
Which used to serve them well. But which, in today's environment, is suffering a greater and greater disconnect with reality. I am sure you have noticed this yourself... the most obvious explanation for Microsoft's accelerating loss of market share is simply that they have lost touch with the realities of the market: their users' wants and needs, and, not to make too small a point of it, their business ethics.
I am not surprised at all.
Winxp SP3 here, I don't have it...not 100% sure what the requirements are for it, though :?
"...Sleep comes like a drug in God's country Sad eyes, crooked crosses in God's country..."
Hell one of the plugins listed in my copy of firefox is Windows Genuine Advantage. I see no reason for that to exist in firefox. Also there are two Microsoft DRM things. However, all can be disabled. Running SP3 here as well as .NET 3.5, and i do not have the plugin/addon mentioned.
You are actually running IE.
I suffer from attention surplus disorder.
I dunno, say a decompiler?
3laws: No freebies, no backsies, GTFO.
Anybody remember when Windows "Genuine Advantage" validation software was getting slipped in as part of "critical updates" for things like the Microsoft Flash Player patch? It wasn't really that long ago.
You don't seriously expect Microsoft to *not* do these sorts of things on what they consider to be *their* systems, do you?
Here's a look at all the plugins I didn't want and had to disable:
Extensions: .NET Framework Assistant 1.0
- Java Quick Starter 1.0
- Microsoft
Plugins: - Adobe Acrobat
- Java(TM) Platform SE 6 U10
- Java(TM) Platform SE 6 U11
- Java(TM) Platform SE 6 U11 (Yes, again)
- Microsoft(R) DRM
- Microsoft(R) DRM (Yes, again)
- QuickTime Plug-in 7.4.5 (I'll send it to the external player, please)
- RealPlayer Version Plugin (RealAlternative, please)
- RealPlayer(tm) G2 LiveConnet-Enabled Plug-IN (32-bit)
- Windows Media Player Plug-in Dynamic Link Library
So far, that's Sun, Apple, Real, Adobe, and Microsoft messing with my browser without telling me... and only because I'm quite strict with what I install on my system. This isn't Microsoft up to their old tricks, it's just them keeping up with the Joneses, and forcing me to keep up with everyone with an agenda. What else is new?
I do have Silverlight installed, too, but at least the installer for that told me it would work with multiple browsers. Thank goodness the Mozilla people had the fine sense to let people see plugins and extensions, unlike IE6 and friends. Quite a few time I've had to fix someone's compter by hacking out IE extensions from the system registry, and that's not pleasant at all.
I see your point, but there's a big difference between me choosing to install the flash plug-in in my firefox installation vs having Microsoft choose to install their own plug-in in my installation of firefox.
If the benefits afforded to me by this plug-in were clear and made sense, I would have installed it myself with out much hesitation. My understanding is though that this plug-in is of no direct benefit to the owner of the firefox installation, only to those who want to know what versions of .NET I have installed on the underlying OS.
I see it kind of like a local council sending someone to sit in my driveway, and report what kind of car I drive, and when I drive it, without asking me before hand... it's of no direct inconvenience to me, but I certainly feel as if I'm being put under needless scrutiny. On the other hand, if the local council informed me of their wish to send someone to sit in my drive way and record these details, and gave me the reasons why they were doing it, I'd probably have much less issue with it.
This is a violation of trust more than anything else, and Microsoft thinking that because they technically (as per EULA) own the software on your computer, that by extension, they own everything on it. /car analogy
5468652047616D65
there is a doc about that extension, written by M$:
http://msdn.microsoft.com/en-us/library/cc716877.aspx
according to that site, its present sice *July* 2008
As a computer, I find your faith in technology amusing.
(1) Firefox is not a Microsoft application. It is installed at the will and whim of the end-user. And the end-user should have control over what is installed into their Firefox.
(2) Microsoft has every opportunity to give that end user A CHOICE. Yet, typically of Microsoft, they chose not to do so. That was the WRONG decision. And that is how most people view their work machines today: it belongs to me, by damn, and you had better ask me before installing something. As a computer professional, who depends on controlling software versions and so on to guarantee compatibility, this is not an option for me. I insist upon it. Companies that violate that policy are not my friends. They do NOT make my life easier, they make it much more difficult.
(3)They have no right to assume that I want their goddamned "Clickonce" thing to work. Maybe I don't. And in fact, the OP was not about installing it via the web at all, it was about it being installed automatically in the background via SPs and SP updates. This isn't about clicking on a link at all. Please read first before you offer an opinion.
(4) This is NOT about adding a mime-type handler. It is about installing a mime-type handler that some users may not want, secretly, in the background, without asking for permission. And for a BROWSER that isn't even their own product. Not only is this unacceptable to me (because I must always be in control of what is installed on my work machines), it is also typical of Microsoft's arrogant attitude toward their users.
