Slashdot Mirror
Microsoft Update Quietly Installs Firefox Extension
hemantm writes "A routine security update for a Microsoft Windows component installed on tens of millions of computers has quietly installed an extra add-on for an untold number of users surfing the Web with Mozilla's Firefox Web browser."
this is old news.. That extension was "added" at least a year ago i think..
Microsoft .NET Framework Assistant 1.0 .NET framework versions to the web server.
Adds ClickOnce support and the ability to report installed
I do not like the sound of that nor does Annoyances.org as the article notes. I don't like the idea of sending anything about software on my computer to a web server without me knowing about it. I really don't like the sound of ClickOnce either! Isn't this the mentality that has gotten IE users in trouble time and time again?!
.NET framework ... as long as we're not heading back to blurring the line between what the browser should have access to (certain user space files) and what the browser inadvertently has access to (.NET libraries right in the kernel).
I don't have a problem with the
My work here is dung.
Several companies have pulled this stunt where they stealh in an addon and disable the uninstall button. Firefox makes this too easy and needs to change how it handles addons which are not installed expressly via the user.
If this was part of a "routine security update" then it's getting easier to understand why there are so many unpatched Windows machines out there. Things like this may seem minor but they really erode the trust that must be present in order to allow a vendor to automatically push system updates. It always did amaze me that whenever major worms come out and infect millions of PCs, they do it using vulnerabilities that have already been patched some time ago. I'm wondering how much this lack of trustworthiness has to do with it.
It is a miracle that curiosity survives formal education. - Einstein
Not exactly..
You have to explicitly acquire the JRE and install it, and the first version you install includes the firefox extension, subsequent updates may update functionality you already installed.
It's not like the JRE shipped by default with the OS, and the original version didn't include the firefox extension while subsequent updates bring this new functionality.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Firefox, on its own, should not be capable of locking up the entire machine.
you must be new to Windows
The fact that microsoft enabled .net support into my firefox simply can't get my upset. I'm just happy that they actually took time to code an addon for their biggest competitor. As long as the addon does something useful, why should I care? Horray, Thanks M$.
Ok, just checked since there was an "update", and I was able to uninstall the plug-in via the Firefox Add-On's window. Rabid /.'s can calm down now.
Firefox is a competitor to Microsoft. Automatically installing extensions to your competitor's products really is an innovative idea. I wonder if Microsoft has a patent on this?
This could be misused, though.
How about Microsoft not taking liberties with my computer and installing spyware in the first place? Why should one NEED to "do a little research" in the first place, you god damned apologist retard?
This allows an extension to be installed:
- Without notification
- Without the option to "uninstall"
- (apparently, from the article) With the ability to install more things to your PC (which I thought Extensions were forbidden to do, and only Plugins [eg: Flash] could do)
This is clearly a bug in Firefox, and a fix should be released immediately.
I'd think that firstly Firefox should default to considering the extension "unauthorized" and put up a big scary warning like "Unauthorized extension detected: An external program has installed an extension in a manner which bypasses Firefox's normal security features. It is recommended that you click "uninstall" below, unless you are absolutely sure you know what you are doing"
But there's no framework in Firefox (that I am aware of) for such an authorized/unauthorized check to be established. (It would mean defaulting everything except this Microsoft extension to "trusted")
Sounds like a move by Microsoft to say "see! Open source isn't safe! Look what we could do!" once Firefox releases a fix that says "Warning: Unauthorized extension signed by 'Microsoft Corp' detected!"
-- 'The' Lord and Master Bitman On High, Master Of All
What is annoying is that it's installed without warnings or questions asked. The good part may be that it provides (or could provide) some functionality and M$ is finally acknowledging the percentage of Firefox users out there.
It's not YOUR PC though, the hardware is but Microsoft own the copy of Windows running on it, you only own a license to use Windows under their terms and conditions. Under those terms Microsoft can do whatever they want with the consent of the owners.....which is themselves.
