Microsoft Update Quietly Installs Firefox Extension
hemantm writes "A routine security update for a Microsoft Windows component installed on tens of millions of computers has quietly installed an extra add-on for an untold number of users surfing the Web with Mozilla's Firefox Web browser."
What, you think you know better than MICROSOFT what should be on your machine?
The new extension allows Firefox to experience the same rich vulnerabilities that IE users have come to expect!
This is old news. That extension was "added" at least a year ago, I think.
Microsoft .NET Framework Assistant 1.0
Adds ClickOnce support and the ability to report installed .NET framework versions to the web server.
I do not like the sound of that nor does Annoyances.org as the article notes. I don't like the idea of sending anything about software on my computer to a web server without me knowing about it. I really don't like the sound of ClickOnce either! Isn't this the mentality that has gotten IE users in trouble time and time again?!
I don't have a problem with the .NET framework ... as long as we're not heading back to blurring the line between what the browser should have access to (certain user space files) and what the browser inadvertently has access to (.NET libraries right in the kernel).
My work here is dung.
I read about this on Slashdot a couple weeks ago.
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
What ever next!?
I wonder if Mozilla know about this? Probably done with their consent as it can only be a good thing, but what's next? Firefox updates on Windows Update?
The .net-Update has "installed" this Add-On secretly for a few months now, as far as I know. It just got into the "normal" Windows auto-update stream, thus annoying more and more people? Or am I somehow mistaken?
Microsoft trying to take over the world by shady practices? Yeah, right...
"I have never let my schooling interfere with my education." --Mark Twain
Tools > Add-Ons > Plugins > Disable all Microsoft plugins.. and Adobe Acrobat's, QuickTimes & anything else that looks suspicious
"A routine security update for a Microsoft Windows component installed on tens of millions of computers has quietly installed an extra add-on for an untold number of users surfing the Web with Mozilla's Firefox Web browser.
Earlier this year, Microsoft shipped a bundle of updates known as a "service pack" for a programming platform called the Microsoft .NET Framework, which Microsoft and plenty of third-party developers use to run a variety of interactive programs on Windows.
Annoyances.org, which lists various aspects of Windows that are, well, annoying, says "this update adds to Firefox one of the most dangerous vulnerabilities present in all versions of Internet Explorer: the ability for Web sites to easily and quietly install software on your PC.""
*Sigh*
Several companies have pulled this stunt where they stealth in an addon and disable the uninstall button. Firefox makes this too easy and needs to change how it handles addons which are not installed expressly via the user.
If this was part of a "routine security update" then it's getting easier to understand why there are so many unpatched Windows machines out there. Things like this may seem minor but they really erode the trust that must be present in order to allow a vendor to automatically push system updates. It always did amaze me that whenever major worms come out and infect millions of PCs, they do it using vulnerabilities that have already been patched some time ago. I'm wondering how much this lack of trustworthiness has to do with it.
It is a miracle that curiosity survives formal education. - Einstein
The next thing will be Microsoft to automatically update Firefox :-P (even in Linux flavors...)
Until the skies turn blue...
Until the air of freedom strikes us...
Man, this is so unfair to us Ubuntu users
Someone please send me the .xpi
at the same time it was Firefox that quietly allowed it to happen. "I admit that maybe I missed the point", he said as he rushed home to check his Windows machine.
http://www.annoyances.org/exec/show/article08-600
Note that Oracle (nee Sun) is also doing this with a Java extension.
Rich And Stupid is not so bad as Working For Rich And Stupid.
http://blogs.msdn.com/brada/archive/2009/02/27/uninstalling-the-clickonce-support-for-firefox.aspx
I noticed this on a work machine and read about it last week. Instead of trying to manually remove the extension (the Uninstall button is disabled for this one and only extension) I simply disabled it. Starting that same day, the machine (2.3 Ghz dual core Vista with 4 GB RAM) has begun locking up hard when using Firefox. This doesn't happen with IE or any other software. It locked up 5 times on me with Firefox within 1 hour, and has not locked up at all since then, as I have not used Firefox. It is abundantly clear the problem is related to Firefox, and the only thing I did with Firefox was disable the extension and restart.
Has anyone else experienced anything like this after disabling the .NET extension? I'm curious how deeply this extension hooks into the OS and if it is capable of freezing up the entire OS. Firefox, on its own, should not be capable of locking up the entire machine.
Better known as 318230.
Would everyone who voted this old news to the front page kindly line up...thank you.
*SLAP*
*SLAP*
*SLAP*
*SLAP*
(etc...)
Now, don't do it again!
ClickOnce makes it possible to install applications over the web (WoWAceUpdater was an example of this) at the user's demand, it will not automagically download .NET-capable trojans to send back personal information. If you're truly paranoid and wish to disable it, the instructions are pretty simple and can be found by googling.
On that note, Java's JRE does the exact same thing (adds a firefox extension without the user knowing about it, and reports back version).
Adds ClickOnce support and the ability to report installed .NET framework versions to the web server.
I do not like the sound of that nor does Annoyances.org as the article notes. I don't like the idea of sending anything about software on my computer to a web server without me knowing about it.
But do you know what your browser is already sending? Mine is sending this:
"Windows NT 5.1" is Windows XP, and "Gecko" is the HTML/CSS engine used by Firefox, Iceweasel, SeaMonkey, Fennec, etc. Sites can query the versions of various addons that handle an object type, such as Java SE and Flash Player, by embedding such an object. What's so different between querying the .NET Framework version through this add-on and doing so through the Silverlight addon?
From TFA:
Annoyances.org, which lists various aspects of Windows that are, well, annoying, says "this update adds to Firefox one of the most dangerous vulnerabilities present in all versions of Internet Explorer: the ability for Web sites to easily and quietly install software on your PC."
This is unbelievably evil, even for Microsoft. Has Steve Ballmer lost his flippin' mind?
I'm not sure the "Firefox allowed this to happen" argument is a completely valid one here. The people installing the add-on quietly in this case are the same people that make the operating system, and thereby the conditions that Firefox runs on.
We don't know what kind of obscure tricks they used to get this to work on *their own operating system*, obviously they are in control of it and can do pretty much what they want. An application can't offer protection against tampering with the operating system by its creators who have full control over their obscure source code.
Not exactly..
You have to explicitly acquire the JRE and install it, and the first version you install includes the firefox extension, subsequent updates may update functionality you already installed.
It's not like the JRE shipped by default with the OS, and the original version didn't include the firefox extension while subsequent updates bring this new functionality.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
I sure hope they come up with a way to run ActiveX in Firefox, I want seamless integration of my botnet...
Brett
As clearly no one posting here knows anything about it here is some info:
http://msdn.microsoft.com/en-us/library/t71a733d(VS.80).aspx
These are not "web" apps, this is for deploying a client side .NET app, and keeping it updated, it is not a vulnerability.
The fact that microsoft enabled .net support into my firefox simply can't get me upset. I'm just happy that they actually took time to code an addon for their biggest competitor. As long as the addon does something useful, why should I care? Hooray, Thanks M$.
rape.
--Jimmy Carr (iirc)
Don't worry it says it only reports the installed .NET framework versions so websites can decide what version of garbage they can spew to your browser.
After all, we all know here on /. that we can trust that description implicitly given Microsoft's past history of 20 years of good karma, open and friendly practice and just nice old fashioned values.
Gah, I find the mere concept of this nauseating. It further illustrates that even now the idea of a standard web experience across operating systems and browsers is a pipe dream, because nobody codes to the lowest common denominator and the standards are too fragmented.
In my system I also have the "Java Quick Starter" (from Sun), and I already removed the Skype add-on.
As a Firefox extension developer, I've received several complaints about disappearing toolbar buttons, and the answer is always the same: check for the Skype extension that was installed without your consent, and uninstall it. Plus, navigating the browser history was a lot slower, and removing that add-on solved the problem (the Skype extension will scan the page contents to substitute phone numbers by Skype actions).
This is not limited to Firefox, as this stuff has been happening in Internet Explorer for a long, long time. Still, it would be nice if Firefox would protect its users from non-authorized extensions, warning of what was installed, and providing an easy way to uninstall/disable it.
Speed Dial for Firefox
Sun is still an independent company; the sale hasn't been completed yet, AFAIK.
this is the reason why i run on a cracked xp installation, M$ obviously doesn't deserve the consumer base they have, and I sure as hell will not let them fuck up my computer
It's not like the JRE shipped by default with the OS, and the original version didn't include the firefox extension while subsequent updates bring this new functionality.
Yup, we have microsoft to thank for that...
Isn't this the mentality that has gotten IE users in trouble time and time again?!
And now it will get Firefox users in trouble time and time again.
It's a win-win situation for them.
factor 966971: 966971
Ok, just checked since there was an "update", and I was able to uninstall the plug-in via the Firefox Add-On's window. Rabid /.'s can calm down now.
BIG diff: The Java plugin is not to allow silent installs of software. It's a small service to load core Java to make applets start faster.
I've been using Vista for a while now, and my machine is up to date, and yet I don't have this addon.
ClickOnce makes it possible to install applications over the web (WoWAceUpdater was an example of this) at the user's demand
This has been possible since the first EXE file was sent over HTTP. You click once to download the installer, and once the download finishes, you choose Run in the download manager. Why should it be even easier for less-knowledgeable end users to install fake video codecs that include fake antivirus software complete with a fake virus?
I guess this was released nearly a month ago, but here's the update that lets you uninstall it: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=cecc62dc-96a7-4657-af91-6383ba034eab
I'll take this opportunity to just say... http://www.srware.net/en/software_srware_iron.php It's like Chrome, without the Google.
however, who knows what else this does.
There are no .NET libraries in the kernel. It's all user space. Just like Java, .NET runs in a sandbox - web applets cannot touch or see your disk.
This is a dupe.
http://tech.slashdot.org/article.pl?sid=09/02/01/2143218
Even so, it's important to point out the transgressions of companies like Microsoft (SCO, Apple, Google, ...).
This allows an extension to be installed:
- Without notification
- Without the option to "uninstall"
- (apparently, from the article) With the ability to install more things to your PC (which I thought Extensions were forbidden to do, and only Plugins [eg: Flash] could do)
This is clearly a bug in Firefox, and a fix should be released immediately.
I'd think that firstly Firefox should default to considering the extension "unauthorized" and put up a big scary warning like "Unauthorized extension detected: An external program has installed an extension in a manner which bypasses Firefox's normal security features. It is recommended that you click "uninstall" below, unless you are absolutely sure you know what you are doing"
But there's no framework in Firefox (that I am aware of) for such an authorized/unauthorized check to be established. (It would mean defaulting everything except this Microsoft extension to "trusted")
Sounds like a move by Microsoft to say "see! Open source isn't safe! Look what we could do!" once Firefox releases a fix that says "Warning: Unauthorized extension signed by 'Microsoft Corp' detected!"
-- 'The' Lord and Master Bitman On High, Master Of All
What is annoying is that it's installed without warnings or questions asked. The good part may be that it provides (or could provide) some functionality and M$ is finally acknowledging the percentage of Firefox users out there.
But to do that, you have to click twice! That's so old-fashioned...
(1)DOCOMEFROM!2~.2'~#1WHILE:1<-"'?.1$.2'~'"':1/.1$.2'~#0"$#65535'"$"'"'&.1$.2'~'#0$#65535'"$#0'~#32767$#1"
It was nice of the poster to put this up, for those of us who weren't here the first time and don't have several hours to spend digging through the archives...
"Our goal each year should be to increase the number of goals we set for ourselves!"
Opera just won't run anymore for me. "Sure let's graft ourselves to the competition that we know of... and just break everyone who won't let us attach."
How you got modded up as insightful is amazing.
Have you ever taken a look at your User Agent string? It sends your browser and your operating system to the server, and in many cases, it can send extensions that exist in your browser. Examples:
Mozilla/5.001 (windows; U; NT4.0; en-US; rv:1.0) Gecko/25250101
Or my current user agent:
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_7; en-us) AppleWebKit/528.18.1 (KHTML, like Gecko) Version/4.0 Safari/528.17
Unless you're setting your User-Agent to something like, "ImABrowser (Some computer; Some proc; Some OS; Some language)" stop sounding the alarm.
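What a server can read from the User-Agent strings discussed in this thread, as an added example that is not part of any comment here: the sketch below splits a User-Agent into product tokens and comment fields, pulls out any `.NET CLR` versions, and diffs two strings to show what an add-on appended. The two Firefox strings are constructed samples and the function names are illustrative.

```python
import re

# Constructed samples (not captured from a real machine): a Firefox 3.0-era
# User-Agent before and after the ".NET CLR" token the thread says the
# .NET Framework Assistant appends.
UA_FIREFOX_BEFORE = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; "
                     "rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10")
UA_FIREFOX_AFTER = UA_FIREFOX_BEFORE + " (.NET CLR 3.5.30729)"

# User-Agent quoted in the comment above.
UA_SAFARI = ("Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_7; en-us) "
             "AppleWebKit/528.18.1 (KHTML, like Gecko) Version/4.0 "
             "Safari/528.17")

# Either a parenthesised comment or a bare product token.
_TOKEN = re.compile(r"\(([^()]*)\)|([^\s()]+)")
_DOTNET = re.compile(r"^\.NET CLR (\d+(?:\.\d+)*)$")


def parse_user_agent(ua):
    """Return (products, comments).

    products: list of (name, version) tuples such as ("Firefox", "3.0.10").
    comments: list of lists, one per parenthesised group, split on ';'.
    """
    products, comments = [], []
    for match in _TOKEN.finditer(ua):
        if match.group(1) is not None:
            fields = [f.strip() for f in match.group(1).split(";")]
            comments.append([f for f in fields if f])
        else:
            name, _, version = match.group(2).partition("/")
            products.append((name, version))
    return products, comments


def flatten(ua):
    """All individual tokens a server sees, products first, then comments."""
    products, comments = parse_user_agent(ua)
    tokens = [f"{n}/{v}" if v else n for n, v in products]
    tokens += [field for group in comments for field in group]
    return tokens


def disclosed_dotnet_versions(ua):
    """Every .NET CLR version advertised in the User-Agent's comments."""
    _, comments = parse_user_agent(ua)
    versions = []
    for group in comments:
        for field in group:
            hit = _DOTNET.match(field)
            if hit:
                versions.append(hit.group(1))
    return versions


def added_tokens(before, after):
    """Tokens present in `after` but not in `before`.

    Useful for checking what an update changed: record the browser's
    User-Agent before patching and compare it afterwards.
    """
    seen = set(flatten(before))
    return [t for t in flatten(after) if t not in seen]


if __name__ == "__main__":
    print("Safari tokens:", flatten(UA_SAFARI))
    print(".NET versions disclosed:",
          disclosed_dotnet_versions(UA_FIREFOX_AFTER))
    print("Added by the update:",
          added_tokens(UA_FIREFOX_BEFORE, UA_FIREFOX_AFTER))
```
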
Funny is, the real thing they stole the feature (Sun Java) does it very happily without having anything installed to "extensions" or "plugins". Java Webstart. Of course, it is ages ahead of the copier too.
Understand why Apple carefully picks the term "Photocopier" when talks about Redmond? They can't/don't make the exact copy, it is always backwards compared to the real thing just like photocopy.
There is something called "file types" on all operating systems down to Symbian on handhelds. You register filetype with helper app and expect browser to pick it from that database. It works on my Symbian S60 128MB RAM having handset :)
I'm Running Firefox on the Windows 7 RC, and v 1.1 of the Microsoft .NET Framework Assistant has the "Uninstall" button enabled. Looks like this was an old-news thing that's been fixed.
I applaud Microsoft for their work in Vista & Windows 7 in separating userspace from kernelspace
Hahahaha .. oh .. hahahaha .. oh oh .. wait .. mwaaahahahaha. The bestest clueless comment I have read in a very long time. Congrats, dude. Well done. Pishi eshe.
Same article with same title a while back. You should also add "Quicktime Quietly Installs Firefox Extension" or "Adobe Quietly Installs Firefox Extension"
-- if you mod me down, I will become more powerful than you can possibly imagine
i had "windows presentation foundation" installed too, with no details at all what it did or any obvious way of deleting it
eventually i navigated to
C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation
and deleted everything in it and it was all gone
Mozilla needs to put a stop to this being possible and at least advise the user on the info screen what DLL is responsible and a way to forcibly remove it
Err what? That's like saying JAR files right in the kernel, complete bollocks. The .NET CLR runs in ring 3 like any other user program, and loads libraries once it runs.
There people go marginalizing Opera again and not giving us those fancy plugins that garbage up the system leaving us with our small compact browser just as pristine as its always been.
While I emphatically disagree with the practice of slipping a modification for a separate program in with other updates, rather than being explicitly separated out and accepted in the clear, your bit about
It's not like the JRE shipped by default with the OS, and the original version didn't include the firefox extension while subsequent updates bring this new functionality.
is misleading. Of course JRE doesn't ship with the OS. It doesn't ship with any OS. It's a product made by a company separate from the OS's manufacturer. It's like bitching about a .pdf reader not coming with the OS, and when you go get it, it plugs in to your browser to read .pdfs in the browser window, but the .jpg viewer that came with the OS gains .pdf support through a later update, and causes .pdf links in your browser to open in it instead after you install the update. Would it have been nice to know about this before it was installed? Yeah. Can you turn the feature off? Yes. Can you remove it? Yeah, but it takes mucking about in shit you'd rather not. All this is is an update to the OS that was unadvertised. Take it in stride, and just disable it.
Canada: The US's more awesome sibling.
Another populist slashdotter AC plays the old game and wins.
What really makes Adobe Acrobat reader and Quicktime "suspicious"? Having MPEG1/3/4/PDF embedding functionality along with the TIFF coming with legitimately installed software plugin coming from legitimate companies is suspicious how?
You forgot Realplayer btw, it would give your little AC post +10 informative. Guess what, WE KNOW how to disable or rm plugins. It is the ultimate unethical method of MS we argue about. The nature of company and things they are capable of doing is another matter too. Adobe/Apple won't say "lets crash that stupid little browser", they won't deliberately do it but MS is certainly capable of doing such stuff. How do I know? Look to US Court documents.
Has Steve Ballmer lost his flippin' mind?
Objection: Assumes organs not yet entered into evidence.
The .NET libraries are not built-in to the kernel.
In addition, they are not installed by default in Windows XP. A user must either download them from the Microsoft Download Center or choose them as an optional update in Windows Update. Windows Vista includes versions up to .NET 3.0 because some operating system components rely on the framework. The update in question is an automatic update in Windows Vista.
...If you're not already using a FOSS operating system, (Linux or FreeBSD) you probably should be.
Microsoft bet on people not wanting to exercise personal responsibility; that is how they make their money. Windows makes life easier for you by providing you with a scenario where you don't need to take a month or so of your time to customise an open source operating system in order for it to be exactly the way you want it.
However, understand that like with anything else, an exchange is happening here. You want them to provide you with convenience, to make it easy for you, and to basically do pretty much everything for you. They therefore have every right (because you've given it to them) to screw you in whatever manner they feel like. If you uncompromisingly, unthinkingly give them responsibility for your welfare, don't be surprised when they do something which isn't in your best interests.
You can't have it both ways. You can't buy a fast food operating system and relinquish responsibility to a corporation in that manner on the one hand, and then expect it is going to be entirely and exclusively beneficial to you on the other.
It is a law of the universe; there is no free lunch, and in one way or another, you pay for everything.
Maybe now Firefox will now run in "IE" compatibility mode so I can "correct" all my CSS 2.0 compliant code to render correctly on Redmond's browser.
Seems MS didn't factor in the beta releases of Firefox. To get rid of it on 3.5B4, uninstall works from the add-ons window.
Funny how broken compatibility makes it work like it's supposed to.
Frink: Nice try floyd, but you were designed for scrubbing, and scrubbing is what you shall do.
I'm grinding and gnashing my teeth, but not for the reasons everyone else is.
OK, I hate to defend Microsoft, but they absolutely stated this Firefox extension was to be installed in the release notes for the patch; http://www.microsoft.com/downloads/details.aspx?FamilyID=CECC62DC-96A7-4657-AF91-6383BA034EAB&displaylang=en
Also, as I recall this patch was one of those ones that requires you to click "Agree" or somesuch before installation despite setting to automatically download and install updates.
All of this crap occurs because people don't bother to read release notes any more. They would rather someone else take responsibility for their machines. Well you know what? Microsoft does just that, on a requested and as-needed basis. If you'd rather manage your own patches, then damn it... do it. But do it properly; read the bloody release notes so you know what's going on your machine. If you would rather Microsoft take that responsibility for your machine from you, then do that... but don't bitch when they do something you don't expect because you asked them to just take care of it for you.
Now, I'm not saying there's not other issues at play here; like installing a patch into a competing product and the potential ethical concerns therein... but can this not be construed as (a) a tacit approval of Firefox as a "valid" third-party browser and (b) an attempt to ensure that the user who requested that Microsoft take charge of their experience get the best experience possible?
OK, I will say before I get lynched that I don't really like this too much, myself... I don't much appreciate when people do stuff to my machines that I don't like... but I also accept that this is inevitable. If you turn ANY part of your systems management over to a third party, sometimes they're going to do things that you disagree with. This is only even vaguely newsworthy because it doesn't happen that often. At least, not as often as it could.
If you really don't like it, disable it. And if you don't want this happening again, then start doing your patching the old fashioned way; by downloading the patches by hand and installing them. But don't start crying when they do something unexpected because you didn't read the agreement you agreed to, or read the release notes to understand what the patch is doing.
This is NOT a failure of Microsoft OR Firefox. This is a failure of the user community who would rather hand off their systems management to a third party, and the "advanced" user community who just blindly install patches and updates with no attempt to research the implications of said update.
Me? I'm primarily a Mac and Gentoo user... and yes, I understand that on my Mac I'll get updates from Apple that do much the same stuff as this... but I also read the release notes that are handily downloaded with the patches... that way I know what to expect. With Gentoo, I do the same. I use Windows at work, and manage a large network of systems... and yes, this patch was deployed to my client base... and yes, the Firefox users have the .NET plugin... and yes, they can disable it if they like. In our regression testing, the plugin appeared to have little to no impact on the client system other than adding yet another add on to the list.
Understand why Apple carefully picks the term "Photocopier" when talks about Redmond?
Cos they realize calling it a Xerox machine goes into all sortsa places Apple doesn't want to go. : p
This guy's the limit!
"Windows 7 isn't done until Firefox won't run."
Knowledge is power. Knowledge shared is power multiplied.
just quietly disabled it.
Don't kid yourself. It's the size of the regexp AND how you use it that counts.
From TFA-
ZOMG!!! Teh Registrzor!!! U kan op3n whole in Teh Spaze Thyme Continual!!!
Won't someone think of the chidrens?
You can always upgrade to Windows Mojave.
As much as people hate MS, is this really any different from a Linux distribution releasing patches specific to that distribution? Would we complain then?
While I emphatically disagree with the practice of slipping a modification for a separate program in with other updates, rather than being explicitly separated out and accepted in the clear, your bit about
It's not like the JRE shipped by default with the OS, and the original version didn't include the firefox extension while subsequent updates bring this new functionality.
is misleading.
The plugin offers access to the java api. If you don't update the plugin too, it stops working ;) So Sun has the choice of catering to people like you, and having broken java browser plugins all over the place, or updating the plugin with the jre and having it keep working, though admittedly, client side java is pretty broken even when it "works". It's likely that even if they gave you the choice of updating jre separate from the plugin, you wouldn't notice that it was broken due to your simplex mode of excluding everything but core functionality during updates, since a lot of the time, java updates break existing applets anyway.
Admittedly, if I were in charge at Sun, I'd do the same thing. Client side java barely works as it is. You really don't need your browser plugin to be out of sync with the rest of the jvm on zillions of clients and add to the mess.
To use your .pdf support analogy, would you rather that Adobe give you the option to only update Acrobat Reader, if not updating the plugin broke it? This analogy actually works with java, since the Adobe browser plugin is pretty hopelessly sucky too.
-Viz
Don't kid yourself. It's the size of the regexp AND how you use it that counts.
After 25 years of working for/with/against Microsoft Windows. I just had enough.
Isn't that a distinction without a difference to most users?
I'd wager that in nearly every case where a user installs the java VM themselves, it's because they tried to install/run an app that required it and were told that they needed the Runtime, with a link to download or include as part of the current install process.
And I'd wager that in nearly all of those instances, the user has at best a cursory idea of what the Java VM is.
The fact is.. all this is doing is adding 50 bytes to your 500 byte UserAgent string, and supporting ClickOnce which is a distribution method identical to that used by Java and very similar to what's now used in Adobe Air.
This is clearly a bug in Firefox, and a fix should be released immediately. I'd think that firstly Firefox should default to considering the extension "unauthorized" and put up a big scary warning like "Unauthorized extension detected:
None of this is technically possible. Windows update runs with administrative privileges, and there is nothing firefox, or any application can stop it from doing. Firefox could make it harder for microsoft to add an addon, but it would basically be some kind of drm-style security-by-obscurity race against reverse engineering. This is a social, not a technical problem.
To save you all the trouble of reading the previous Slashdot discussion, I have summarized it below.
What does this Firefox extension do?
1.) It installs a BHO (Browser Helper Object)
2.) The .Net Framework Assistant also changes the User-Agent string of the Firefox browser, adding "(.NET CLR 3.5.30729)"
A Browser Helper Object (BHO) is a DLL module designed as a plugin for Microsoft's Internet Explorer web browser to provide added functionality.
"BHO can be used to install additional features or functions that are useful, it can also be exploited to install features or functions that are malicious. Some applications, such as the Google or Yahoo toolbars, are examples of good BHO's. But, there are also many examples of BHO's which are used to hijack your Web browser home page, spy on your Internet activities and other malicious actions."
The author on this site goes on to say: "If you are really concerned about bad BHO's and their affect on the overall security of your computer, you can just switch browsers. BHO's are unique to Microsoft's Internet Explorer and do not impact other Web browser applications such as Firefox."
Now that Microsoft has infected Firefox with this extension, his advice in the line above is obsolete!
The following phrases were copied and pasted wholesale, directly from the previous Slashdot discussion without attribution (except in one case where I copied the entire text of one submitter's comment).
The .Net Framework Assistant also changes the User-Agent string of the Firefox browser, adding "(.NET CLR 3.5.30729)", so infected sites can better detect which MS vulnerability to exploit.
The .NET framework is not required for Firefox to run. Why would any sane person assume installing a totally unrelated framework would scribble all over Firefox?
It most definitely IS unexpected, because I was never notified anywhere that a MICROSOFT update would entail installing an addon to a completely NON-Microsoft product.
How are they allowed to get away with this? Isn't installing BHOs that are not asked for and cannot be uninstalled without hacking pretty much the definition of malware?
Microsoft modified *another company's products*. What's next? MS is going to start adding updates to VLC player or Utorrent or OpenOffice or WordPerfect?!?!? They shouldn't be messing with non-microsoft products.
Microsoft is doing this in an update without notifying its users (as far as has been reported) that this update will be modifying third party software with no easy way to prevent or uninstall the change.
The true question here is not how to uninstall it. The question everyone should be asking is: is it messing with other settings in firefox, reporting back to MS what other extensions I use, monitoring my web traffic, going to break my browser, new security holes?
Ok Microsoft, you are making automatic changes to software written by other companies without permission or request of the user. I don't care if you say it's just an extension, you didn't ask me!
The precedent has already been established that the OS can be configured to require the local administrator to give explicit permission for each patch to be applied; the outrage here is that this time, that choice was not offered, and the affected software was neither part of the operating system nor even a Microsoft product.
For those of you who are assuming it's probably safe (and admittedly, you're probably right), there's another good reason to get rid of it. Microsoft changing your browser string to indicate that this piece of software is installed in your browser. The purpose of this, most likely, is to increase the installed base for this software, and use that as an argument
1) Send Mozilla Firefox team a cake .NET add-on through Windows Updates
2) Quietly install
3) *classified*
4) Profit!
It is pitch black. You are likely to be eaten by a grue.
Wow. As an attorney, if I worked for Microsoft I'm not sure I could make that argument with a straight face. I can imagine the judge either growing redder by the moment, or breaking down into hysterical laughter.
I'm just thinking that if this update is making Registry changes, then the plug-in is Windows-only, and it means that Firefox users on Windows will now have a different browsing experience than Firefox users of other platforms.
So, the plug-in accomplishes two things for Microsoft: 1) it promotes the .NET platform to a wider audience, and 2) it promotes Windows as being the superior OS to run Firefox in.
It's a win-win scenario for Microsoft. Firefox can continue to gain marketshare, but Microsoft will have their tentacles in it, making sure that the adoption of Firefox does not lead to a platform-agnostic world. And it rewards the .NET developers for investing in Microsoft-only technologies.
I think you nailed it. Microsoft has accepted Firefox as a standard and it is dealing with this problem the usual way.
I would not be surprised if next thing they are going to distribute Silverlight for Firefox in a similar fashion.
What is this nonsense? No part of .NET runs in kernel mode.
Lots of other things do though, like windowing and graphics. Are you saying the browser shouldn't be allowed to display a window or draw any graphics because that calls into kernel mode?
This is such bullshit. In reality it's completely irrelevant whether something is running in kernel mode or not, or if it's running as an administrator or a standard user. A program needs no special rights to steal all your files and personal data, access the internet, make itself automatically start, or make you part of a botnet. All this can be done as a standard user.
This is unethical in my humble opinion but hey this is Microsoft. All things are lawful but not all things are advantageous!
On that matter, SJobs was really right. Xerox can come up with the coolest thing ever invented which happens every time and yet can't sell it. I mean we are lucky they stole... err acquired engineering teams :)
Just install Firefox 3b4, the add on is not compatible :-), although Firefox 3 is really slow
And of course this is a short-term solution.
The difference is that ClickOnce doesn't install it the same way regular setups work. I'm too lazy to link the details (you are as well, so why would I give a shit?), but it's something about .NET, auto-updates and the like. Just look it up.
Hey people. We hashed this one out back in February.
The blogosphere's just been celebrating Groundhog Day for the past 4 months, I guess.
We are the 198 proof..
your bit about
It's not like the JRE shipped by default with the OS, and the original version didn't include the firefox extension while subsequent updates bring this new functionality.
is misleading. Of course JRE doesn't ship with the OS. It doesn't ship with any OS. It's a product made by a company separate from the OS's manufacturer. It's like bitching about a .pdf reader not coming with the OS, and when you go get it, it plugs in to your browser to read .pdfs in the browser window, but the .jpg viewer that came with the OS gains .pdf support through a later update, and causes .pdf links in your browser to open in it instead after you install the update.
I think that was his point. Comparing Java JRE to this Firefox add-on isn't accurate, BECAUSE Java is a totally separate program you go out and deliberately get, and then install, and it happens to install an add-on to your browser (and IIRC tells you so in the install wizard). OTOH, the .NET add-on is being installed by a security update to the OS, without notifying you that they're changing functionality in a separate program.
Don't you wish your girlfriend was a geek like me?
It is a law of the universe; there is no free lunch, and in one way or another, you pay for everything.
Funny. I thought that paying Microsoft a lot of money for their product was the cost of the "lunch". Just because they can screw people doesn't mean that they are on any sort of moral high ground when they do. Not everybody is adept at reading and understanding the fine print like some of us happen to be. I can't stand the argument that we have nobody to blame but ourselves in a society where it is impossible for any one person to learn all the trades and skills necessary to function today. I don't know how to fix a car engine or perform surgeries, so I have to rely on others to do their jobs responsibly, and I'll be damned if I'm going to be made to feel guilty for not being a mechanic or a surgeon. Nor will I ever say that being raped is your own fault if you can't be bothered to learn martial arts or carry a gun. There is a reasonable expectation of decency from others in our society, and when that expectation is violated, there should be penalties.
I'm not seeing nearly enough penalties dished out these days. I almost wish I'd taken up law enforcement so I could prosecute top-flight political assholes. Because we certainly don't have a V or a Batman looking out for us.
-FL
The difference is that ClickOnce doesn't install it the same way regular setups work.
I've looked it up on MSDN: it's more like Java Web Start. Your app runs in a sandbox and gets only "Internet zone" privileges unless the user grants more privileges. It's unclear from the MSDN page whether an Authenticode digital signature from a trusted CA is absolutely required to prompt the user for elevation; if so, it'll be difficult for free software developers to use this deployment method without having to pay $200 per year to a CA for the privilege of updating his app.
I trust any random non-porn, non-cracking website more than Microsoft. This is a no-brainer: They're a monopoly and I KNOW they're out to get me.
I use two different OS's that both ship with a JRE by default, and I don't understand why that would keep them from integrating with additional software I install, or providing plug-ins after I've installed said 3rd party software.
What harm or discomfort do these extensions cause?
Crybabies.
Well I just wanted to tell everyone that every house I've lived in has had a light switch that does nothing, so I thought I would add one to your ceiling. Don't worry, it will be out of the way.
Does it hurt anything? No, does it piss you the hell off to know there is a light switch on your ceiling now for no reason and you didn't ask to have it put there? You're damn right.
Does NoScript prevent .NET applets from running unless I explicitly trust the site? If so, then no big deal as I would have gladly downloaded this functionality separately had I known it existed (which is what I have to do with Java on all my Windows boxes).
You also might notice that both Silverlight 2 and Office 2007 add plugins to Firefox, again behavior that is congruent with at least Adobe Acrobat and Flash. And - happy day - their execution is controlled by NoScript, so I don't mind that at all.
If anything, I'm glad to see Microsoft supporting alternative browsers. I'm almost certain that these efforts are driven by anti-trust judgements against them in a number of different jurisdictions, but that's fine with me, too.
I'm proud of my Northern Tibetian Heritage
Microsoft rely on the average user being kept dumb. The more the user knows about day to day computing, the more they can make the decisions Microsoft make on their behalf because they understand them, at least on a basic level. Other OS's find ways to get decent defaults but do ask the users for confirmation on stuff, with help options available; taking the approach of trying to educate the user to some degree and giving them control. We have a LONG way to go before this is working perfectly, but at least some are trying.
This may be the wine talking on a Monday night, but the average user, both Mac and PC, IS dumb!
I have met many users with Mac systems- some are smart and know what's going on, but the majority are dumb, and cannot use their Mac any better than they could use a PC.
At least MS is trying to protect their dummies, although I (as a somewhat tech-savvy user) don't like the "ARE YOU SURE YOU WANT TO DO THIS?"
But it's the price we have to pay for popularity.
Sorry, you Mac "non-dummies".
.
- aqk
F U
So am I the only one to remember this piece of news from February?
http://tech.slashdot.org/story/09/02/01/2143218/Microsoft-Update-Slips-In-a-Firefox-Extension
In other news, Microsoft fucking its users.
What company's software did Microsoft illegally install changes to?
Firefox is a company? I thought it was supposed to be a _system_ web-browser -- designed to work with a user's web sites? If a user wants to use MS based utils and wants to install plug-ins to THEIR web browser, then shouldn't they have that right?
Er...so tell me again, what company's software did Microsoft illegally make changes to?
Doofus!
P.s. I hate various aspects of MS as much as the next Linux/unix/open-source/XP diehard -Vista DRM-hating, Win-7 = Vista-II with minor performance enhancements (but never benched against XP3) & likely to be included, enhanced, end-user management for law-enforcement similar to what's required on cell-phones (universal tracking, remote turn-on, remote activation, silent listening with a conference-phone microphone) -- but has yet to come to a PC near you. Everything Vista was for Hollywood & Content Producers, is the next evil place for MS to go with Windows...add remote capabilities for arbitrary 'law enforcement' to remotely control PC's that are off or behind firewalls and get capabilities remotely in league with the black market botnet masters...
They'll have to do it to protect the children! Child-pr0n is stored steganographically across millions of home computers! Of course the owners of all those computers are aiding, abetting and guilty of conspiracy -- thus able to be prosecuted and given the sentences of the maximums of the worst offender in each category. Given enough time, and the walls we build to keep our borders 'safe' will be repurposed to keep "us" in.
Idjot! :-)
Mozilla should release an immediate update that simply ignores the registry entry and prompts the user whether they want an additional security hole installed.
Maybe Firefox could silently filter Automatic Update installations to make sure they never install extensions again?
This same thing was reported here after the last big update release. Guess I'll wait, for my own entertainment, and see if it's reported again after the next Vista update package.
Haven't they learned, they should be brought to court already over this. I do not want any add-ons for firefox when I do a M$ update. I choose my firefox addons, not M$, and who is to say what that new addon really does, and once it's been installed, maybe there is something in the addon, that will never leave the registry or the PC, maybe it might be microsoft, trying their hand at a firefox logger
trying to log all firefox activity to see why FF is now the preferred client, hell......now I guess I have no choice but to get Lynx!
Thanks M$, I would not have made my next move without this one....Lynx...pure security!
This is old news.
"RealPlayer Browser Record Plugin" - hard to say how it came, but it has its uninstall button disabled, complains about not being compatible with FF 3-something and this won't resolve by any standard update way.
OTOH, the .NET add-on is being installed by a security update to the OS, without notifying you that they're changing functionality in a separate program.
No, it's not.
It's a security update to .NET, which you have already made an explicit choice to install on your machine.
It's also been out for like a year.
It's also (ClickOnce support in FF) something that there is HUGE demand for, and has been for years.
Funny is, the real thing they stole the feature (Sun Java) does it very happily without having anything installed to "extensions" or "plugins". Java Webstart. Of course, it is ages ahead of the copier too.
Don't you just love it when people get self-righteous about something that they're dead wrong about?
The reality is that the JRE DOES use a plugin.
In fact, if you took 8 seconds to look in the plugins of your FF, you'd see that Java did install one (or probably more) plugins to work within FF.
There is something called "file types" on all operating systems down to Symbian on handhelds. You register filetype with helper app and expect browser to pick it from that database. It works on my Symbian S60 128MB RAM having handset :)
No, it doesn't. What you're describing is how the OS Shell handles what applications to launch with what file types.
Having browsers very explicitly NOT do that was a major step forward in security, done many many years ago.
Message from Microsoft to Linux fans who run Firefox: And for your continuing enjoyment of our products on your PC, our next contributed Firefox Extension will automatically download and install MS Windows on your PC, delete Linux and then debit your credit card for the cost of a copy of Windows. How did we get to know your credit card number? -- oops that was because of a previous clandestine install of a Firefox extension that we wrote ourselves. Who says Microsoft does not encourage inter-platform connectivity?