My high-horse is not strictly MS-specific, as you would know if you actually read what I wrote! If any other company did this, I would oppose it just as vehemently. It is just that Microsoft is famous for doing this kind of thing, and here is yet one more example.
Odds are, "ozphx", that I was using Microsoft products professionally before you were out of elementary school. If you don't have a direct counterargument to mine, then please go elsewhere.
Oh... by the way. I agree that including the Google toolbar in Java updates is unethical, too. But at least a choice *IS* offered, and that during a voluntary install. In the case under discussion, it was stated that this software is being added unannounced, as part of an update, without any such option being provided. So there is a bit of a difference.
The issue is that they're modifying non-Microsoft software I've installed without asking for my permission.
I use Firefox because it's more secure than Internet Explorer, for example an application can't install itself with minimal interaction, just because it's an ActiveX control signed by someone.
The "extension" Microsoft sneaks into third-party software enables ClickOnce, which essentially introducing almost the exact same security vulnerability ActiveX introduces to IE.
It's slightly better in that these are standalone apps per se, not necessarily controls any web page can call.
Echo'ed.
If someone in a suit on the street forced you to wear a band-aid on your shoulder, you'd ask them what was up with them. If someone wanted on the street was "vaccinating" everyone walking by, you'd turn and run the other way.
Firefox is a standards-compliant program that does things via standard API's. MS is going behind Firefox's back and putting stuff in places where Firefox can't write/delete files. You do *NOT* want FF to be able to write/delete all over your system. That is one reason it's safer than IE.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
To be fair, we'd only be criticizing them slightly less had they done both of those points. They just made our rationalization a heck of a lot easier by discarding any sense of caution or respect.
Evidently, the key to understanding recursion is to begin by understanding recursion. The rest is easy.
Just nitpicking, but it doesn't just "make it think" you're using - you actually are using IE with IE Tab - that tab contains an instance of IE itself (which gets annoying when your proxy settings are different between the two)
My book about LSD and Self-Discovery
Also on facebook as: DroppingAcidDaleBewan
AFAIK the add-ons (incl. updates) hosted at addons.mozilla.org must go through a review procedure before being pushed to update channel. If so, why doesn't Mozilla sign the reviewed packages (while not signing the pending ones) and only allow the user installing the signed ones? This is similar to what all Linux distros are doing.
This doesn't rule out 3rd party add-ons that don't go through the Mozilla review procedure. Firefox should include only the official Mozilla public key by default, but a user can import 3rd-party developers' keys by themselves. If you don't trust a particular developer (for example, Microsoft) or can't verify its identity, just don't import the key and there will be no way for the add-on to install. Importing/deleting public keys should be done with root- or admin-privilege just like updating Firefox itself.
Colorless green Cthulhu waits dreaming furiously.
I think that the problem here is that the update shouldn't have been treated as a "high priority" update, since there are those who did not want the .net framework 3.5.
Actually, I think a nicer solution would have been to simply make it a separate update. There is no good reason that this "feature" needs to be a PART of the .NET update, regardless of the version. Let me install .NET Framework x.x and any associated SPx to it, but let me UNSELECT things I don't want from that, such as plugins to my browser, which has nothing to do with what I use .NET for.
My book about LSD and Self-Discovery
Also on facebook as: DroppingAcidDaleBewan
Guess nobody here runs Java or Flash.
They don't even show up in the add-ons list.
paintball
What is ClickOnce and why should I be forced to have a plugin to support it? How is it supposed to work? If my browser crashes unexpectedly, how can you be sure it isn't the mysterious plugin that appeared?
I get jumpy when software starts appearing on my laptop that I didn't put there. It screams 'attack vector', especially when it hasn't been vetted by any agency or group I trust.
How does it do it's job? What information does it send? Why the FUCK did it feel the need to modify my agent string?
I'm going to dig through firewall logs and see what it sends.
Agreed :)
"You look like you need a car analogy"
This is like sending in your Microsoft car for servicing at Microsoft and having the Microsoft mechanic install an extension to your "Firefox" add-on car radio - which you installed yourself, because you wanted an alternative to the embedded Microsoft Car Radio (which cannot be removed without disabling a large part of the car).
An extension that allows you to listen to the New & Wonderful Microsoft Radio Stations, and all installed without asking your permission first.
Just because you chose to add that extension on your built-in Microsoft Car Radio, does not give them the right to install it on your non-Microsoft Car Radios, WITHOUT YOUR PERMISSION.
After all many of us have the Firefox Car Radio just so that we can avoid listening to the Microsoft Radio Stations by accident or mistake or "Just Because Microsoft thinks it's time for you to". When we want to listen to those stations we use the Microsoft Car Radio.
So far I have managed to install the Java crap on various computers without having the google tool bar installed without my permission - they made it optional and I usually deselect all such options.
MS deserves a bashing for this. They are trespassing and are arguably doing an "unauthorised modification" to your computer system, which is a Computer Crimes offense in many countries.