How about being able to trust that when MS installs ".Net Framework 3.5 SP1" it's a service pack to the framework that I use for development and execution of applications, without having to worry that they might bundle something else in with that update, completely unrelated to what they tell me they install?
i had "windows presentation foundation" installed too, with no details at all what it did or any obvious way of deleting it
eventually i navigated to
C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation
and deleted everything in it and it was all gone
Mozilla needs to put a stop to this being possible and at least advise the user on the info screen what DLL is responsible and a way to forcibly remove it
Then this is a problem with Firefox, not IE, that it let's plugins be installed without user intervention. At the least it should warn upon next start that "Blah has been installed, do you want to enable it?"
The Internet Book Database
They sure have patent on breaking other people's SW interacting with their SW
Yeah, but it has to have expired by now... "DOS isn't done until Lotus won't run".
Fascism starts when the efficiency of the government becomes more important than the rights of the people.
...If you're not already using a FOSS operating system, (Linux or FreeBSD) you probably should be.
Microsoft bet on people not wanting to exercise personal responsibility; that is how they make their money. Windows makes life easier for you by providing you with a scenario where you don't need to take a month or so of your time to customise an open source operating system in order for it to be exactly the way you want it.
However, understand that like with anything else, an exchange is happening here. You want them to provide you with convenience, to make it easy for you, and to basically do pretty much everything for you. They therefore have every right (because you've given it to them) to screw you in whatever manner they feel like. If you uncompromisingly, unthinkingly give them responsibility for your welfare, don't be surprised when they do something which isn't in your best interests.
You can't have it both ways. You can't buy a fast food operating system and relinquish responsibility to a corporation in that manner on the one hand, and then expect it is going to be entirely and exclusively beneficial to you on the other.
It is a law of the universe; there is no free lunch, and in one way or another, you pay for everything.
I'm grinding and gnashing my teeth, but not for the reasons everyone else is.
OK, I hate to defend Microsoft, but they absolutely stated this Firefox extension was to be installed in the release notes for the patch; http://www.microsoft.com/downloads/details.aspx?FamilyID=CECC62DC-96A7-4657-AF91-6383BA034EAB&displaylang=en
Also, as I recall this patch was one of those ones that requires you to click "Agree" or somesuch before installation despite setting to automatically download and install updates.
All of this crap occurs because people don't bother to read release notes any more. They would rather someone else take responsibility for their machines. Well you know what? Microsoft does just that, on a requested and as-needed basis. If you'd rather manage your own patches, then damn it... do it. But do it properly; read the bloody release notes so you know what's going on your machine. If you would rather Microsoft take that responsibility for your machine from you, then do that... but don't bitch when they do something you don't expect because you asked them to just take care of it for you.
Now, I'm not saying there's not other issues at play here; like installing a patch into a competing product and the potential ethical concerns therein... but can this not be construed as (a) a tacit approval of Firefox as a "valid" third-party browser and (b) an attempt to ensure that the user who requested that Microsoft take charge of their experience get the best experience possible?
OK, I will say before I get lynched that I don't really like this too much, myself... I don't much appreciate when people do stuff to my machines that I don't like... but I also accept that this is inevitable. If you turn ANY part of your systems management over to a third party, sometimes they're going to do things that you disagree with. This is only even vaguely newsworthy because it doesn't happen that often. At least, not as often as it could.
If you really don't like it, disable it. And if you don't want this happening again, then start doing your patching the old fashioned way; by downloading the patches by hand and installing them. But don't start crying when they do something unexpected because you didn't read the agreement you agreed to, or read the release notes to understand what the patch is doing.
This is NOT a failure of Microsoft OR Firefox. This is a failure of the user community who would rather hand off their systems management to a third party, and the "advanced" user community who just blindly install patches and updates with no attempt to research the implications of said update.
