Slashdot Mirror
Microsoft Update Quietly Installs Firefox Extension
hemantm writes "A routine security update for a Microsoft Windows component installed on tens of millions of computers has quietly installed an extra add-on for an untold number of users surfing the Web with Mozilla's Firefox Web browser."
Tools > Add-Ons > Plugins > Disable all Microsoft plugins.. and Adobe Acrobat's, QuickTimes & anythiing else that looks suspicious
...and we've already discussed it here at least once: http://tech.slashdot.org/article.pl?sid=09/02/01/2143218
Ah, finally found the link. Sadly enough, Slashdot's search engine didn't find it but Google's did.
http://tech.slashdot.org/article.pl?sid=09/02/01/2143218
(would have posted sooner, but have to wait 5 minutes between posts)
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
http://www.annoyances.org/exec/show/article08-600
Note that Oracle (nee Sun) is also doing this with a Java extension.
Rich And Stupid is not so bad as Working For Rich And Stupid.
http://blogs.msdn.com/brada/archive/2009/02/27/uninstalling-the-clickonce-support-for-firefox.aspx
Well, Ubuntu users get the Ubuntu Firefox add-on which has actually conflicted and broken other popular add-ons like Tab Mix Plus. I never actually figured out what that add-on even does before I disabled it.
Reviewing just the first hour of video games.
ClickOnce makes it possible to install applications over the web (WoWAceUpdater was an example of this) at the user's demand, it will not automagically download .NET-capable trojans to send back personal information. If you're truly paranoid and wish to disable it, the instructions are pretty simple and can be found by googling.
On that note, Java's JRE does the exact same thing (adds a firefox extension without the using knowing about it, and reports back version).
This isn't an update from Firefox's point of view, it's the installation of an add-on which has not be requested by the user, at the very least, Firefox should prompt the user at the next startup if a new add-on has been installed.
These comments are my personal opinions and do not necessarily reflect the opinions of the other voices in my head.
Adds ClickOnce support and the ability to report installed .NET framework versions to the web server.
I do not like the sound of that nor does Annoyances.org as the article notes. I don't like the idea of sending anything about software on my computer to a web server without me knowing about it.
But do you know what your browser is already sending? Mine is sending this:
"Windows NT 5.1" is Windows XP, and "Gecko" is the HTML/CSS engine used by Firefox, Iceweasel, SeaMonkey, Fennec, etc. Sites can query the versions of various addons that handle an object type, such as Java SE and Flash Player, by embedding such an object. What's so different between querying the .NET Framework version through this add-on and doing so through the Silverlight addon?
In my system I also have the "Java Quick Starter" (from Sun), and I already removed the Skype add-on.
As a Firefox extension developer, I've received several complaints about disappearing toolbar buttons, and the answer is always the same: check for the Skype extension that was installed without your consent, and uninstall it. Plus, navigating the browser history was a lot slower, and removing that add-on solved the problem (the Skype extension will scan the page contents to substitute phone numbers by Skype actions).
This is not limited to Firefox, as this stuff has been happening in Internet Explorer for a long, long time. Still, it would be nice if Firefox would protect its users from non-authorized extensions, warning of what was installed, and providing a easy way to uninstall/disable it.
Speed Dial for Firefox
Just to be precise: windows Me came after windows 98. Those are two different versions.
-- dnl
Apparently, MS released a v1.1 of the plugin, but it can't install if you left 1.0 disabled (like I did). If you re-enable the plugin, then go manually re-download and re-install the hotfix which included this plugin more recently, you will get v1.1 of the plugin, after which, you CAN uninstall it. .net you have installed, so either get it uninstalled, or go check and delete the right entry from general.useragent.extra.* in about:config
Note that disabling the plugin still leaves a string in your user-agent saying what version of
Morphing Software
They aren't 'stealth'ing in an add or nor are they 'disabling' the uninstall button.
The 'uninstall' button is for user specific addons, not system wide add ons. The uninstall button has never worked for system wide addon installations. It is a feature, and a required one if you expect Firefox to actually get anywhere in the business world. This is done by adding a single registry key and can be done for ANY add on, regardless of who makes it or where it is installed.
It serves two purposes. First it allows things to install add ons before the browser is installed so that when you later install Firefox it will be aware of existing items and not require you to jump through hoops to get them to work. Second, it allows administrators and other software packages to install something globally, for all users of the host, without requiring each user to manually install the add on and keep it updated.
I'm sorry that this doesn't fall into your narrow little view of the world, but for the rest of us this sort of thing is a requirement to use Firefox in the business world.