They'd probably get away by giving the various usual excuses. After all, the Sony bunch got away without being jailed even though they did something worse.
Unauthorized modification of one to a few hundred computers and it's "hacking/vandalism", and if caught you can go to jail.
Unauthorized modification of millions of computers and it's called "useful and allowing firefox adoption".
Maybe some are exaggerating their ire that MS installed something as a FF extension. And if it was ONLY this, the story would have been laughed at by the majority of moderate people. But the fact you are missing which make people angry is the extension could not be uninstalled. How many of those extension above you cite are uninstallable ? They would be as guilty, but I have the feeling this is not the case.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
It seems you've found a glaring Firefox security problem there, that ought to be reported immediately.
If it is possible to silently install add-ons, how long will it take until someone finds a way to send you one via Exchange? One that, say, logs your keystrokes whenever you visit a URL starting with "https://", such as your online banking site?
Firefox needs to validate its add-ons and make sure the list can't be manipulated without user interaction.
Assorted stuff I do sometimes: Lemuria.org
And this is why my XP system has not been updated in two years now. The PC's working, Microsoft won't support the OS much longer, and Microsoft is known for messy and intrusive changes. Ain't no way I'm letting them near my computer now.
Yes, that means I have dozens of unplugged security holes, but then there are dozens of unplugged holes even after updating - plus the messy changes into the bargain. Ultimately I'm probably safer relying on a NAT router and a virus scanner than on system fixes.
Now that Microsoft are happy to use Windows Update to "update" other organisation's software, perhaps they'd care to install some too?
I don't use .NET.
I bet you do.
Got Office 2003 ? Some of that is .NET code. Got Live Messenger ? Ditto. Nvidia or ATI graphics cards ? well, those DEFINITELY need .NET to work properly. Let's not forget all those extra bits of freeware you've also got, some of those will be .NET based as well.
As I understand it, this add-on just alters the useragent to declare that the PC it's running on is .NET capable (i.e. you got at least one version of the .NET framework installed). This is a good thing - as it means MORE sites that have .net extensions or controls will work in FF, meaning you can finally ditch IE completely (in theory).
Yes their installation methods were suspect - but remember MS's major user base is The Doe Family, who can just about turn their PC on and off. Do you really thing they know the answer to 'Do you really want to install the .NET Framework Assistant ?' - If course they wont know what that is, or whether they need it.
Does your mechanic, dentist, doctor, explain to you each and every thing they do to you or your car in intimate detail ? No.
The PC is becoming a closed box appliance. You can't fight this.
An finally, if you distrust MS SO much - why did you have Windows Updates on anyway!?
Together, We Can Make Slashdot Better. I Do NOT Mod ACs. - Check Me Out
Well, obviously Firefox does not obstruct the possibility for some other random application to install a Firefox plug-in as part of the install process.
How does a Firefox user have any assurance that it's a good idea for them to manually install a given plug-in in any case?
As far as I can see, it's just because people "like" Firefox that they choose to believe it's all perfect. It's just like Apple, or Google, or $FlavourOfTheYear
This story is as much about Firefox insecurity as Microsoft surrepticiousness in my opinion.
-- *~()____) This message will self-destruct in 5 seconds...
Sorry, but you're saying that this is for people who are the "Doe Family", i.e. people who don't make decisions about their software, and just run what they're give.
Did the EU stuff become law whilst I wasn't looking? Firefox isn't installed by default, not for these users. So they're already know they've done something "custom", by installing firefox, it's not Microsoft's job to touch that, it's the person who installed firefox, or the people who make firefox.
1. I don't WANT that clickonce thing, im sure there is/will be some way to exploit that.
2.They should fix their own stuff.
3.Yeah, yeah, many install stuff without asking, but how many of them have their own browser they don't want to fix?
4.I just don't like that they do it hidden, without asking or giving you an option. AND they still have the balls to make it uninstall proof. Thats just to much.
I think they shouldn't do this. ALSO, Microsoft said open source is CANCER or something (old news) and now, out of the sudden, they CARE about us? I always hated them (i use windows only for gaming purposes), and now i do way more.
By reading this you agree to give me (Noxn) 1 dollar.
I always understood that any installation that takes place without the user giving some kind of permission was classified as viral behaviour.
www.nodicerpg.com - Some RP stuff for free, some not so for free, but still cheap.
...new add-on...unrequested...unasked-for...hitchhiking...gone wider...coming in with updates...
God damn, ok, we get that you for some reason don't like .NET extensions in firefox, you don't have to beat us over the head with it.
Mozilla should include a Linux OS extension with Firefox then. And install it by default! :D
Given that I am almost the archetypical luser (too thick to run linux on my desktop), how do I find if this piece of crud in on my system? I'm a tad nervous about messing about with the registry if I don't have to.
Islam Delenda Est
The .Net Framework Assistant also changes the User-Agent string of the Firefox browser, adding "(.NET CLR 3.5.30729)", so infected sites can better detect which MS vulnerability to exploit.