Me? I'm primarily a Mac and Gentoo user... and yes, I understand that on my Mac I'll get updates from Apple that do much the same stuff as this... but I also read the release notes that are handily downloaded with the patches... that way I know what to expect. With Gentoo, I do the same. I use Windows at work, and manage a large network of systems... and yes, this patch was deployed to my client base... and yes, the Firefox users have the .NET plugin... and yes, they can disable it if they like. In our regression testing, the plugin appeared to have little to no impact on the client system other than adding yet another add on to the list.
I don't doubt plenty of EULAs have illegal terms in them, Microsoft are not alone in this practice. Apple seem worse in this regard with "not allowed to install on non-Apple hardware" and "not allowed as a virtual PC" but like any other agreement, until someone has the money to risk fighting it in court it stands. Pystar tried with one of these clauses and was struck down in the US court. Yes there's a lot more going on there than just one clause but huge mega-rich corporations rely on bullying people into just accepting and paying, not fighting.
Still, if you feel as a loyal citizen to fight Microsoft on the terms of their EULA in the firm knowledge that "right" will win over a huge lobbying / lawyering budget then be my guest, be a good citizen on behalf of all Windows license holders. I wish you the best of luck, and remember to check down the back of the sofa for every last euro, you're gonna need them.
Windows is built to remove as many user decisions as possible on the idea that users shouldn't have to be techy to use a PC. This means stuff is enabled and allowed by default. Over the years Microsoft have been nailed for that practice, and have gradually put in fixes to many of them, often far too little and far too late. These features are essentially Microsoft making the decision for the user which on the face of it can be seen as training wheels to keep you safe, but in reality gives malware writers an open goal to aim at, and they have done BIG TIME. It's why Windows is a malware magnet and why NO other OS follows Microsoft's design lead.
Active X enabled on IE by default? Execute code from websites without asking by default? Run as Administrator by default? Install applications without even informing the user by default?
All of these and more suggest Microsoft want to be the ones making decisions on behalf of their license holders. From a loyal Microsoft point of view that could be that they want to look after you and have your interests at heart, to protect you from the bad people. Like any other corporation, Microsoft don't give a shit about it's license holders, their priorities lie firmly with THEIR interests, with THEM making as much money as possible. This is hampered when you allow others the control you once held, you then have to convince them to do something you could have done on their behalf with no discussion or notification.
Microsoft rely on the average user being kept dumb. The more the user knows about day to day computing, the more they can make the decisions Microsoft make on their behalf because they understand them, at least on a basic level. Other OS's find ways to get decent defaults but do ask the users for confirmation on stuff, with help options available; taking the approach of trying to educate the user to some degree and giving them control. We have a LONG way to go before this is working perfectly, but at least some are trying.
Insightful? How in the world do you expect an application installed on an operating system to protect itself from another application that the operating system gives COMPLETE access to everything because said application is part of the operating system? How could they protect from that?
If you have total control over the computer, you can change files of another program as you wish. It is generally impossible to install an extension without the user's interaction -- unless you mess with Firefox' internal structures, which is what Microsoft here does.
A question "Blah has been installed, do you want to enable it?" would be wrong in all legitimate cases, since the user already elected to install the thing. A trojan (Windows Update here) can do whatever it wants anyway, if you add a confirmation flag the trojan will simply pre-enable it. Even a checksum (including proper cryptographic ones!) won't save you.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
Really? How?
Oh, lemme think... an unethical company could push an insecure framework into the plugin list of a competing browser so they can claim that the average Firefox installation is at least as insecure as the average IE... nah, who'd do that?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Would you please point me to the relevant part of (any) Windows EULA where it reads "we'll do what we want with your system and installed programs"?
Can't?
I can't either. So it's not part of the contract and thus nothing I agreed with. And I'm not even going to the legal binding effects of EULAs, considering I can't read them before purchase. So please, can the BS, the legal shit around software is already stinking enough as it is.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
This is clearly a bug in Firefox, and a fix should be released immediately. I'd think that firstly Firefox should default to considering the extension "unauthorized" and put up a big scary warning like "Unauthorized extension detected:
None of this is technically possible. Windows update runs with administrative privileges, and there is nothing firefox, or any application can stop it from doing. Firefox could make it harder for microsoft to add an addon, but it would basically be some kind of drm-style security-by-obscurity race against reverse engineering. This is a social, not a technical problem.
