Microsoft Update Slips In a Firefox Extension
An anonymous reader writes "While doing a weekly scrub of my Windows systems, which includes checking for driver updates and running virus scans, I found Firefox notifying me of a new add-on. It's labelled 'Microsoft .NET Framework Assistant,' and it 'Adds ClickOnce support and the ability to report installed .NET versions to the web server.' The add-on could not be uninstalled in the usual way. A little Net searching turned up a number of sites offering advice on getting rid of the unrequested add-on." The unasked-for extension has been hitchhiking along with updates to Visual Studio, and perhaps other products that depend on .NET, since August. It appears to have gone wider recently, coming in with updates to XP SP3.
Remember Sony?
Bite me
This definitely goes into the "WTF?" category.
The higher the technology, the sharper that two-edged sword.
Microsoft gives us updates all the time and we trust them to fix bugs and security holes. Firefox not coming with their extension is not in the scope of bugs and security holes they should fix. When they overstep their bounds like this ON TOP of an application (esp. a free software application) what might they be doing in their proprietary code under the application? What's next, an OpenOffice extension to make sure Microsoft never has an $ where their s is?
Classic move. People noticed. Two steps forward 10 steps back, eh?
Obligatory blog plug: http://www.caseybanner.ca/
The add-on is automatically installed when you install the latest version of the .net framework. Microsoft Update does NOT automatically install this add-on. In order for it to be installed you had to explicitly choose to install the .net framework.
They are gathering intelligence on how to build one of these "web browsers".
Yea, more spyware. Now on FireFox instead of Internet Explorer. :P
The .NET framework is not required for Firefox to run. Why would any sane person assume installing a totally unrelated framework would scribble all over Firefox?
Are you sure? Did you actually mean .Net 3.5 SP1? That's what just installed it on my machine. I've never seen XP SP3 install it.
Although it's not the best approach that could have been taken it is a good sign. If Microsoft can no longer ignore Firefox then all those sites that still require IE to function will begin to follow.
Never forget.
Forgetting is key to getting caught again. You can only catch a cat in the same trap once.
Help stamp out iliturcy.
One hint that this "extension" is unwanted garbage is that when you Google (google: Microsoft Framework Assistant) for it and the top links are pages about how to remove it. Then the first link from your site (microsoft.com) is also a forum that mentions getting rid of it...
Anyway, here's how to remove it.
http://www.robertnyman.com/2009/01/26/microsoft-force-installs-firefox-extension/
Microsoft just can't resist the urge to use its position as the marketplace leader for desktop OSes to be a dick.
It's funny, I have had the same issue with apple update, I find it requesting to install updates for programs that weren't installed in the first place, seems like the same thing but different company...
Some of the recent updates for Java SE have included "Java Quick Starter". And for those with Ubuntu, there are a number of things that show up in the Add-ons list that are not explained well.
!First. Fail!
...not first, fail not? ugh, this is why I prefer using the bitwise oprtator (~) instead, although in /. lore this is instead in jokes used to mean "home", per the bash usage instead of the one's complement.
Or, I just need to get out more. After asking why all the guys were buying wings and beer on the same day in throngs at the grocery store, I found out the last super bowl was indeed not 32.
More like appending the version of the .NET CLR to the UA string, so that ClickOnce or XBAP applications can install through Firefox instead of requiring IE. I can testify (looking at my UA right now) that it does not change anything else and leaves the Firefox name intact.
Of course, to find this out you might have to research or think about your answer instead of assuming evil behavior on Microsoft's part...
If I have not seen as far as others, it was because giants were standing on my shoulders. --Hal Abelson
it seems very for malware to be installed like this
Maybe I'm looking at this the wrong way, but shouldn't Firefox stop extensions being installed this way?
You are (purposely?) missing the entire point. The average Firefox may CHOOSE to install flash, but that is their choice. If Microsoft wants to make a Firefox extension, then they need to put it in the directory just like everyone else.
Spooooon!!!!!
People think that Microsoft is a software company that is sometimes abusive. But it isn't, in my opinion. Microsoft is an abuse company that delivers abuse using software.
Maybe because...
Just one of those is enough to make something bad.
Game! - Where the stick is mightier than the sword!
What part of "can't uninstall" confuses you?
3 things about computers: they're alive, they're self-aware, and they hate your guts.
I'm seriously confused as to why this is upsetting considering that the average Firefox user installs plugins ...
The point isn't that MSFT is creating FF plugins.
The point is that MSFT is silently forcing plugins without telling us what they do.
This whole thing would have been a non-issue if they had
But MSFT is too arrogantly stupid to do that.
"I don't know, therefore Aliens" Wafflebox1
Then I assume that you have the source for the plugin, no?
If you don't have the source, how can you be sure what exactly it's attaching to? I know if I was Microsoft, I'd attach to parts of the rendering engine and screw around with things. It'd be an easy way to make Firefox seem slower and buggier. And, why disable the "Uninstall" button? Looks rather fishy to me.
I mean, if Firefox is prone to crashing at random times on random websites, wouldn't you think users would go back to IE?
Given the ample, well documented evidence of bad behavior by MS, failing to consider evil behavior by MS is a clear example of "fool me once, shame on you, fool me twice....". Just because the "evil behavior" is not so obvious yet, doesn't mean that there is not such a motive behind this action.
The real "Libtards" are the Libertarians!
I find it interesting that people here are so outraged at MS installing an extension for third party software, particularly a web browser. Think about how many completely non-Mozilla related products install a Firefox extension - PDF readers, media players, etc. I'll take as an example Adobe Reader, which installs a plugin for in-browser viewing when you install the desktop app (I hate Adobe Reader too, but it's a high-profile example). Firefox is not an Adobe product at all! yet we aren't yelling at that. Additionally, MS already has components installed in FF. Silverlight and the Windows Presentation Foundation are both MS products that are commonly installed in Firefox as plugins, to enable apps that take advantage of Silverlight and .NET browser features to operate in Firefox and friends as well as Internet Explorer. This plugin seems to serve a similar purpose of allowing .NET-powered web apps (which MS wants to be common in the future) to operate in Firefox as well as Internet Explorer. It seems like we should appreciate this move towards interoperability on MS's part - the alternative is only supporting Internet Explorer for web apps.
So it's really nothing abnormal to install an extension in a third party browser. This leaves us with only one issue, the fact that it was distributed via updates to other applications. I refute this as being a major issue for the exact same reason - quite a few programs update/install Firefox extensions as part of their normal update procedure - I raise Foxit Reader as an example, which as of v3.0 automatically installs a Firefox plugin. No one's yelling about that.
A significant question here: If it wasn't Microsoft, would anyone be nearly as angry?
I might be stupid, but that's a risk we're going to have to take.
I've noticed several of these uninstall-proof extensions lately. How about the Mozilla folks tweaking the extension model to allow an uninstall option?
The government can't save you.
A lot of you will hate me for this...
MS doing this is them trying to ensure that Firefox will work with their web apps (or, web apps built with their technology). Now, granted that they are taking liberties they should not. It would be better to just make the plugin easy to get and install. Consider however that they are doing this so their technology will work on a standards-compliant browser. That's not nothing. It IS dysfunctional in a passive-aggressive way (aggressive-passive?). On the other hand MS is trying to make the browsing experience BETTER for people who use .Net with Firefox. I'm not so sure this is a bad thing. maybe poorly executed...but...there's an argument for saying it's not.
Look, if you were running Ubuntu, installed Opera, and automatically got plugins from Synaptic for Opera that added new functionality would you complain?
Then again, the convoluted removal process should be reconsidered.
Microsoft isn't trying to fuck up your web browser, they're enabling ClickOnce functionality via a plugin. You can tell what it's doing because it works exactly as is expected.
Conspiracy theories are not needed here. True, they should have enabled Uninstall, but jumping the gun is absolutely ridiculous.
Fucking up your ACID test via plugin in order to make IE seem better? Are you frakkin' serious? There's absolutely no possible way the community wouldn't notice that, and it'd be a ridiculous waste of time.
If I were Microsoft, I'd fire you for such a terrible idea.
That explains why .NET 3.5 SP1 was tagged as a 'high-priority,' and thus completely automatic and unnotified, install for anyone who allows Automatic Updates self-governance.
It clearly wasn't a security update: I only have .NETs v1 and v2 installed, and yet I still got a notification to install the SP1 update for .NET v3.5! Luckily, I don't automatically trust Microsoft with anything. I told it to ignore the update and never show it to me again.
Basically, MS is once again abusing the high-priority update channel, just like they did with the Genuine Advantage Notification tool. Don't let anyone tell you differently. They are treating machines set to update automatically like a spammer treats his botnet.
--
Toro
The microsoft "helper" plugin cannot be uninstalled like the java or adobe plugins. And since it behaves differently in that respect, I wonder if the .NET "Click-Once" apps trigger all those "security" warning popups like applets do? Maybe this uninstallable characteristic is related to getting around the windows "security" model. If that's the case, then microsoft will be able to call it "a feature".
As in creature feature.
3 things about computers: they're alive, they're self-aware, and they hate your guts.
Given Microsoft's track record with security, I worry:
- Windows user installs Firefox to avoid IE's security flaws. .NET functionality allows websites to host .NET executables.
- Microsoft silently installs a plugin onto Firefox that reports the browser includes
- Hackers discover a way to exploit this.
- Thus, Firefox is now less secure thanks to Microsoft.
"In prison you just have to shut your eyes and take it. Here you have to shut your eyes and give it."
Installing software on my computer -- especially software that is designed to make YOUR software work better, at the possible expense of others -- without my knowledge or consent is UNETHICAL . Period. And deliberately making uninstall difficult? INEXCUSABLE!!!
Shame on MS. They have been through this before and should know better. Bad. Bad. Negative points. Sad, sad negative Karma.
mumble... bitwise oprtator (~) mumble...
Lovely spelling as well, after all its not like every app using GNOME has spell-check now. And on such a detailed subject with no right being brought up in the same post as football, too! Why don't I either start writing my posts in binary or just tap some snipped ethernet wires together to make the binary datagrams/packets myself? Man I really need to get out more...
This is where Microsoft shows its true colors. They believe that as long as you are running Windows, they actually have RIGHTS regarding your desktop and the software you run.
They think they have a right to re-configure the software you use, for their own convenience and profit. That they can install things and you should have no say in the matter.
I am serious. On the corporate level (not most individual employees, I am sure), they really think that way. The evidence is incontrovertible.
Which used to serve them well. But which, in today's environment, is suffering a greater and greater disconnect with reality. I am sure you have noticed this yourself... the most obvious explanation for Microsoft's accelerating loss of market share is simply that they have lost touch with the realities of the market: their users' wants and needs, and, not to make too small a point of it, their business ethics.
I am not surprised at all.
Anybody remember when Windows "Genuine Advantage" validation software was getting slipped in as part of "critical updates" for things like the Microsoft Flash Player patch? It wasn't really that long ago.
You don't seriously expect Microsoft to *not* do these sorts of things on what they consider to be *their* systems, do you?
Here's a look at all the plugins I didn't want and had to disable:
Extensions:
- .NET Framework Assistant 1.0
- Java Quick Starter 1.0
- Microsoft
Plugins:
- Adobe Acrobat
- Java(TM) Platform SE 6 U10
- Java(TM) Platform SE 6 U11
- Java(TM) Platform SE 6 U11 (Yes, again)
- Microsoft(R) DRM
- Microsoft(R) DRM (Yes, again)
- QuickTime Plug-in 7.4.5 (I'll send it to the external player, please)
- RealPlayer Version Plugin (RealAlternative, please)
- RealPlayer(tm) G2 LiveConnet-Enabled Plug-IN (32-bit)
- Windows Media Player Plug-in Dynamic Link Library
So far, that's Sun, Apple, Real, Adobe, and Microsoft messing with my browser without telling me... and only because I'm quite strict with what I install on my system. This isn't Microsoft up to their old tricks, it's just them keeping up with the Joneses, and forcing me to keep up with everyone with an agenda. What else is new?
I do have Silverlight installed, too, but at least the installer for that told me it would work with multiple browsers. Thank goodness the Mozilla people had the fine sense to let people see plugins and extensions, unlike IE6 and friends. Quite a few times I've had to fix someone's computer by hacking out IE extensions from the system registry, and that's not pleasant at all.
there is a doc about that extension, written by M$:
http://msdn.microsoft.com/en-us/library/cc716877.aspx
according to that site, it's present since *July* 2008
As a computer, I find your faith in technology amusing.
(1) Firefox is not a Microsoft application. It is installed at the will and whim of the end-user. And the end-user should have control over what is installed into their Firefox.
(2) Microsoft has every opportunity to give that end user A CHOICE. Yet, typically of Microsoft, they chose not to do so. That was the WRONG decision. And that is how most people view their work machines today: it belongs to me, by damn, and you had better ask me before installing something. As a computer professional, who depends on controlling software versions and so on to guarantee compatibility, this is not an option for me. I insist upon it. Companies that violate that policy are not my friends. They do NOT make my life easier, they make it much more difficult.
(3)They have no right to assume that I want their goddamned "Clickonce" thing to work. Maybe I don't. And in fact, the OP was not about installing it via the web at all, it was about it being installed automatically in the background via SPs and SP updates. This isn't about clicking on a link at all. Please read first before you offer an opinion.
(4) This is NOT about adding a mime-type handler. It is about installing a mime-type handler that some users may not want, secretly, in the background, without asking for permission. And for a BROWSER that isn't even their own product. Not only is this unacceptable to me (because I must always be in control of what is installed on my work machines), it is also typical of Microsoft's arrogant attitude toward their users.
My high-horse is not strictly MS-specific, as you would know if you actually read what I wrote! If any other company did this, I would oppose it just as vehemently. It is just that Microsoft is famous for doing this kind of thing, and here is yet one more example.
Odds are, "ozphx", that I was using Microsoft products professionally before you were out of elementary school. If you don't have a direct counterargument to mine, then please go elsewhere.
Oh... by the way. I agree that including the Google toolbar in Java updates is unethical, too. But at least a choice *IS* offered, and that during a voluntary install. In the case under discussion, it was stated that this software is being added unannounced, as part of an update, without any such option being provided. So there is a bit of a difference.
Echo'ed.
If someone in a suit on the street forced you to wear a band-aid on your shoulder, you'd ask them what was up with them. If someone wanted on the street was "vaccinating" everyone walking by, you'd turn and run the other way.
Firefox is a standards-compliant program that does things via standard API's. MS is going behind Firefox's back and putting stuff in places where Firefox can't write/delete files. You do *NOT* want FF to be able to write/delete all over your system. That is one reason it's safer than IE.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
And so the disabling of the "uninstall" button is totally cool with you?
Not sure which comments you were reading, but the ones I paid attention to were the ones that were ticked about the lack of any sort of notification prior, during or after the install, the lack of an opt-out and the intentional disabling of the uninstall button.
Wasn't there some laws being pushed that made this sort of covert install procedure illegal? Or did MS and Sony get those laws squashed?
What is ClickOnce and why should I be forced to have a plugin to support it? How is it supposed to work? If my browser crashes unexpectedly, how can you be sure it isn't the mysterious plugin that appeared?
I get jumpy when software starts appearing on my laptop that I didn't put there. It screams 'attack vector', especially when it hasn't been vetted by any agency or group I trust.
How does it do its job? What information does it send? Why the FUCK did it feel the need to modify my agent string?
I'm going to dig through firewall logs and see what it sends.
Eh... well not under Extensions, but under Plugins. (I'm looking right at them right now.) Which is where I go to disable them, since they are the Great Satan. Well ok maybe not, but they are annoying. :-D
> The amount of venom/vitriol/nerdrage comments in this story is fucking astounding.
Why, because MS is so benevolent and competent and writes such secure code? No. The reason is because of their high-handed tactics, combined with their propensity for malicious behaviour. And please, forget the old saw about not assuming malice when effing incompetence explains things; the results are the same.
The reaction would've been totally different if MS had promoted this plugin, and made its installation voluntary, and made uninstallation possible without registry hacking. Note that dozens of obscure extensions show up on https://addons.mozilla.org/en-US/firefox/ This is the "official channel" for people who want to enhance their Firefox. The extensions at this site are downloaded voluntarily by end-users who feel a need for them. And these extensions can be uninstalled by the same users who install them. MS merely needed to have asked the Mozilla folks to link to a specific MS webpage from their addons section, and things would've been copacetic.
Instead, MS chose to act like Apple. Remember the flak Apple caught for trying to sneak in Itunes and Safari for people who install/update Quicktime? We happen to be "equal-opportunity-bashers" here. MS acts like Apple, they catch flak like Apple.
Yes, I did RTFA. FFClickOnce makes automated installation of .NET code (the successor to Visual Basic) much easier. Have you ever heard the phrase "drive-by download"??? Many people fled from IE to FF specifically to avoid this very problem. Now MS throws in code that may enable this in FF. No thanks. BTW, there was a plugin for FF that provided ActiveX support for FF (For crying out loud... WHY?). Let's just say I wouldn't want it on my work machine either.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
"You look like you need a car analogy"
This is like sending in your Microsoft car for servicing at Microsoft and having the Microsoft mechanic install an extension to your "Firefox" add-on car radio - which you installed yourself, because you wanted an alternative to the embedded Microsoft Car Radio (which cannot be removed without disabling a large part of the car).
An extension that allows you to listen to the New & Wonderful Microsoft Radio Stations, and all installed without asking your permission first.
Just because you chose to add that extension on your built-in Microsoft Car Radio, does not give them the right to install it on your non-Microsoft Car Radios, WITHOUT YOUR PERMISSION.
After all many of us have the Firefox Car Radio just so that we can avoid listening to the Microsoft Radio Stations by accident or mistake or "Just Because Microsoft thinks it's time for you to". When we want to listen to those stations we use the Microsoft Car Radio.
So far I have managed to install the Java crap on various computers without having the google tool bar installed without my permission - they made it optional and I usually deselect all such options.
MS deserves a bashing for this. They are trespassing and are arguably doing an "unauthorised modification" to your computer system, which is a Computer Crimes offense in many countries.
They'd probably get away by giving the various usual excuses. After all, the Sony bunch got away without being jailed even though they did something worse.
Unauthorized modification of one to a few hundred computers and it's "hacking/vandalism", and if caught you can go to jail.
Unauthorized modification of millions of computers and it's called "useful and allowing firefox adoption".
Try the "Plugins" tab of the Add-on window as opposed to "Extensions". Both Flash and Java are listed and can be disabled.
And this is why my XP system has not been updated in two years now. The PC's working, Microsoft won't support the OS much longer, and Microsoft is known for messy and intrusive changes. Ain't no way I'm letting them near my computer now.
Yes, that means I have dozens of unplugged security holes, but then there are dozens of unplugged holes even after updating - plus the messy changes into the bargain. Ultimately I'm probably safer relying on a NAT router and a virus scanner than on system fixes.
Very poor assumption. I run firefox specifically to avoid making it so easy to install arbitrary code on my machine behind my back. I installed .net because one program I wanted to run (and purposefully installed) required it. As soon as I remember which one that was I'm going to start looking for an alternative, directly as a result of this hijacking in fact I'll be looking carefully for alternatives to ANY .net program, and whenever possible refusing to run .net programs EVEN IF THERE ARE NO ALTERNATIVES WITHOUT IT.
If you want to add an extension to MY copy of firefox, you need to ask my permission and respect my answer, whether it's yes or no. Leveraging their control of the OS to install it without even asking was a criminal attack they should be prosecuted for. (Yes, I know they won't, they're above the law, but if some 15 year old kid had done the same thing we both know he'd be risking gaol for it.) Doing this in such a way as to disable the uninstall button is just adding insult to injury.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
I don't use .NET.
I bet you do.
Got Office 2003 ? Some of that is .NET code. Got Live Messenger ? Ditto. Nvidia or ATI graphics cards ? well, those DEFINITELY need .NET to work properly. Let's not forget all those extra bits of freeware you've also got, some of those will be .NET based as well.
As I understand it, this add-on just alters the useragent to declare that the PC it's running on is .NET capable (i.e. you got at least one version of the .NET framework installed). This is a good thing - as it means MORE sites that have .net extensions or controls will work in FF, meaning you can finally ditch IE completely (in theory).
Yes their installation methods were suspect - but remember MS's major user base is The Doe Family, who can just about turn their PC on and off. Do you really think they know the answer to 'Do you really want to install the .NET Framework Assistant ?' - Of course they won't know what that is, or whether they need it.
Does your mechanic, dentist, doctor, explain to you each and every thing they do to you or your car in intimate detail ? No.
The PC is becoming a closed box appliance. You can't fight this.
And finally, if you distrust MS SO much - why did you have Windows Updates on anyway!?
Together, We Can Make Slashdot Better. I Do NOT Mod ACs. - Check Me Out
Well, obviously Firefox does not obstruct the possibility for some other random application to install a Firefox plug-in as part of the install process.
How does a Firefox user have any assurance that it's a good idea for them to manually install a given plug-in in any case?
As far as I can see, it's just because people "like" Firefox that they choose to believe it's all perfect. It's just like Apple, or Google, or $FlavourOfTheYear
This story is as much about Firefox insecurity as Microsoft surreptitiousness in my opinion.
-- *~()____) This message will self-destruct in 5 seconds...
It isn't. First time you start firefox after the update it tells you about the new add on and you can delete it or disable it on the spot. Before that it will not work. I've got the ms update and was surprised myself (as I only run on demand ms updates, and review before installing, and it did not say it was installing this add on bundled in .not update)
I always understood that any installation that takes place without the user giving some kind of permission was classified as viral behaviour.
www.nodicerpg.com - Some RP stuff for free, some not so for free, but still cheap.
Mozilla should include a Linux OS extension with Firefox then. And install it by default! :D
The .Net Framework Assistant also changes the User-Agent string of the Firefox browser, adding "(.NET CLR 3.5.30729)", so infected sites can better detect which MS vulnerability to exploit.
dpkg -l | grep .NET returns nothing.
Oh, wait...
Ubuntu on primary work desktop since Dapper Drake (2006).
For a fast removal of the .NET Framework Assistant 1.0 from Firefox, save the following text as decrap.reg and run:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"=-
To run this from a command line (like a login script on all your machines):
regedit.exe /s decrap.reg
Feel free to modify and add the strings of any other extensions you want to auto-kill...
Microsoft has also added to the Firefox prefs.js config file, located at C:\Documents and Settings\USERNAME\Application Data\Mozilla\Firefox\Profiles\XXXXXXXX.default, where USERNAME is the user profile and XXXXXXXX is random characters. You will find these entries added to the file:
user_pref("general.useragent.extra.microsoftdotnet", "(.NET CLR 3.5.30729)");
user_pref("microsoft.CLR.clickonce.autolaunch"
You can remove these lines manually after closing all Firefox windows.
You can type about:config in the URL bar, and filter for 'microsoft' if you want to see what the slimeballs have been adding to your browser.
(high posting so you can find this...)
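The two places named in the comment above (the HKLM extensions key and the prefs.js entries) can be audited before anything is deleted. The following Python sketch is an added example, not part of the original comment or of any Microsoft or Mozilla tool; the sample inputs are constructed, and the extension path, the `Other` key and the `true` value for the cut-off autolaunch pref are placeholders.

```python
import re

# Key and pref names come from the comment above. Matching every pref that
# starts with "microsoft." is this example's assumption; it mirrors the
# about:config filter the comment suggests.
EXT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions"
SUSPECT_PREFS = ("general.useragent.extra.microsoftdotnet", "microsoft.")

PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;\s*$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"\s*=\s*(.*)$')


def audit_prefs(text):
    """Return (line_number, name, raw_value) for each suspect user_pref line."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = PREF_RE.match(line)
        if match and match.group(1).startswith(SUSPECT_PREFS):
            hits.append((number, match.group(1), match.group(2)))
    return hits


def strip_prefs(text):
    """Return prefs.js content with the suspect lines dropped, others untouched.

    Write the result back only after all Firefox windows are closed.
    """
    flagged = {number for number, _, _ in audit_prefs(text)}
    lines = text.splitlines(keepends=True)
    return "".join(line for number, line in enumerate(lines, start=1)
                   if number not in flagged)


def machine_wide_extensions(reg_text):
    """Parse `reg export` style text; return {extension_id: data} under EXT_KEY.

    Real exports are UTF-16; decode them before passing the text in.
    """
    found, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Registry key names are case-insensitive.
            in_key = line[1:-1].lower() == EXT_KEY.lower()
        elif in_key:
            match = VALUE_RE.match(line)
            if match:
                found[match.group(1)] = match.group(2)
    return found


def removal_reg(extension_ids):
    """Build a .reg file, in the comment's format, that deletes the given values."""
    lines = ["Windows Registry Editor Version 5.00", "", "[%s]" % EXT_KEY]
    lines += ['"%s"=-' % ext_id for ext_id in extension_ids]
    return "\r\n".join(lines) + "\r\n"


# Constructed sample prefs.js. The autolaunch value is cut off in the comment;
# `true` is a placeholder for this sample only.
SAMPLE_PREFS = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("general.useragent.extra.microsoftdotnet", "(.NET CLR 3.5.30729)");
user_pref("microsoft.CLR.clickonce.autolaunch", true);
user_pref("network.cookie.prefsMigrated", true);
'''

# Constructed sample registry export; the path and the second key are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\\PLACEHOLDER\\extension-dir\\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Other]
"unrelated"="1"
'''

if __name__ == "__main__":
    for number, name, value in audit_prefs(SAMPLE_PREFS):
        print("prefs.js line %d: %s = %s" % (number, name, value))
    ids = sorted(machine_wide_extensions(SAMPLE_REG))
    print("registered machine-wide:", ids)
    print(removal_reg(ids))
```

Reviewing the output of `machine_wide_extensions` before feeding IDs to `removal_reg` keeps the deletion limited to entries that were actually inspected.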
Agreed, what MS is doing is TERRIBLE!
That said, if this was the other way around. Some 3rd party software installing something into / on top of some other software, people would be screaming of security holes and blasting MS or whoever for their shoddy software.
So where are the folks calling out FF for allowing this to happen?
-Mark
Dovie'andi se tovya sagain.