Sounds like a good alternative.
"I bet you do"? Nonsense.
Some of us don't own a copy of Windows (nor a pirated copy).
These complaining people are ones who purposefully avoided using Microsofts web browser for their own reasons. Now they find that Microsoft is interfering with the web browser that they chose instead. Reason for them to be upset especially as this modification cannot be easily uninstalled by most people.
You want your "shit" to just work? Guess what so do the rest of us. For some of us that includes not having Microsoft arbitrarily taking control and modifying 3rd party software that WE installed and configured how WE want it on OUR computer. The computer does not belong to Microsoft and they should not treat it as if it does.
I gave up on IE long ago because an update to IE 5.x disabled my ability to access the internet with ANY program. Why would a browser update block ALL internet applications from working? Fortunately I had a backup from the day before the update occurred and was able to fix it. Then I moved on to Mozilla. Now I use Firefox on Linux.
It is what a proctogist looks at!
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Apple did something similar - though not quite as sinister. They were shoving Safari for Windows down the automatic update pipe. It's annoying and akin to SPAMMING. Has anyone requested or opted in to receiving this update?
An even more elegant solution:
Firefox already has support for launching a user-friendly way of adding plugins/addons/whathaveyou when it reaches a site that requires such things. MS could have easily approached Mozilla about adding this functionality for "clickonce."
"A witty saying proves nothing." - Voltaire
dpkg -l | grep .NET returns nothing.
Oh, wait...
Ubuntu on primary work desktop since Dapper Drake (2006).
That's what really stands out to me here. If this Microsoft extension was really above-the-board, they should have just gone to Mozilla and said: "Hey guys, look we've this extension here and we'd like to include it with Firefox because we think it will help websites be more compatible with Firefox." (assuming that's what it's for)
Covertly installing updates/modifications to another party's software is very bad form. I'd be just as pissed if a Firefox update installed some mysterious IE plugin or a game update installed some add-on to my IM software. When I download and install an update for a piece of software, I expect it to only update that program. Personally, I don't think it should even come with updates/add-ons for other software but if it does it damn well better ask me before installing it.
Here is a question for you. After you install a pdf reader do you become upset that it installs a plugin in firefox so it can view PDF files? That is all this thing is.
Look in your firefox options. Click the application tab. Click on the label at the top of the actions list. Look for the "Use Windows Presentation Foundation" entries. There are two of them. Change them to whatever you want.
I see everyone has forgotten the meeting Microsoft and the Mozilla Foundation had. This product was most likely years in development and testing.
----- You know you have ego issues when you register a domain in your name.
KB951847 (Microsoft .NET Framework 3.5 Service Pack 1 and .NET Framework 3.5 Family Update) installs this e(vil)xtension without so much as a by-your-leave. Simple instructions on how to remove it can be found here: Microsoft force-installs Firefox extension
Microsoft are acting more and more like the kings of old who claimed Divine Right to justify their tyranny.
Power does not corrupt - power attracts the corrupt.
This is a PLUGIN. Not an ADDON. Addons have uninstall buttons. Plugins do not. Uninstall .NET 3.5 of which this is a part, or follow my instructions in this post to disable it.
Does your mechanic, dentist, doctor, explain to you each and every thing they do to you or your car in intimate detail ? No.
Dentists and doctors do, in fact, disclose everything they do in both medical transcriptions and billing... which you are entitled to take to another doctor for interpretation.
Secondarily, if a mechanic added a GPS tracker to my car without my knowledge or consent, you can bet that would be actionable in court. If the add-on caused my vehicle to operate differently and that "changed operation" caused an accident, you can also bet they'd be sued.. if not by your attorney, by the insurance company.
about:plugins
For a fast removal of the .NET Framework Assistant 1.0 from Firefox, save the following text as decrap.reg and run:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"=-
To run this from a command line (like a login script on all your machines):
regedit.exe /s decrap.reg
Feel free to modify and add the strings of any other extensions you want to auto-kill...
Microsoft has also added to the Firefox prefs.js config file, located at C:\Documents and Settings\USERNAME\Application Data\Mozilla\Firefox\Profiles\XXXXXXXX.default, where USERNAME is the user profile and XXXXXXXX is random characters. You will find these entries added to the file:
user_pref("general.useragent.extra.microsoftdotnet", "(.NET CLR 3.5.30729)");
user_pref("microsoft.CLR.clickonce.autolaunch"
You can remove these lines manually after closing all Firefox windows.
You can type about:config in the URL bar, and filter for 'microsoft' if you want to see what the slimeballs have been adding to your browser.
(high posting so you can find this...)
& Extend...
Comment removed based on user account deletion
how do you know that's all it does? because it hasn't done anything else that you noticed?
The usual behavior of "The Doe Family" is not to alter the standard configuration of their software, no matter what. So, this explains why the software was added without their knowledge.