To save you all the trouble of reading the previous Slashdot discussion, I have summarized it below.
What does this Firefox extension do?
1.) It installs a BHO (Browser Helper Object) .Net Framework Assistant also changes the User-Agent string of the Firefox browser, adding "(.NET CLR 3.5.30729)"
2.) The
A Browser Helper Object (BHO) is a DLL module designed as a plugin for Microsoft's Internet Explorer web browser to provide added functionality.
"BHO can be used to install additional features or functions that are useful, it can also be exploited to install features or functions that are malicious. Some applications, such as the Google or Yahoo toolbars, are examples of good BHO's. But, there are also many examples of BHO's which are used to hijack your Web browser home page, spy on your Internet activities and other malicious actions."
The author on this site goes on to say: "If you are really concerned about bad BHO's and their affect on the overall security of your computer, you can just switch browsers. BHO's are unique to Microsoft's Internet Explorer and do not impact other Web browser applications such as Firefox."
Now that Microsoft has infected Firefox with this extension, his advice in the line above is obsolete!
The following phrases were copied and pasted wholesale, directly from the previous Slashdot discussion without attribution (except in one case where I copied the entire text of one submitter's comment).
The .Net Framework Assistant also changes the User-Agent string of the Firefox browser, adding "(.NET CLR 3.5.30729)", so infected sites can better detect which MS vulnerability to exploit.
The .NET framework is not required for Firefox to run. Why would any sane person assume installing a totally unrelated framework would scribble all over Firefox?
It most definitely IS unexpected, because I was never notified anywhere that a MICROSOFT update would entail installing an addon to a completely NON-Microsoft product.
How are they allowed to get away with this? Isn't installing BHOs that are not asked for and cannot be uninstalled without hacking pretty much the definition of malware?
Microsoft modified *another company's products*. What's next? MS is going to start adding updates to VLC player or Utorrent or OpenOffice or WordPerfect?!?!? They shouldn't be messing with non-microsoft products.
Microsoft is doing this in an update without notifying its users (as far as has been reported) that this update will be modifying third party software with no easy way to prevent or uninstall the change.
The true question here is not how to uninstall it. The question everyone should be asking is: is it messing with other settings in firefox, reporting back to MS what other extensions I use, monitoring my web traffic, going to break my browser, new security holes?
Ok Microsoft, you are making automatic changes to software written by other companies without permission or request of the user. I don't care if you say it's just an extension, you didn't ask me!
The precedent has already been established that the OS can be configured to require the local administrator to give explicit permission for each patch to be applied; the outrage here is that this time, that choice was not offered, and the affected software was neither part of the operating system nor even a Microsoft product.
For those of you who are assuming it's probably safe (and admittedly, you're probably right), there's another good reason to get rid of it. Microsoft changing your browser string to indicate that this piece of software is installed in your browser. The purpose of this, most likely, is to increase the installed base for this software, and use that as an argument
People who run updates for the .Net Framework are doing so because they want the .Net Framework's functionality on their machine.
The .Net Framework includes 'Click Once'. Click Once is deployment/installation tool that is supposed to make .Net stuff 'just work'. You can 'Click Once' from your web browser and have the application installed on your machine and working. Simple. Easy.
Microsoft included it for the BENEFIT of FireFox users. If you use FireFox and don't want the Click Once deployment functionality installed on your machine, you'd think people would avoid installing it on their machine?
When MS doesn't make their new toys (Click Once) play nice with other browsers, people attack them. When MS develops an add-on that adds desirable functionality to a competitors browser - again, people get upset.
Removing it is a trivial task for anyone who knows enough to care.