Finally, there is a very simple solution. Don't install software that does things you don't want it to do. You're an idiot if you think there is anything what so ever that Firefox can do to stop this sort of thing. There isn't. Add ons will ALWAYS be able to install themselves with out notifying you, welcome to open source, EVERYONE can see how to do it, thats a feature of open source. There is nothing Mozilla can do to stop it short of releasing a version with some non-OSS component that can be used to prevent it from happening using digital sigs to verify that only allowed add ons are installed or not load them. And as soon as they do that Slashdot will be ranting and raving about freedom to do whatever the hell it wants.
You got your software freedom, you wanted everyone else to have the same access to the software as you do. Great, they do, now you get to deal with the consequences of that.
Its not like user add-ons can't do the EXACT SAME THING. All you need to do is remove write permissions from your own files when you startup and Firefox won't do shit when you tell it to uninstall it except throw an error. Any add on can do that, and Firefox is unlikely to ever 'fix' that problem as its one that Firefox shouldn't be responsible for.
You can fix the problem on your computer yourself to make sure this doesn't happen with some registry permissions in HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla, take away all write/modify access to this key from everyone after you've installed Firefox. Problem solved. That is where various addons for Mozilla software can be installed globally by a system administrator.
As for Firefox removing that feature, go ahead and let that happen. Find out how many IT departments suddenly want even less to do with Firefox. I'm sure they'll love you for having it removed when they have to do something retarded like run a login script to roll out extensions rather than just pushing a registry change via group policy.
The worst part is that this gets modded insightful. This isn't fucking insightful, its ignorant, short sided and shows a complete lack of understanding about whats going on and why.
Whats worse is ignorant dipshit comments like this end up making me fucking defend Microsoft.
Get a clue, then start bashing, people with far more intelligence and understanding of this sort of thing work on it, not you, ever consider there MAY be a reason?
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
When you disable the extension Firefox does not load anything other than its manifest. It doesn't matter WHAT the extension does or how 'deeply the extension hooks into the OS', its not loaded. Your lockups are unrelated to this extension if you have it disabled. The could very well be related to any number of other things that change during patching, but this particular extension is not it.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
I always wondered if they ever thought "If we didn't acquire quick and dirty OS and go with our own". If you look at the quality of their code on Mac and releases in those ages, it is clearly ages ahead of the clone of the clone they acquired.
Remember, they had UNIX license directly from AT&T too and selling it as Xenix. It really looks like they try to code Unix again in a different sense but fail, over and over. Judging from OS X Office releases, they wouldn't be a bad Unix/NeXT coding company either.
There is no way in which this can be implemented that could not be bypassed by a plugin that collusion from the OS (unless you have a TPM, but that just moves the problem one layer down). An update program designed to update the OS could very easily suppress the warning.
I am TheRaven on Soylent News
I think the OP's point is like XP was Windows nt5.1 to Windows 2k's nt5.0 (hint, just an update) and that Windows7 is just an update to Windows Vista, that ME was just an update to Windows 98 osr2.5.
You've got your Windows 9x's confused. Win 95 had an "OSR 2.5" (4.00.950C), Win 98 had "SE" (4.10.2222A).
TFA, which almost nobody bothered to read, links to an MSDN blog (which even acknowledges and links to the previous Slashdot story), which absolutely nobody bothered to read. Because, if the submitter, or the editor, or anyone had bothered to do so, they'd realize what a total non-issue this is: It's already fixed, which is why it works fine for you, drinkypoo.
This blog states that the plugin was initially installed as a system-wide thing. And, with FF, users can't simply remove system-wide things by themselves. Which, of course, makes sense to anyone who has spent more than ten minutes working on a system with proper basic security. They detail a long-winded workaround.
Right. So. Then there's this:
Update (5/2009): We just release an update to .NET Framework 3.5 SP1 that makes the firefox plug in a per-user component. This makes uninstall a LOT cleaner.. none of the steps below are required once this update is installed.
I'd guess that you simply already have this newer version of the .NET package, which includes a Firefox plugin which is installed in a manner more in-keeping with what folks might normally expect, and accordingly can be uninstalled in a manner that folks might normally expect.
Kid-proof tablet..
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=cecc62dc-96a7-4657-af91-6383ba034eab [microsoft.com] .NET Framework 3.5 SP1, the .NET Framework Assistant enables Firefox to use the ClickOnce technology that is included in the .NET Framework. The .NET Framework Assistant is added at the machine-level to enable its functionality for all users on the machine. As a result, the Uninstall button is shown as unavailable in the Firefox Add-ons list because standard users are not permitted to uninstall machine-level components. In this update for .NET Framework 3.5 SP1 and in Windows 7, the .NET Framework Assistant will be installed on a per-user basis. As a result, the Uninstall button will be functional in the Firefox Add-ons list.
This was released on 5/6/2009
Again, seems like a giant over-reaction.
The article was written 5/30/2009.
You'd think the author would take a few seconds before sticking his foot in his mouth, again.