What it does not explain is why it has been made so difficult to remove it. Mom and Pop don't sit around reviewing add ons and then randomly deleting them, so its not like MS is protecting those users from themselves.
Let's also bear in mind that the world would not end if the add-on was deleted. It's purely optional. So, there is absolutely no reason to make it impervious to uninstall.
That said, never attribute something to malice that can be adequately attributed to stupidity. Or in this case: corporate culture. My guess is that Microsoft designers just do crap like this by default without thinking about whether it is even needed first. You could fault MS for it, but its an affliction of all large, monolithic organizations.
Agreed, what MS is doing is TERRIBLE!
That said, if this was the other way around. Some 3rd party software installing something into / on top of some other software, people would be screaming of security holes and blasting MS or whoever for their shoddy software.
So where are the folks calling out FF for allowing this to happen?
-Mark
Dovie'andi se tovya sagain.
As far as I am aware this is a standard windows update. It would have been added in the usual update procedure which is authorised. The main problem is the fact that they installed it in a product which they did not make without explicitly saying that this was happening.
...
As I understand it, this add-on just alters the useragent to declare that the PC it's running on is .NET capable (i.e. you got at least one version of the .NET framework installed). This is a good thing - as it means MORE sites that have .net extensions or controls will work in FF, meaning you can finally ditch IE completely (in theory). ...
How the hell is Microsoft surreptitiously polluting a browser that tries to be standards-compliant with their non-compliant, deliberate-barrier-to-competition CRAP "a good thing"?
What fucking Earth on you on?
Some of us don't own a copy of Windows
Then this doesn't directly affect you.
Okay, MS didn't do the right thing by making it obvious that it was installing it (prompting etc) but...
This only gets install without your knowledge if you don't review the updates they are pushing on your system. It is (to extend the above car analogy) like you took you car to the mechanic for maintenance, and when he provided you a list of possible things you might want to have done you just signed the approval form blindly.
I know this is a good MS bashing opportunity, but I think people should take some responsibility for their own machines. If you blindly install all updates or have automatic updates configured to do it for you, you ARE giving MS rights to your desktop.
It's interesting how articles crop up in the media and the public goes into an uproar. It's possible that some may not fully understand the issue. My personal feeling is that Microsoft shouldn't jack with software that doesn't belong to them. It's my computer, it runs the way I want it to, don't install !@#! I don't want. But I also understand what ClickOnce is and I understand that it's the user-installed application that sends .NET version information back to the web server the application is installed from, not the browser and not the browser extension. So, the fact that it's there doesn't concern me so much, except for the resources that I know it's taking up.
About ClickOnce:
In ~ August, 2008, Microsoft released Visual Studio 2008 Service Pack One. Visual Studio 2005/2008 allows content creators to produce web applications based on a number of programming languages. These applications can be run as stand-alone or driven through web sites, either way, linked back to database servers, behaving similarly to Flash-based applications driven through Adobe Air. One of the technologies deployed with Visual Studio is ClickOnce, a system which allows the installed application to check for updates upon launch and prompt for new versions. The idea is that once the application is installed, it keeps itself up to date and the user doesn't have to continually mess with software revisions. Microsoft .NET 3.5 SP1 and VS 2008 SP1 releases silently install an extension for Mozilla Firefox, called .NET Framework Assistant, which "Adds ClickOnce support and the ability to report installed .NET versions to the web server."
The Problem:
Users are stating they were not told that the Firefox extension was being installed and are only finding out of its existence after-the-fact. To further complicate the issue, once installed, the extension appears with the uninstall button disabled. Users, who don't understand what ClickOnce is and don't understand what is meant by "the web server", are very upset about what this means and what information could be potentially outbound from their PC. Numerous forums list post after post from users who are extremely vocal about Microsoft's audacity of installing plug-ins to non-Microsoft applications and further providing no method for it's removal. While the tactics are dirty, Microsoft is not the first to do this. Sony used music CDs to install a virtually invisible "rootkit", DRM software to PCs to keep tabs on music placed on a host PC. Apple installs a host of applications as part of iTunes, which includes several resource consuming TSRs and Microsoft Outlook components, even if a user doesn't own an iPod.
The Technology:
ClickOnce in and of itself, is not a bad thing. Mini applications built on Visual Basic, VB.NET, C# and others, can be written with Visual Studio 200( x ) and delivered to a host PC through a web-installer. These applications require the Microsoft .NET framework to be installed and if set up correctly, when an update to the software is available, the user is automatically notified and the update applied, eliminating the burden of needing to check for updates. The extension for Firefox allows the user to visit a web page and see information about one of these applications, click on a link and be prompted for it's installation. This is not necessarily a bad thing. The extension simply allows the user access to the installer, it doesn't collect data and send it back to Microsoft or anywhere else. The installed application, upon launch, sends the currently installed version number back to the programmers web server and checks if a newer version is available. If a newer version is available, it notifies the user asks to be installed. The real problem is that Microsoft installed the extension without being asked and after being installed, disabled the uninstall button.