I dunno, personally, I don't see the problem. 'OMFG - I installed the .Net Framework on my machine and it added stuff that makes the .Net Framework work on my machine!!! I h4te Micro$uck!'
If FireFox wants to break support for ClickOnce in their browser, I'm sure they could. But then you are back to the days of IE6. 'Okay Users, we need to run this app on our local intranet. It uses ClickOnce - so you need to run IE and go to \\xyz\ourapp to run it. Don't use anything but IE though, because this only works with IE'.
Well, they installed changes to another companies application without asking the user first,.. these changes, while more convient, open up security holes (the down side of 'just work' technologies) that many people go to firefox specifically to get away from.... and then they make it difficult to uninstall (anything that requires an average user to modify the registry manually counts as difficult and dangerous). Big deal or not I could see why people would be pissed, esp network admins that do not want this kind of functionality on their network.
Again...exact same problem. How does the Firefox protect against trusted programs from flipping the bit that Firefox sets to say the extension has been installed properly?
"City hall" in German is "Rathaus" Kinda explains a few things......
Please do NOT call ME an "update" to Win98SE. WinME was a total train wreck, I know, because I was one of the poor bastards that got an HP Pavilion with the "new" WinME. I could literally start the PC and start a countdown. It would crash within three minutes of getting to the desktop without touching it.
So please, don't compare Win98SE, which with a little tweaking was actually pretty stable and with a little DOS work or the right tool could be stripped down and rebuilt like a hotrod for gaming. With WinME the best thing you could do was take it out back and put it down like a lame horse. In fact I became friend with the owner of the last shop I worked at by showing him my evil WinME box and asking for help. He just smiled and said "you are gonna hand me $25 for one of those dead boxes in the corner and come back and thank me the next day." Are you nuts? WTF? Why would I want to pay $25 bucks for a dead box and why would I thank you for it? "Because there is probably one or two good parts on it and more importantly it has a Win2K disc and CAL taped to the top. Trust me, you WILL thank me the next day". Sure enough I walked in with my head held down and he just looked up and smiled and said "Well? lets here it" Thank you for selling the dead box with the Win2k disc. I haven't had a single crash since.
So please, don't compare the two. I still have a Win98SE box i keep for games and it is still stable as long as you don't overtax it with too much multitasking. The only thing WinME was ever good for, even after numerous attempts at tweaking and stripping trying to get it stable, was that its discs kept those nasty rings off my computer table when I was drinking a cold Pepsi. The only way you can consider those two OSes related is the same way I look at WinXP VS WinVista- Win98SE and WinXP was the normal ones while WinME and WinVista was the retarded cousins drooling on themselves that you hope don't make a mess on your carpet.
ACs don't waste your time replying, your posts are never seen by me.
It is a law of the universe; there is no free lunch, and in one way or another, you pay for everything.
Funny. I thought that paying Microsoft a lot of money for their product was the cost of the "lunch". Just because they can screw people doesn't mean that they are on any sort of moral high ground when they do. Not everybody is adept at reading and understanding the fine print like some of us happen to be. I can't stand the argument that we have nobody to blame but ourselves in a society where it is impossible for any one person to learn all the trades and skills necessary to function today. I don't know how to fix a car engine or perform surgeries, so I have to rely on others to do their jobs responsibly, and I'll be damned if I'm going to be made to feel guilty for not being a mechanic or a surgeon. Nor will I ever say that being raped is your own fault if you can't be bothered to learn martial arts or carry a gun. There is a reasonable expectation of decency from others in our society, and when that expectation is violated, there should be penalties.
I'm not seeing nearly enough penalties dished out these days. I almost wish I'd taken up law enforcement so I could prosecute top-flight political assholes. Because we certainly don't have a V or a Batman looking out for us.
-FL
Mozilla should release an immediate update that simply ignores the registry entry and prompts the user whether they want they want an additional security hole installed.
Maybe Firefox could silently filter Automatic Update installations to make sure they never install extensions again?