Slashdot Mirror
Microsoft Update Quietly Installs Firefox Extension
hemantm writes "A routine security update for a Microsoft Windows component installed on tens of millions of computers has quietly installed an extra add-on for an untold number of users surfing the Web with Mozilla's Firefox Web browser."
this is old news.. That extension was "added" at least a year ago i think..
Microsoft .NET Framework Assistant 1.0 .NET framework versions to the web server.
Adds ClickOnce support and the ability to report installed
I do not like the sound of that nor does Annoyances.org as the article notes. I don't like the idea of sending anything about software on my computer to a web server without me knowing about it. I really don't like the sound of ClickOnce either! Isn't this the mentality that has gotten IE users in trouble time and time again?!
.NET framework ... as long as we're not heading back to blurring the line between what the browser should have access to (certain user space files) and what the browser inadvertently has access to (.NET libraries right in the kernel).
I don't have a problem with the
My work here is dung.
Several companies have pulled this stunt where they stealh in an addon and disable the uninstall button. Firefox makes this too easy and needs to change how it handles addons which are not installed expressly via the user.
If this was part of a "routine security update" then it's getting easier to understand why there are so many unpatched Windows machines out there. Things like this may seem minor but they really erode the trust that must be present in order to allow a vendor to automatically push system updates. It always did amaze me that whenever major worms come out and infect millions of PCs, they do it using vulnerabilities that have already been patched some time ago. I'm wondering how much this lack of trustworthiness has to do with it.
It is a miracle that curiosity survives formal education. - Einstein
Firefox, on its own, should not be capable of locking up the entire machine.
you must be new to Windows
Firefox is a competitor to Microsoft. Automatically installing extensions to your competitor's products really is an innovative idea. I wonder if Microsoft has a patent on this?
This could be misused, though.
I don't doubt plenty of EULAs have illegal terms in them, Microsoft are not alone in this practice. Apple seem worse in this regard with "not allowed to install on non-Apple hardware" and "not allowed as a virtual PC" but like any other agreement, until someone has the money to risk fighting it in court it stands. Pystar tried with one of these clauses and was struck down in the US court. Yes there's a lot more going on there than just one clause but huge mega-rich corporations rely on bullying people into just accepting and paying, not fighting.
Still, if you feel as a loyal citizen to fight Microsoft on the terms of their EULA in the firm knowledge that "right" will win over a huge lobbying / lawyering budget then be my guest, be a good citizen on behalf of all Windows license holders. I wish you the best of luck, and remember to check down the back of the sofa for every last euro, you're gonna need them.
Windows is built to remove as many user decisions as possible on the idea that users shouldn't have to be techy to use a PC. This means stuff is enabled and allowed by default. Over the years Microsoft have been nailed for that practice, and have gradually put in fixes to many of them, often far too little and far too late. These features are essentially Microsoft making the decision for the user which on the face of it can be seen as training wheels to keep you safe, but in reality gives malware writers an open goal to aim at, and they have done BIG TIME. It's why Windows is a malware magnet and why NO other OS follows Microsoft's design lead.
Active X enabled on IE by default? Execute code from websites without asking by default? Run as Administrator by default? Install applications without even informing the user by default?
All of these and more suggest Microsoft want to be the ones making decisions on behalf of their license holders. From a loyal Microsoft point of view that could be that they want to look after you and have your interests at heart, to protect you from the bad people. Like any other corporation, Microsoft don't give a shit about it's license holders, their priorities lie firmly with THEIR interests, with THEM making as much money as possible. This is hampered when you allow others the control you once held, you then have to convince them to do something you could have done on their behalf with no discussion or notification.
Microsoft rely on the average user being kept dumb. The more the user knows about day to day computing, the more they can make the decisions Microsoft make on their behalf because they understand them, at least on a basic level. Other OS's find ways to get decent defaults but do ask the users for confirmation on stuff, with help options available; taking the approach of trying to educate the user to some degree and giving them control. We have a LONG way to go before this is working perfectly, but at least some are trying.
Really? How?
Oh, lemme think... an unethical company could push an insecure framework into the plugin list of a competing browser so they can claim that the average Firefox installation is at least as insecure as the average IE... nah, who'd do that?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
To save you all the trouble of reading the previous Slashdot discussion, I have summarized it below.
What does this Firefox extension do?
1.) It installs a BHO (Browser Helper Object) .Net Framework Assistant also changes the User-Agent string of the Firefox browser, adding "(.NET CLR 3.5.30729)"
2.) The
A Browser Helper Object (BHO) is a DLL module designed as a plugin for Microsoft's Internet Explorer web browser to provide added functionality.
"BHO can be used to install additional features or functions that are useful, it can also be exploited to install features or functions that are malicious. Some applications, such as the Google or Yahoo toolbars, are examples of good BHO's. But, there are also many examples of BHO's which are used to hijack your Web browser home page, spy on your Internet activities and other malicious actions."
The author on this site goes on to say: "If you are really concerned about bad BHO's and their affect on the overall security of your computer, you can just switch browsers. BHO's are unique to Microsoft's Internet Explorer and do not impact other Web browser applications such as Firefox."
Now that Microsoft has infected Firefox with this extension, his advice in the line above is obsolete!
The following phrases were copied and pasted wholesale, directly from the previous Slashdot discussion without attribution (except in one case where I copied the entire text of one submitter's comment).
The .Net Framework Assistant also changes the User-Agent string of the Firefox browser, adding "(.NET CLR 3.5.30729)", so infected sites can better detect which MS vulnerability to exploit.
The .NET framework is not required for Firefox to run. Why would any sane person assume installing a totally unrelated framework would scribble all over Firefox?
It most definitely IS unexpected, because I was never notified anywhere that a MICROSOFT update would entail installing an addon to a completely NON-Microsoft product.
How are they allowed to get away with this? Isn't installing BHOs that are not asked for and cannot be uninstalled without hacking pretty much the definition of malware?
Microsoft modified *another company's products*. What's next? MS is going to start adding updates to VLC player or Utorrent or OpenOffice or WordPerfect?!?!? They shouldn't be messing with non-microsoft products.
Microsoft is doing this in an update without notifying its users (as far as has been reported) that this update will be modifying third party software with no easy way to prevent or uninstall the change.
The true question here is not how to uninstall it. The question everyone should be asking is: is it messing with other settings in firefox, reporting back to MS what other extensions I use, monitoring my web traffic, going to break my browser, new security holes?
Ok Microsoft, you are making automatic changes to software written by other companies without permission or request of the user. I don't care if you say it's just an extension, you didn't ask me!
The precedent has already been established that the OS can be configured to require the local administrator to give explicit permission for each patch to be applied; the outrage here is that this time, that choice was not offered, and the affected software was neither part of the operating system nor even a Microsoft product.
For those of you who are assuming it's probably safe (and admittedly, you're probably right), there's another good reason to get rid of it. Microsoft changing your browser string to indicate that this piece of software is installed in your browser. The purpose of this, most likely, is to increase the installed base for this software, and use that as an argument
Well, they installed changes to another companies application without asking the user first,.. these changes, while more convient, open up security holes (the down side of 'just work' technologies) that many people go to firefox specifically to get away from.... and then they make it difficult to uninstall (anything that requires an average user to modify the registry manually counts as difficult and dangerous). Big deal or not I could see why people would be pissed, esp network admins that do not want this kind of functionality on their network.