People are getting annoyed at MS for something that many applications have done for YEARS. How many people have installed apps that then go off and search for you web browser and "add functionality". Wow, MS did it, big f'n deal! I don't see this as a huge problem myself. So it installs it quitely, so it's hard to remove (perhaps my next few paragraphs might frame a "why"), so what? its not impossible.
If you want a reason to be peaved about this, here is a better one. Having worked for some big companies that do web development (from the perspective of creating websites that add functionality to their own business, not 3rd party developers writing apps for other business') most that I have dealt with have a list of "broswers we must support" which usually includes firefox, IE, safari as a minimum (not platforms, browsers). So now said businesses can say "ahh, we can write .net client side applications and it'll work and support all our browser support requirements". There in lies the problem, suddenly if your running firefox on linux, your screwed because mono and the associated chunks that would fulfil the req's under linux just aren't going to cut it.
As far as im concerned thats the real reason to be very angry. Suddenly people can look at .net as a replacement for java (webstart/applets) and flash. This is NOT a good scenario given that at least adobe and sun do put some effort into making flash and java work with some consistency across platforms. Its not a stab at ruining firefox, its a stab at linux, bsd, solaris, etc. That is a much greater concern.
There are 500 comments in here and not one mentioning the "clickonce" technology made it to the top ?
Now I know why I stopped reading slashdot.
Microsoft has been installing plugins in firefox for a long time... so has Adobe, google (picasa), Apple(quicktime,itunes) and others. What freaks me out is how this issue is blown out of proportion for the wrong reason.
ClickOnce is similar to Java's webstart technology for those who understand Java and you can get more information here
http://msdn.microsoft.com/en-us/magazine/cc163973.aspx
If you let java do it, and apple do it and apple do it why are you so surprised that microsoft is doing it ? Is it because its part of Office suite ? And how is that different from Picasa or itunes ?
Please read before you reply to or rate comments on a website like this.
The same mechanism that allows Ubuntu to install and update the Ubufox extension through apt allows Microsoft to do sleazy stuff like this. Can't get one without allowing the other (yeah, it sucks, whaddaya do).
Oh, and really, the "M$" "Mafia$oft" thing. Not cool, man. Make your argument and go your way, but don't go out of your way to make yourself look childish. (This friendly tip brought to you by someone who agrees with your message and would like to see it disseminated more effectively.)
Hey, I finally got my first freak! Took you long enough!
Actually in this case it's Wire Fraud and Misuse of a Computer. Just like Spore installing SecuROM without telling me and then allowing SecuROM to remove some of my Admin privileges without my expressed permission, Microsoft installing an update to Firefox without my knowledge and making it where I can't remove it by normal means without my permission is something they should be SUED TO DEATH over.
Mozilla needs to hit them with Antitrust litigation, the people affected by this undisclosed software addition need to be pressing to have Microsoft as an entity placed under arrest for what essentially amounts to hacking a person's system, and I'll nail their ass the same way EA's getting nailed.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
You mean you think not providing an extension would prompt the same complaints as having one installed surreptitiously? Let me assure you, tampering with *competing* 3rd party software without explicitly asking for my permission, no matter what you might be trying to do, is not equivalent.
Quack, quack.
There, fixed that for you.
So do you thinking that everyone who's not a computer geek is too stupid to be provided with a notice or an uninstaller or that Microsoft is too stupid to provide one?
If Microsoft can tamper with 3rd party software, perhaps some 3rd party software developer should nest an oblique clause in their EULA and remove that pesky ie extension once and for all?
Quack, quack.
Agreed, and sorry about that. I try not to stoop to that level, but thuggish, fraudulent, and illegal behavior has this tendency to anger me, and, when angry, I become rather less articulate.
Nonaggression works!
The PC computing model is commercially dead. Microsoft is trying to transition to the game console business model. We sell you a Microsoft machine. You can buy Microsoft approved first and third party titles. We make sure everything works. You can turn your brain off.
The classic PC model (my computer, keep your hands off) will live on thanks to the power of open source but it will not sustain commercial products.
Do you actually work for a company that will listen to you when you recommend Linux over Windows? If so your job is the exception rather than the rule.
You keep saying that people should come up with solutions, yet most people are not in a position such that a viable solution to this would be listened to. That is not an issue where I work, but I have certainly seen it in other places. Most other places, in fact.
You are calling people ineffectual whiners when in fact they are just describing their actual business situation (or in my case, someone else's). THAT does nobody any good.
Safari is an Apple product, bundled with Apple's operating system. This whole thing was not in reference to Microsoft updating Internet Explorer (which it does on a regular basis). This was about Microsoft updating SOMEBODY ELSE'S product, without permission.
That is a completely different situation.
And just for the record, this is a nice straw man that you dug up. I did not say that Apple was not arrogant. I stated that Microsoft was. Again, two different things.
So you're saying that the MS extension allows the browser to communicate the fact that it is ".NET capable" to web servers. Aside from the fact that having MS add a communication feature to FireFox reflexively makes me say "security hole", what advantage does this .NET capability buy me? Why do I care? Firefox was working fine as is; if a site was broken to Firefox, I assumed that it was run by stupid-heads, and I didn't want to buy their stuff (or whatever) anyway. I don't think that encouraging web authors to write sites that depend on .NET is necessarily a good thing. How will .NET improve the web, and how is it in our interests to have the web become dependent on this Microsoft proprietary technology. Could you explain what I'm missing?
Great men are almost always bad men--Lord Acton's Corollary
if what you meant (it's hard to tell) was that iTunes was actually installing Safari into Windows without permission, then guess what? They were stopped, weren't they? As they should have been. Which is the whole point here.
But the issue under discussion did not involve Apple, it involved Microsoft. If, as you appear to be saying, it was wrong for Apple to do it, well then it is just as wrong for Microsoft, yes? So why are you objecting to people saying so? You contradict yourself by implication. So who's the troll?
> Does your mechanic, dentist, doctor, explain to you each and every thing they do to you or your car in intimate detail ? No.
My mechanic, dentist, and doctor will, on request, explain each procedure they intend to do, why they feel it needs to be done, and how they intend to do it. If I wish, I can get a second opinion before the procedure is done, by going to another provider.
Microsoft is the only provider. They don't offer to explain in any detail what will be done. They don't explain in detail why it needs to be done.
Also, for each procedure done by the mechanic, et al, I pay per procedure. Microsoft, I've already paid.
Your analogy could stand some improvement.
> An finally, if you distrust MS SO much - why did you have Windows Updates on anyway!?
What, you'd prefer they run pre-SP1 Win XP? What parts of "monopoly" and "defective product" weren't clear?
...Bill Gates is in my house pointing a gun at me and making me use windows. I am typing this while he is using the rest room. OH GOD HES COMING BACK, AM I THINK HES GOING TO MAKE ME TURN ON OFFICE ASSISTANT...
HA! I just wasted some of your bandwidth with a frivolous sig!
I can safely say I don't use .net - I run Linux, and MS has written it so that it will, hands down, absolutely NOT run on my computer.
Have you apt-get/yum updated mono lately? I wonder if there's a mono-framework-addistant-mozilla-plugin-0.0.1.x86_64.deb/rpm
I use PortableFirefox (available from www.portableapps.com) on all the Windows machines I administer. I use it for its convenient portablity, but a nice benefit is that it not detected by WU and doesn't get this "update".
They are ALLOWED because the fucks are doing it at the behest of varoius unnamed governments (or for their own needs, which will ultimately entail apprising the governments of unpublished abilities... recall the simpler ones like $ prompt sysadmins can use to BUST RIGHT ON IN on user accounts with the typical user being unaware. And, for fuck's sake WHY does ms have the shitty model of requiring the user to supply their password to the SYSADMIN so the SA can grant the user access to outlook share folders on another domain? Just another cultivation of "surrender or surrender and change your password...).
Why ELSE could they (ms) do this kind of shit with apparent impunity? Unfortunately, probably the same is happening with Open Source. We can be free of mshaft, but, to operate with relative, apparent freedom, we have to accept that there are mshaft analogs in the Open Source developer base whether white hat or black hat.
If Open Source is going to be allowed to operate, federal back doors will be present there, too. No matter how many eyes can FIND the back doors, the governments will always be in the upper position to demand access, and refusal means being branded with criminal or insurrectionist intentions. So, we pay a price, regardless of OS or flavor of OS of choice.
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
The usual behavior of "The Doe Family" is not to alter the standard configuration of their software, no matter what. So, this explains why the software was added without their knowledge.
The .net framework plug in is really no different than the Adobe Reader plugins. If you install reader, it automatically installs plugins for various installed browsers, so that they can use Adobe Reader.
If you install the latest .NET framework, it installs blugins for installed browsers, so that it can use it. If you don't install the framework, it doesn't install the plugin. You have a choice whether or not to install the framework; you can uninstall the framework, and the framework description even discloses what it is doing.
What exactly is your problem?
What it does not explain is why it has been made so difficult to remove it. Mom and Pop don't sit around reviewing add ons and then randomly deleting them, so its not like MS is protecting those users from themselves.
Its not 'so difficult to remove it'. You can uninstall the plugin manually, or remove the .net framework. The reason firefox can't uninstall it, is because it wasn't installed through firefox, and firefox doesn't have permission to modify software installed via 3rd party systems... like Windows update. Or apt-get. Yes, apt-get-- if you install a plugin through apt-get on Ubuntu, firefox can't uninstall it there either. So much for your conspiracy theory.
Let's also bear in mind that the world would not end if the add-on was deleted. It's purely optional. So, there is absolutely no reason to make it impervious to uninstall.
Its not impervious. Its just the result of being installed through windows update. The user can trivially disable it at the user level, because the decision to use a given plug-in is a simple user preference. However to actually uninstall it - you have to do that at the same privilege level it was installed at. Duh!
I don't know, but I noticed those fifteen minutes ago and promptly disabled them.
Although, plugins run only when something invokes them... e.g. there's a java plugin that starts up when the browser loads an applet, an Adobe Acrobat plugin that starts when you open a PDF, etc. Extensions run all the time (which is why the browser has to be restarted in order to enable/disable or install/uninstall them). I'm a bit more concerned about an extension than a plugin: an extension can interact with any page I view without me even knowing about it, whereas a plugin has to be triggered by the mime-type or by some element within the page.
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
> As I understand it, this add-on just alters the useragent to declare that the PC it's running on is .NET capable (i.e. you got at least one version of the .NET framework installed). This is a good thing - as it means MORE sites that have .net extensions or controls will work in FF, meaning you can finally ditch IE completely (in theory).
So we can leave IE, but we're stuck with Windows? (Given that any Linux computer able to run .NET code won't exactly be using Windows update.) Great...
Keep in mind that what is a "good thing" was judged from Microsoft's point of view.
If more people use .NET for web stuff, more people buy Visual Studio.
WRONG... WRONG... WRONG... it is not a good thing in any sense of the word.
Do I want web developers using .net and making my non-dotnet-capable machines unusable. NO!
I don't want Microsoft fooling developers into using .net to develop web apps that are not standards compliant and are dependent upon Microsoft anything.
I would rather developers not use Flash, Silverlight, vbs, or any other technologies that require a non-open technology of any sort.
Imagine if MS starts publishing the .net proliferation and developers see that 95% of computers can run .net code in their browsers. Since that developer knows .net he decides that he will use .net thinking he doesn't care so much if he loses 5% of his traffic to compatibility issues. Now your iPhone, netbook, and most devices with embedded browsers won't work.
If MS want's .net in the browser, they should open it up and make it entirely up to the user to choose to install it. After all, it's not a web standard.
Sometimes the best solution is to stop wasting time looking for an easy solution.
Viral is when something hides in something else and self replicates. Trojan is where you have to take an action to get it, but it isn't what you thought it was. You manually let the horse in when you turned on updates or downloaded the particular update. But you didn't get what you expected. It doesn't self-replicate. It doesn't infect anyone else from your machine. It just rides in on something else.
Learn to love Alaska
I wonder if the .NET "Click-Once" apps trigger all those "security" warning popups like applets do?
ClickOnce is different from applets - it doesn't run in the browser. It's more akin to Java Web Start. It's not something that displays within the content of the page when you browse to a site - rather, it enables a site to publick ClickOnce installer links, that, when clicked, will display a dialog that prompts you to install an app into a sandbox. No, it does not get around Windows security - if anything, it's much more locked down than your typical desktop app, because of the sandbox.
Of course, you'd know all that, and a lot more, have you bothered to Google - Wikipedia article is pretty decent, for one, with screenshots and all. But I guess this is Slashdot, so...
I don't know that's all it does, but I'm not stupid enough to make up conspiracy theories about what it hasn't been proved to do when quite frankly the theory is stupid in the first place.
Sony installed a rootkit as part of DRM. MS is adding a .NET helper to FF -- in a way we can run around and look at what they could do "wrong"...like (any paranoid conservative) ... I mean they could install a FF addon that installs a rootkit FF addon to allow specific content to trigger the rootkit via any normal string of HTML -- while deleting the original addon with the MS signature on it. That would make it difficult to track the root kit back to the source (though not impossible, obviously).
HOWEVER, you could also look at the positive side -- Microsoft is, maybe, trying to SUPPORT Firefox by adding .NET compatibility code.
FWIW, it looks related to a patent lawsuit I think MS lost a while back concerning automatic execution of plugins embedded in a webpage - vs. being forced to "push" a button to activate the plugin. It was a bogus patent that MS should not have been required to honor, but hey...that didn't stop some court system from mucking it up.
- I never use automatic updates from microsoft for any microsoft product
- People should not blindly trust anyone / remote corporation to automatically update software on their machine, especially one that has blatantly shown the world that they are only interested in maintaining their monopoly and the interests of their corporate interests, instead of the end users...such as microsoft.
- People should not trust microsoft ever again, and should not have to begin with.
- I constantly advocate that people not use automatic update ever for anything.
- That stupid people get what they deserve for being too lazy and stupid to think and do things themselves.
I would like to say this should be the last nail in the coffin, but this has happened before many times, and caught many times, and brought to the forefront many times...yet people still use automatic updates. The problem isn't microsoft being evil...we've all known that. The real problem here is blatant stupidity on the part of the end user for even allowing this kind of access to the machine remotely.