Slashdot Mirror


Microsoft Update Quietly Installs Firefox Extension

hemantm writes "A routine security update for a Microsoft Windows component installed on tens of millions of computers has quietly installed an extra add-on for an untold number of users surfing the Web with Mozilla's Firefox Web browser."


  1. Surprise! by jeffb+(2.718) · · Score: 5, Funny

    What, you think you know better than MICROSOFT what should be on your machine?

    1. Re:Surprise! by The+Grim+Reefer2 · · Score: 4, Funny

      What, you think you know better than MICROSOFT what should be on your machine?

      Well they did release Vista.

    2. Re:Surprise! by Smidge207 · · Score: 5, Funny

      What, you think you know better than MICROSOFT what should be on your machine?

      Well they did release Vista.

      Well, they did release Bob.

      --
      Is it just my observation, or is eldavojohn an idiot?
    3. Re:Surprise! by The+Grim+Reefer2 · · Score: 2, Informative

      What, you think you know better than MICROSOFT what should be on your machine?

      Well they did release Vista.

      Well, they did release Bob.

      ...And Clippy, and Windows 98 ME...

    4. Re:Surprise! by danieltdp · · Score: 3, Informative

      Just to be precise: windows Me came after windows 98. Those are two different versions.

      --
      -- dnl
    5. Re:Surprise! by fatray · · Score: 5, Insightful

      Firefox is a competitor to Microsoft. Automatically installing extensions to your competitor's products really is an innovative idea. I wonder if Microsoft has a patent on this?

      This could be misused, though.

    6. Re:Surprise! by AnalPerfume · · Score: 4, Insightful

      It's not YOUR PC though, the hardware is but Microsoft own the copy of Windows running on it, you only own a license to use Windows under their terms and conditions. Under those terms Microsoft can do whatever they want with the consent of the owners.....which is themselves.

    7. Re:Surprise! by anjilslaire · · Score: 2

      Well, they did release DOS.

      Yes, they *released* it, but did not create it.

    8. Re:Surprise! by should_be_linear · · Score: 3, Interesting

      They sure have patent on breaking other people's SW interacting with their SW (Office formats, MS Java, Grub/Lilo support, ... ) so how about giving them little bit of their own medicine? (Breaking .NET plugin with next Firefox update). I know, I know, not gonna happen...

      --
      839*929
    9. Re:Surprise! by Ilgaz · · Score: 2, Interesting

      If Firefox was an evil company of some sort, they would deliberately add some functionality to make browser break when their extension installed from their back and call a good lawyer company. For a software/app at market share of Firefox, I can guarantee millions of dollars in return although I am not a lawyer.

      MS should pray that they don't seem interested in such things and of course, source is open to look/review. E.g. it is not Microsoft.

      If it sounded too childish or tin foil, just check that story http://www.theregister.co.uk/1999/11/05/how_ms_played_the_incompatibility/ . It is not an IT urban legend, it is actually documented in court.

    10. Re:Surprise! by fishyfool · · Score: 2

      I think the OP's point is like XP was Windows nt5.1 to Windows 2k's nt5.0 (hint, just an update) and that Windows7 is just an update to Windows Vista, that ME was just an update to Windows 98 osr2.5.

      --
      Enjoy Every Sandwich
    11. Re:Surprise! by Ilgaz · · Score: 3, Informative

      I always wondered if they ever thought "If we didn't acquire quick and dirty OS and go with our own". If you look at the quality of their code on Mac and releases in those ages, it is clearly ages ahead of the clone of the clone they acquired.

      Remember, they had UNIX license directly from AT&T too and selling it as Xenix. It really looks like they try to code Unix again in a different sense but fail, over and over. Judging from OS X Office releases, they wouldn't be a bad Unix/NeXT coding company either.

    12. Re:Surprise! by causality · · Score: 2, Informative

      I always wondered if they ever thought "If we didn't acquire quick and dirty OS and go with our own". If you look at the quality of their code on Mac and releases in those ages, it is clearly ages ahead of the clone of the clone they acquired.

      Remember, they had UNIX license directly from AT&T too and selling it as Xenix. It really looks like they try to code Unix again in a different sense but fail, over and over. Judging from OS X Office releases, they wouldn't be a bad Unix/NeXT coding company either.

      Didn't Microsoft have some sort of agreement with SCO (of all people) that prevented them from entering the Unix market? What I don't know is whether that exclusively means "bearing the Unix trademark" or if that also covers "unix clones".

      Otherwise your comment reminded me of that old saying, "those who fail to understand Unix are doomed to re-implement it, poorly."

      --
      It is a miracle that curiosity survives formal education. - Einstein
    13. Re:Surprise! by vandit2k6 · · Score: 2, Interesting

      I think the OP's point is like XP was Windows nt5.1 to Windows 2k's nt5.0 (hint, just an update) and that Windows7 is just an update to Windows Vista, that ME was just an update to Windows 98 osr2.5.

      No, I am sorry ME was complete downgrade to Win 98!

      --
      Its nice to be important but its more important to be nice
    14. Re:Surprise! by danieltdp · · Score: 2, Informative

      MMm. You mean *from* Win98, right?

      --
      -- dnl
    15. Re:Surprise! by Amazing+Quantum+Man · · Score: 2, Insightful

      They sure have patent on breaking other people's SW interacting with their SW

      Yeah, but it has to have expired by now... "DOS isn't done until Lotus won't run".

      --
      Fascism starts when the efficiency of the government becomes more important than the rights of the people.
    16. Re:Surprise! by The+Archon+V2.0 · · Score: 3, Funny

      ...And Clippy, and Windows 98 ME...

      And Commodore BASIC.

    17. Re:Surprise! by rvw · · Score: 2, Informative

      It's not YOUR PC though, the hardware is but Microsoft own the copy of Windows running on it, you only own a license to use Windows under their terms and conditions. Under those terms Microsoft can do whatever they want with the consent of the owners.....which is themselves.

      Which is complete and utter bullshit!!! They can state whatever they want in their licenses, but I think you are completely wrong, and at least here in Europe national or EU laws will overrule such conditions. They may still own Windows, but they may not do whatever they like on my or any other computer.

    18. Re:Surprise! by Thornburg · · Score: 3, Informative

      I think the OP's point is like XP was Windows nt5.1 to Windows 2k's nt5.0 (hint, just an update) and that Windows7 is just an update to Windows Vista, that ME was just an update to Windows 98 osr2.5.

      You've got your Windows 9x's confused. Win 95 had an "OSR 2.5" (4.00.950C), Win 98 had "SE" (4.10.2222A).

    19. Re:Surprise! by AnalPerfume · · Score: 5, Insightful

      I don't doubt plenty of EULAs have illegal terms in them, Microsoft are not alone in this practice. Apple seem worse in this regard with "not allowed to install on non-Apple hardware" and "not allowed as a virtual PC" but like any other agreement, until someone has the money to risk fighting it in court it stands. Psystar tried with one of these clauses and was struck down in the US court. Yes there's a lot more going on there than just one clause but huge mega-rich corporations rely on bullying people into just accepting and paying, not fighting.

      Still, if you feel as a loyal citizen to fight Microsoft on the terms of their EULA in the firm knowledge that "right" will win over a huge lobbying / lawyering budget then be my guest, be a good citizen on behalf of all Windows license holders. I wish you the best of luck, and remember to check down the back of the sofa for every last euro, you're gonna need them.

      Windows is built to remove as many user decisions as possible on the idea that users shouldn't have to be techy to use a PC. This means stuff is enabled and allowed by default. Over the years Microsoft have been nailed for that practice, and have gradually put in fixes to many of them, often far too little and far too late. These features are essentially Microsoft making the decision for the user which on the face of it can be seen as training wheels to keep you safe, but in reality gives malware writers an open goal to aim at, and they have done BIG TIME. It's why Windows is a malware magnet and why NO other OS follows Microsoft's design lead.

      Active X enabled on IE by default? Execute code from websites without asking by default? Run as Administrator by default? Install applications without even informing the user by default?

      All of these and more suggest Microsoft want to be the ones making decisions on behalf of their license holders. From a loyal Microsoft point of view that could be that they want to look after you and have your interests at heart, to protect you from the bad people. Like any other corporation, Microsoft don't give a shit about its license holders, their priorities lie firmly with THEIR interests, with THEM making as much money as possible. This is hampered when you allow others the control you once held, you then have to convince them to do something you could have done on their behalf with no discussion or notification.

      Microsoft rely on the average user being kept dumb. The more the user knows about day to day computing, the more they can make the decisions Microsoft make on their behalf because they understand them, at least on a basic level. Other OS's find ways to get decent defaults but do ask the users for confirmation on stuff, with help options available; taking the approach of trying to educate the user to some degree and giving them control. We have a LONG way to go before this is working perfectly, but at least some are trying.

    20. Re:Surprise! by Opportunist · · Score: 5, Insightful

      Really? How?

      Oh, lemme think... an unethical company could push an insecure framework into the plugin list of a competing browser so they can claim that the average Firefox installation is at least as insecure as the average IE... nah, who'd do that?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    21. Re:Surprise! by Opportunist · · Score: 2, Insightful

      Would you please point me to the relevant part of (any) Windows EULA where it reads "we'll do what we want with your system and installed programs"?

      Can't?

      I can't either. So it's not part of the contract and thus nothing I agreed with. And I'm not even going to the legal binding effects of EULAs, considering I can't read them before purchase. So please, can the BS, the legal shit around software is already stinking enough as it is.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    22. Re:Surprise! by AnalPerfume · · Score: 2, Interesting

      "EULAs generally have few, if any, illegal terms in them. Mostly because few EULAs were ever tested in courts. That doesn't automatically mean that they're legally binding. Mostly, again, because few have ever been tested in courts."

      This is exactly my point.

      The company who wrote the EULA for their product will treat it as legally binding until a court tells them it's not. They wrote it for exactly that purpose. They will use threats / bullying etc to try and get people to accept it rather than fight it, because they may just lose the fight, and therefore lose the right to continue using it to extort more money.

    23. Re:Surprise! by jythie · · Score: 5, Insightful

      Well, they installed changes to another company's application without asking the user first... these changes, while more convenient, open up security holes (the down side of 'just work' technologies) that many people go to firefox specifically to get away from.... and then they make it difficult to uninstall (anything that requires an average user to modify the registry manually counts as difficult and dangerous). Big deal or not I could see why people would be pissed, esp network admins that do not want this kind of functionality on their network.

    24. Re:Surprise! by hairyfeet · · Score: 4, Insightful

      Please do NOT call ME an "update" to Win98SE. WinME was a total train wreck, I know, because I was one of the poor bastards that got an HP Pavilion with the "new" WinME. I could literally start the PC and start a countdown. It would crash within three minutes of getting to the desktop without touching it.

      So please, don't compare Win98SE, which with a little tweaking was actually pretty stable and with a little DOS work or the right tool could be stripped down and rebuilt like a hotrod for gaming. With WinME the best thing you could do was take it out back and put it down like a lame horse. In fact I became friends with the owner of the last shop I worked at by showing him my evil WinME box and asking for help. He just smiled and said "you are gonna hand me $25 for one of those dead boxes in the corner and come back and thank me the next day." Are you nuts? WTF? Why would I want to pay $25 bucks for a dead box and why would I thank you for it? "Because there is probably one or two good parts on it and more importantly it has a Win2K disc and CAL taped to the top. Trust me, you WILL thank me the next day". Sure enough I walked in with my head held down and he just looked up and smiled and said "Well? let's hear it" Thank you for selling the dead box with the Win2k disc. I haven't had a single crash since.

      So please, don't compare the two. I still have a Win98SE box i keep for games and it is still stable as long as you don't overtax it with too much multitasking. The only thing WinME was ever good for, even after numerous attempts at tweaking and stripping trying to get it stable, was that its discs kept those nasty rings off my computer table when I was drinking a cold Pepsi. The only way you can consider those two OSes related is the same way I look at WinXP VS WinVista- Win98SE and WinXP was the normal ones while WinME and WinVista was the retarded cousins drooling on themselves that you hope don't make a mess on your carpet.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    25. Re:Surprise! by The+Grim+Reefer2 · · Score: 2

      Removing it is a trivial task for anyone who knows enough to care.

      I agree with everything you stated except for the above sentiment. I never understand why such a disproportionate number of people in IT, compared to other fields, think this way. Just imagine if you were in an accident and the EMS crew showed up and said, "Eh, he's still conscious, anyone who knows enough to care could stitch those lacerations up".

    26. Re:Surprise! by RobDude · · Score: 2, Informative

      It's a catch-22.

      If MS makes it so that .Net/ClickOnce/Silverlight or anything else, ONLY works in IE; people get upset that MS is being anti-competitive.

      If MS does make it so that everyone can use .Net/ClickOnce/Silverlight or anything else, then MS is just trying to force EVERYONE to use their technologies.

      I'm completely okay with MS giving out an addon that gives you .Net Framework functionality when you install/update the .Net Framework.

      ---

      Why would FireFox want to support ClickOnce? Because FireFox is a web-browser. FireFox has no offering that competes with something like ClickOnce. Before MS released this patch, there were already (unofficial, not-supported) addons that provided the same functionality. (https://addons.mozilla.org/en-US/firefox/addon/1608)

      FireFox supports the IFRAME. A tag that MS just made up, that didn't conform to any standards. Why did FireFox support it? Because FireFox wanted its users to be able to use FireFox for anything they could use IE for. ClickOnce is no different. If a user wants to have the .Net Framework/wants to use ClickOnce on their machine - why *wouldn't* FireFox want support for it to be there?

      Not supporting it means people HAVE to use IE to get that functionality.

      ---

      Beyond that, you don't *have* to edit the registry to remove it. That's a hack.

      When the plug-in gets installed, it's not for an individual user; it's for the entire system. Other FireFox plug-ins behave the same way. You can't remove those either, not directly, from FireFox. Because FireFox is treating you as an individual user. You, as a user, can disable the Add-on.

      Everything else about the .Net Framework is also installed for everyone on the system. The same way security patches are installed. Individual users on the machine don't have to each update critical windows crap.

      You can go here: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=cecc62dc-96a7-4657-af91-6383ba034eab

      (That's right, Microsoft.com)

      And you can download an update that will make the addons to FireFox work on a per-user level. At which point, FireFox allows you to easily uninstall it with the in-FireFox GUI.

      I haven't tested it, but I'm fairly confident removing the .Net Framework will remove the FireFox addons as well.

      So again, I'm *not* saying Microsoft is in the right here. But I am saying, 99% of the people I hear talking about this are grossly over-reacting.

      We're talking about an Update to the .Net Framework that added .Net functionality to FireFox. If you didn't install the Update, you wouldn't get the functionality.

      At best, this is a reminder to turn off 'Automatic Updates' if you don't trust Microsoft to be updating your files. It's hardly a case of Microsoft trying to 'discredit' FireFox or anything else.

    27. Re:Surprise! by RobDude · · Score: 3, Informative

      http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=cecc62dc-96a7-4657-af91-6383ba034eab [microsoft.com] .NET Framework 3.5 SP1, the .NET Framework Assistant enables Firefox to use the ClickOnce technology that is included in the .NET Framework. The .NET Framework Assistant is added at the machine-level to enable its functionality for all users on the machine. As a result, the Uninstall button is shown as unavailable in the Firefox Add-ons list because standard users are not permitted to uninstall machine-level components. In this update for .NET Framework 3.5 SP1 and in Windows 7, the .NET Framework Assistant will be installed on a per-user basis. As a result, the Uninstall button will be functional in the Firefox Add-ons list.

      This was released on 5/6/2009

      Again, seems like a giant over-reaction.

      The article was written 5/30/2009.

      You'd think the author would take a few seconds before sticking his foot in his mouth, again.

    28. Re:Surprise! by AnalPerfume · · Score: 2, Interesting

      After understanding the Linux "run as normal user" principle and how important it is for security I did actually try to apply that Linux user / admin separation on an XP install. You're right, it's a nightmare, with far too many regular user programs needing admin rights to run.

      In fairness I believe Microsoft have learned the error of that approach and have been trying to find a way round it. The problem they have is that they've conditioned users too well. They keep using "we know you don't want to learn anything new" as a reason to stay with Microsoft rather than look at something else.

      They even tried to patent sudo, even though they never invented it and don't use it.....but then since when has that stopped them using legal bullshit to attack and extort money from a competitor?

      Third party app developers don't help the cause either by not programming their user apps to need regular user rights. On the other hand OEM installed Windows which most Windows users have, tend to be installed as admin anyway so it's a fair bet that every user will be running as an admin.

      I have serious issues when the average Joe Sixpack can go into the system folder, delete and change stuff at random with NO knowledge about what he's doing. My mate's lil cousin has been known to do that, randomly delete files in the System32 folder that he don't like the name of because he's bored, then he complains when his PC don't boot up.

      It's important that these functions should be doable. It's vital that the user / admin rights stop the average user from doing it. Of course, if people (or remote websites) were stopped from being able to hose their PCs, lots of PC repair stores would lose a LOT of customers and a lot of income. It does help their revenue stream when a clean PC can be hosed by the following day and needs a repeat appointment.

    29. Re:Surprise! by sumdumass · · Score: 2, Informative

      Windows 2000 was never intended to be a "general user" or "home user" platform and its original launch date was intended to be in 97 or 98. When the NT 5 beta 2 was released, Microsoft was finally hammering home the notion that Windows NT 5.0 was being designed solely for businesses, not for individual users at home. Microsoft's Jim Allchin spoke of releases that would follow NT 5.0, such as NT 5.1 "Asteroid" and NT 6.0 "Neptune," which would feature a consumer edition. Post-NT 5.0, Windows would receive a maintenance-free user interface and a unified Web/Win32 API. "NT everywhere" was the theme of the show. (of course NT 5 is windows 2000)

      In line with the Asteroid release containing a consumer edition, it was something like service pack one or two in windows 2000 before some of the more major problems with consumer level access was addressed.

      Windows ME however was the original 98 to NT transition plan that Gates was talking of back in 1998. Its release was behind then rushed too. XP was the first planned and first implemented consumer level transition to the NT style Kernel. The NT numerical names would have been windows 2000 as NT 5.0, Windows XP as 5.1, and Vista or the 2008 server as NT 6.0.

      There was a rumor that MS was going to combine the best of windows CE with ME to create a consumer level NT platform but it was scrapped as marketing feared the slogan would become windows "CE ME NT": hard as a rock and dumb as a brick. Anyways, in the middle there, MS did come out with the windows "really good edition". This version was one of my favorites and you can even run a demo of it on that site.

    30. Re:Surprise! by hairyfeet · · Score: 3, Interesting

      Actually I can explain EXACTLY why it crashed, as being a PC repair guy off and on since Win3.xx I have had much experience in the area. I can also explain why yours worked and mine didn't.

      You see the main difference between Win98SE and WinME was .VXDs VS WDM. I would bet if you had that machine and looked at the drivers that ALL the drivers were WDM. You were what we in the biz called "lucky bastards" because nearly all the OEMs just used the same VXDs that were SUPPOSED to be supported in WinME, or even worse like mine ended up this horrible fucking mess with half of the older drivers being VXD and half the newer being WDM. You see, in WinME in my experience VXD and WDM just don't play nice together. In fact they hate each other and will happily kill themselves and the OS with it due to conflicts.

      So you see grasshopper, you were one of the lucky bastards that got a machine with WDM only drivers. MSFT in their infinite stupidity said that WinME could use both, so many OEMs(like that damned HP which is STILL running not ten feet from me with a rock solid Win2K) didn't bother writing drivers for their older chipsets. Instead they just reused the Win98SE drivers while only writing drivers for the newer hardware as WDM. That was a recipe for total disaster and why you could set your watch by how fast mine crash. The video chip was WDM, the audio VXD, and the network and modem was one of each. So it wasn't FUD, it was MSFT releasing an OS which really didn't support the drivers they say it did. If you had all WDM you were good. All VXD and you had about a 60/40% chance at being stable. A mix of the two? You're fucked. And that is what happened to me and way too many WinME owners. We got fucked.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  2. Uhuh by jav1231 · · Score: 5, Funny

    The new extension allows Firefox to experience the same rich vulnerabilities that IE users have come to expect!

    1. Re:Uhuh by ibookdb · · Score: 4, Insightful

      Then this is a problem with Firefox, not IE, that it lets plugins be installed without user intervention. At the least it should warn upon next start that "Blah has been installed, do you want to enable it?"

    2. Re:Uhuh by TheRaven64 · · Score: 4, Informative

      There is no way in which this can be implemented that could not be bypassed by a plugin that has collusion from the OS (unless you have a TPM, but that just moves the problem one layer down). An update program designed to update the OS could very easily suppress the warning.

      --
      I am TheRaven on Soylent News
    3. Re:Uhuh by pizzach · · Score: 3, Interesting

      Then this is a problem with Firefox, not IE, that it lets plugins be installed through the filesystem without user intervention. At the least it should warn upon next start that "Blah has been installed, do you want to enable it?"

      When you have access to the filesystem, and I assume Windows Update runs with full privileges, you can do whatever the hell you want. If MS really wanted to, they could be replacing libraries in the Firefox folder. In many ways this is similar to the argument that if a hacker has physical access to the machine, you're toast.

      Having said that, a number of Linux distros have taken to including certain addons optionally or by default with a Firefox install. I don't really want to see this feature taken away and there is a very real purpose...to make mass management of Firefox installations easier.

      --
      Once you start despising the jerks, you become one.
    4. Re:Uhuh by KiloByte · · Score: 2, Insightful

      If you have total control over the computer, you can change files of another program as you wish. It is generally impossible to install an extension without the user's interaction -- unless you mess with Firefox' internal structures, which is what Microsoft here does.

      A question "Blah has been installed, do you want to enable it?" would be wrong in all legitimate cases, since the user already elected to install the thing. A trojan (Windows Update here) can do whatever it wants anyway, if you add a confirmation flag the trojan will simply pre-enable it. Even a checksum (including proper cryptographic ones!) won't save you.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    5. Re:Uhuh by cbiltcliffe · · Score: 2, Insightful

      Again...exact same problem. How does the Firefox protect against trusted programs from flipping the bit that Firefox sets to say the extension has been installed properly?

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    6. Re:Uhuh by DarkGreenNight · · Score: 2, Informative

      Firefox did warn me about the installation on its following restart. I changed an option (to make it ask for permission to execute things) and then I disabled it.

      Nonetheless I don't like a bit being forced to swallow this.

  3. fairly sure that by Pvt_Ryan · · Score: 5, Insightful

    this is old news.. That extension was "added" at least a year ago I think..

    1. Re:fairly sure that by Anonymous Coward · · Score: 2, Insightful

      Yup. But not that long ago:

      http://tech.slashdot.org/story/09/02/01/2143218/Microsoft-Update-Slips-In-a-Firefox-Extension

      Someone should check these dupes...

    2. Re:fairly sure that by Taagehornet · · Score: 5, Informative

      ...and we've already discussed it here at least once: http://tech.slashdot.org/article.pl?sid=09/02/01/2143218

    3. Re:fairly sure that by mrsteveman1 · · Score: 5, Funny

      New Slashdot rule, forget TFA, don't even read the discussion until the 2nd or 3rd time around

    4. Re:fairly sure that by impaledsunset · · Score: 2, Insightful

      Are you sure that's the same one? There is no mention what extension it is in the summary (no, I didn't RTFS, but I asked a friend to read and summarize it for me). This might be a new one. Like one that makes Firefox use Trident, support ActiveX and use Bing as a default search! Oh noes! Just imagine! It could also include eat babies, remove Linux related stories from Slashdot, add DRM and even be incompatible with the GPL! Don't downplay it! That's serious!

    5. Re:fairly sure that by Ark42 · · Score: 5, Informative

      Apparently, MS released a v1.1 of the plugin, but it can't install if you left 1.0 disabled (like I did). If you re-enable the plugin, then go manually re-download and re-install the hotfix which included this plugin more recently, you will get v1.1 of the plugin, after which, you CAN uninstall it.
      Note that disabling the plugin still leaves a string in your user-agent saying what version of .net you have installed, so either get it uninstalled, or go check and delete the right entry from general.useragent.extra.* in about:config

    6. Re:fairly sure that by morgan_greywolf · · Score: 2, Interesting

      The new twist is that the article's author just realized that the extension can't be easily uninstalled:

      I'm here to report a small side effect from installing this service pack that I was not aware of until just a few days ago: Apparently, the .NET update automatically installs its own Firefox add-on that is difficult -- if not dangerous -- to remove, once installed.

      Annoyances.org, which lists various aspects of Windows that are, well, annoying, says "this update adds to Firefox one of the most dangerous vulnerabilities present in all versions of Internet Explorer: the ability for Web sites to easily and quietly install software on your PC." I'm not sure I'd put things in quite such dire terms, but I'm fairly confident that a decent number of Firefox for Windows users are rabidly anti-Internet Explorer, and would take umbrage at the very notion of Redmond monkeying with the browser in any way.

      Big deal, you say? I can just uninstall the add-on via Firefox's handy Add-ons interface, right? Not so fast. The trouble is, Microsoft has disabled the "uninstall" button on the extension. What's more, Microsoft tells us that the only way to get rid of this thing is to modify the Windows registry, an exercise that -- if done imprecisely -- can cause Windows systems to fail to boot up.

      The sad thing is that I think probably everyone missed this because this is not new behavior for Microsoft.

    7. Re:fairly sure that by Ilgaz · · Score: 4, Insightful

      So let's speak about what has changed in 1 year? Firefox developers still didn't implement some sort of "If some extension installed behind my back (offline), ask user about it in next launch" functionality. Of course, it is a community/open source project. I would suggest and ask for votes if I was really a Firefox user but I am not.

      It is Microsoft and couple of ignorant developers currently installing local extensions, no malware or serious privacy issue yet. It is just inconvenience but things may change. Firefox is a very major player in browser business now and extensions can be very powerful. Users still run as "super user", even if they weren't, there is no precious data besides users home dir and browsing habits anyway. Understand what I am really afraid of?

      It is simply "check whatever was there in last quit and what was added when I got first launched" functionality. Nothing fancy, nothing fascistic like app store. Oh if they look at source and haxor the functionality? That is the time you do a nice submission to ClamAV/Kaspersky/Symantec/McAfee and they will care for the rest.

    8. Re:fairly sure that by AnalPerfume · · Score: 5, Funny

      The concept of "download and install an uninstaller to uninstall a program you never asked for but Windows allowed to be installed" seems very common on Windows. Just goes to show Windows is built for developers to exploit, rather than users to use. And people still call it a "personal" computer. I guess one more oxymoron can't hurt.

    9. Re:fairly sure that by thePowerOfGrayskull · · Score: 4, Funny

      New Slashdot rule, forget TFA, don't even read the discussion until the 2nd or 3rd time around

      What do you mean, "new"?

    10. Re:fairly sure that by Nakor+BlueRider · · Score: 2, Informative

      MS has instructions here for the extension's manual removal, for any who want them:
       
        How to manually remove the .NET Framework Assistant for Firefox

    11. Re:fairly sure that by gparent · · Score: 2, Insightful

      Yep, exactly like the Java VM. Idiot.

    12. Re:fairly sure that by camperdave · · Score: 4, Funny

      Obviously he didn't read the memo the first two times around.

      --
      When our name is on the back of your car, we're behind you all the way!
    13. Re:fairly sure that by adolf · · Score: 5, Informative

      TFA, which almost nobody bothered to read, links to an MSDN blog (which even acknowledges and links to the previous Slashdot story), which absolutely nobody bothered to read. Because, if the submitter, or the editor, or anyone had bothered to do so, they'd realize what a total non-issue this is: It's already fixed, which is why it works fine for you, drinkypoo.

      This blog states that the plugin was initially installed as a system-wide thing. And, with FF, users can't simply remove system-wide things by themselves. Which, of course, makes sense to anyone who has spent more than ten minutes working on a system with proper basic security. They detail a long-winded workaround.

      Right. So. Then there's this:

      Update (5/2009): We just release an update to .NET Framework 3.5 SP1 that makes the firefox plug in a per-user component. This makes uninstall a LOT cleaner.. none of the steps below are required once this update is installed.

      I'd guess that you simply already have this newer version of the .NET package, which includes a Firefox plugin which is installed in a manner more in keeping with what folks might normally expect, and accordingly can be uninstalled in a manner that folks might normally expect.

    14. Re:fairly sure that by HappySmileMan · · Score: 2, Insightful

      Firefox provides a way to install extensions which cannot be uninstalled, and that's MS' fault for using it? Interesting.

      Show me an application that can stop the administrator of the computer from changing any of its settings while not even running and I'll accept that you're right.
      That is, if it's done without posing far more serious flaws (setuid root comes to mind).

      And I did elaborate on how it could be done (admittedly not very well, but good enough to get the point across I would think, basically if installed by Administrator then User doesn't have permission to delete the files, kind of like every file on any operating system).

    15. Re:fairly sure that by MikeBabcock · · Score: 2, Informative

      Are you unaware that most Linux distros don't use 'uninstall' software, but keep track of the files belonging to various 'packages' in a central database allowing the removal of any of said software at any time without any special third party software nor the permission of the installing package?

      --
      - Michael T. Babcock (Yes, I blog)
    16. Re:fairly sure that by jamstar7 · · Score: 2, Informative

      How is the Firefox team liable for something a 3rd party developer puts in their plugin? Isn't it up to the 3rd party developer to make the damned thing compatible?

      If a 3rd party created a Firefox plugin that you can't turn off in Firefox, there sure as hell would be a bug or even a severe flaw in the design of the security system in Firefox. How can you claim anything else?

      OK, the API is documented. If a developer decides to not follow the API, then Firefox is at fault? How so? Did the Mozilla Development Team stick a gun in his face and tell him "Hey, don't follow the API!" or something? I'm sorry, it's sounding like if I go get hammered at the bar then try to drive home while at 5-8 times the allowable blood alcohol level, it's not my fault, it's the fault of General Motors for building the Cavalier I drive.

      --
      Understanding the scope of the problem is the first step on the path to true panic.
  4. Some Left Over Stupidity from the Last Millennium by eldavojohn · · Score: 5, Insightful
    Wow, well, you know what can I say? I applaud Microsoft for their work in Vista & Windows 7 in separating userspace from kernelspace and then they just go and do something like this:

    Microsoft .NET Framework Assistant 1.0
    Adds ClickOnce support and the ability to report installed .NET framework versions to the web server.

    I do not like the sound of that nor does Annoyances.org as the article notes. I don't like the idea of sending anything about software on my computer to a web server without me knowing about it. I really don't like the sound of ClickOnce either! Isn't this the mentality that has gotten IE users in trouble time and time again?!

    I don't have a problem with the .NET framework ... as long as we're not heading back to blurring the line between what the browser should have access to (certain user space files) and what the browser inadvertently has access to (.NET libraries right in the kernel).

    --
    My work here is dung.
  5. Dupe by MyLongNickName · · Score: 2, Informative

    I read about this on Slashdot a couple weeks ago.

    --
    See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
    1. Re:Dupe by MyLongNickName · · Score: 3, Informative

      Ah, finally found the link. Sadly enough, Slashdot's search engine didn't find it but Google's did.

      http://tech.slashdot.org/article.pl?sid=09/02/01/2143218

      (would have posted sooner, but have to wait 5 minutes between posts)

      --
      See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
    2. Re:Dupe by Anonymous Coward · · Score: 5, Funny

      Sadly enough, Slashdot's search engine didn't find it but Google's did.

      Hey, be fair. Slashdot has only had a search feature for about 10 years - it takes time to make these things useful.

      And their development team (Sid) has been feverishly at work all those years in order to bring us world-beating innovations like the giant green "Reply to This" and "Parent" buttons (we had such a hard time finding those links before the advent of those buttons) and features to break certain browsers. Add to that the Herculean efforts to change the wait between AC posts (the "Slow Down, Cowboy" feature) from 2 minutes to an amount of time generated by a random number generator and added to 2 hours while telling us things like "it has only been 96 days and 14 minutes since your last post - you must wait at least 2 minutes before posting" and you can see that Sid (who does this in his spare time between grade-school classes) has had a pretty full plate.

      Oh, and Sid has discovered girls, so his mind is elsewhere these days (he has to adapt - he never had exposure to girls while working for Slashdot).

      So, a little less of the bitching, if you please.

  6. How to disable... by Anonymous Coward · · Score: 5, Informative

    Tools > Add-Ons > Plugins > Disable all Microsoft plugins.. and Adobe Acrobat's, QuickTime's & anything else that looks suspicious

    1. Re:How to disable... by YesIAmAScript · · Score: 4, Informative

      The article doesn't say you can't disable it. In fact, in the screenshot in the article, the disable button is clearly enabled.

      The last .NET update did the same thing, put in an extension to Firefox that you couldn't uninstall, only disable. Java does the same thing, I have TWO Java SE Firefox extensions disabled in my list (neither can be uninstalled).

      With this latest .NET update the uninstall button actually works for the .NET extension. At least on my Windows 7 machine.

      --
      http://lkml.org/lkml/2005/8/20/95
    2. Re:How to disable... by Andy+Dodd · · Score: 4, Informative

      It says nowhere in the article that you can't disable it, just that you can't uninstall it.

      In fact, the screenshot in the article shows an active disable button, but not an active uninstall button.

      In a previous post, someone said that this is due to admin privileges issues. Most extensions are installed by a user and reside in a user-accessible directory. Firefox allows for system-wide installation of extensions by pointing to them with a registry entry. System-wide-installed extensions fundamentally can't be uninstalled directly by a user without some sort of privilege escalation, which Firefox doesn't support. MS didn't explicitly disable uninstallation, it's just a side effect of being a system-wide installation.

      --
      retrorocket.o not found, launch anyway?
    3. Re:How to disable... by maxume · · Score: 2, Informative

      Yeah, this one is at HKLM/Mozilla/Firefox/Extensions.

      I don't care about it, so I have no idea if deleting that key is sticky or not (perhaps some watchdog or another puts it back...).

      Mozilla has, for some value of documented, documented this:

      http://kb.mozillazine.org/Uninstalling_extensions#Windows_Registry_extension

      --
      Nerd rage is the funniest rage.
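
An audit of the registry mechanism the comments above describe, combined with the "compare against what was there at last launch" check proposed earlier in the thread. This is an added example, not code from any commenter, Mozilla or Microsoft. The HKLM key is the one named in the thread; the Wow6432Node and HKCU keys and the baseline file location are assumptions of this sketch.

```powershell
# Added example: list Firefox extensions registered through the Windows registry
# and report any that were not present in the last approved snapshot.
# Assumptions: the Wow6432Node and HKCU key paths, and the baseline file name.
[CmdletBinding()]
param(
    # Accept the current registrations as the new approved baseline.
    [switch]$Approve,
    [string]$BaselineFile = (Join-Path $env:LOCALAPPDATA 'firefox-registry-extensions.baseline')
)

$ExtensionKeys = @(
    'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions',
    'HKLM:\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions',
    'HKCU:\SOFTWARE\Mozilla\Firefox\Extensions'
)

function Get-RegistryFirefoxExtension {
    foreach ($keyPath in $ExtensionKeys) {
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        $key = Get-Item -LiteralPath $keyPath
        foreach ($id in $key.GetValueNames()) {
            if (-not $id) { continue }   # skip the key's unnamed default value
            # Value name = extension ID, value data = folder or .xpi it points to.
            $target = [string]$key.GetValue($id)
            $fingerprint = '{0}|{1}|{2}' -f $keyPath, $id, $target
            [pscustomobject]@{
                Key          = $keyPath
                Id           = $id
                Target       = $target
                TargetExists = [bool]($target -and (Test-Path -LiteralPath $target))
                # Machine-wide entries are the ones a user cannot uninstall from the Add-ons dialog.
                MachineWide  = $keyPath.StartsWith('HKLM:')
                Fingerprint  = $fingerprint
            }
        }
    }
}

$current      = @(Get-RegistryFirefoxExtension)
$currentLines = @($current | ForEach-Object { $_.Fingerprint })

# First run, or an explicit -Approve: record what is registered now and stop.
if ($Approve -or -not (Test-Path -LiteralPath $BaselineFile)) {
    Set-Content -LiteralPath $BaselineFile -Value $currentLines -Encoding UTF8
    Write-Host ('Baseline written with {0} entries: {1}' -f $currentLines.Count, $BaselineFile)
    $current | Format-Table Id, MachineWide, TargetExists, Target -AutoSize
    return
}

# Later runs: anything not in the baseline was registered behind the user's back
# (by an installer or update) since the last approval.
$approved = @(Get-Content -LiteralPath $BaselineFile)
$added    = @($current  | Where-Object { $_.Fingerprint -notin $approved })
$removed  = @($approved | Where-Object { $_ -notin $currentLines })

if ($added.Count -eq 0 -and $removed.Count -eq 0) {
    Write-Host 'No change in registry-registered Firefox extensions since the baseline.'
} else {
    if ($added.Count -gt 0) {
        Write-Warning 'Registered since the baseline (review, then rerun with -Approve):'
        $added | Format-List Key, Id, Target, TargetExists, MachineWide
    }
    if ($removed.Count -gt 0) {
        Write-Host 'In the baseline but no longer registered:'
        $removed
    }
}
```

Run it once to record the baseline, then again after each round of updates; extensions dropped straight into a profile or application directory are outside what this checks.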
  7. Firefox needs to fix this. by Jartan · · Score: 5, Insightful

    Several companies have pulled this stunt where they stealth in an addon and disable the uninstall button. Firefox makes this too easy and needs to change how it handles addons which are not installed expressly via the user.

    1. Re:Firefox needs to fix this. by MyLongNickName · · Score: 5, Insightful

      Hi. If you are running automatic updates, then by default, you have a process running on your computer with administrative privileges. So, you are proposing that Firefox somehow magically blocks that? Even if you find a way to do that, you would piss someone like me off. I am the de facto sysadmin for a small company. If I want auto update to run and update all computers, I do NOT want individual applications vetoing the updates. If I have a problem with an individual update, it is up to me to test the update before pushing it out to client computers. Simple as that.

      It is goofy workarounds and disregarding of conventions that create the big messes.

      --
      See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
    2. Re:Firefox needs to fix this. by Captain+Hook · · Score: 5, Informative

      This isn't an update from Firefox's point of view, it's the installation of an add-on which has not been requested by the user, at the very least, Firefox should prompt the user at the next startup if a new add-on has been installed.

      --
      These comments are my personal opinions and do not necessarily reflect the opinions of the other voices in my head.
    3. Re:Firefox needs to fix this. by 99BottlesOfBeerInMyF · · Score: 3, Insightful

      Hi. If you are running automatic updates, then by default, you have a process running on your computer with administrative privileges. So, you are proposing that Firefox somehow magically blocks that?

      You make this sound impossible, but that's not the case. Firefox doesn't have to automatically load any plug-in in the right folder. It can keep a list of which ones the user has manually approved and only use those. It can keep that list in an encrypted config file if it has to to keep MS from manually editing it. That's not to say Mozilla should adopt this behavior, only that MS having an admin process does not mean they can realistically control the workings of software running.

    4. Re:Firefox needs to fix this. by BitZtream · · Score: 5, Informative

      They aren't 'stealth'ing in an add on, nor are they 'disabling' the uninstall button.

      The 'uninstall' button is for user specific addons, not system wide add ons. The uninstall button has never worked for system wide addon installations. It is a feature, and a required one if you expect Firefox to actually get anywhere in the business world. This is done by adding a single registry key and can be done for ANY add on, regardless of who makes it or where it is installed.

      It serves two purposes. First it allows things to install add ons before the browser is installed so that when you later install Firefox it will be aware of existing items and not require you to jump through hoops to get them to work. Second, it allows administrators and other software packages to install something globally, for all users of the host, without requiring each user to manually install the add on and keep it updated.

      I'm sorry that this doesn't fall into your narrow little view of the world, but for the rest of us this sort of thing is a requirement to use Firefox in the business world.

      Finally, there is a very simple solution. Don't install software that does things you don't want it to do. You're an idiot if you think there is anything whatsoever that Firefox can do to stop this sort of thing. There isn't. Add ons will ALWAYS be able to install themselves without notifying you, welcome to open source, EVERYONE can see how to do it, that's a feature of open source. There is nothing Mozilla can do to stop it short of releasing a version with some non-OSS component that can be used to prevent it from happening using digital sigs to verify that only allowed add ons are installed or not load them. And as soon as they do that Slashdot will be ranting and raving about freedom to do whatever the hell it wants.

      You got your software freedom, you wanted everyone else to have the same access to the software as you do. Great, they do, now you get to deal with the consequences of that.

      It's not like user add-ons can't do the EXACT SAME THING. All you need to do is remove write permissions from your own files when you startup and Firefox won't do shit when you tell it to uninstall it except throw an error. Any add on can do that, and Firefox is unlikely to ever 'fix' that problem as it's one that Firefox shouldn't be responsible for.

      You can fix the problem on your computer yourself to make sure this doesn't happen with some registry permissions in HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla, take away all write/modify access to this key from everyone after you've installed Firefox. Problem solved. That is where various addons for Mozilla software can be installed globally by a system administrator.

      As for Firefox removing that feature, go ahead and let that happen. Find out how many IT departments suddenly want even less to do with Firefox. I'm sure they'll love you for having it removed when they have to do something retarded like run a login script to roll out extensions rather than just pushing a registry change via group policy.

      The worst part is that this gets modded insightful. This isn't fucking insightful, it's ignorant, short-sighted and shows a complete lack of understanding about what's going on and why.

      What's worse is ignorant dipshit comments like this end up making me fucking defend Microsoft.

      Get a clue, then start bashing, people with far more intelligence and understanding of this sort of thing work on it, not you, ever consider there MAY be a reason?

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    5. Re:Firefox needs to fix this. by MyLongNickName · · Score: 3, Insightful

      If you work in a corporate environment and you rely on autoupdate to keep your systems patched, you're an idiot.

      From my original post: 'If I have a problem with an individual update, it is up to me to test the update before pushing it out to client computers. Simple as that.'

      So much for your reading skills.

      --
      See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
    6. Re:Firefox needs to fix this. by Aurisor · · Score: 2, Insightful

      Add ons will ALWAYS be able to install themselves without notifying you, welcome to open source

      The fact that firefox is open-source has absolutely nothing to do with the ability of add-ons to install without a user's knowledge. A process running with superuser permissions (like windows update) could alter the state of any program on the machine, whether it be open-source or not.

      As interesting as I found the information you brought to the table about firefox add-on handling, your stream of abuse and specious arguments made your post sound rather juvenile.

      Next time, after you finish a post, take two minutes to walk around, cool off, and then come back and edit out all of the abuse and slander. That will make it much easier for the rest of us to read your posts.

  8. Nice Security Update by causality · · Score: 5, Insightful
    From the fine article:

    A routine security update for a Microsoft Windows component installed on tens of millions of computers has quietly installed an extra add-on for an untold number of users surfing the Web with Mozilla's Firefox Web browser.

    If this was part of a "routine security update" then it's getting easier to understand why there are so many unpatched Windows machines out there. Things like this may seem minor but they really erode the trust that must be present in order to allow a vendor to automatically push system updates. It always did amaze me that whenever major worms come out and infect millions of PCs, they do it using vulnerabilities that have already been patched some time ago. I'm wondering how much this lack of trustworthiness has to do with it.

    --
    It is a miracle that curiosity survives formal education. - Einstein
    1. Re:Nice Security Update by TheGratefulNet · · Score: 2, Funny

      I don't do windows updates. the last 'tinyXP' install was it and whatever came with it, came with it. period.

      on WGA at all and - again - whatever level it's at, it's at.

      BUT - no wga is a godsend and having a custom windows that is almost entirely crap-free (as much as we can make it) means we don't have to trust papa MS to give up new updates. the updates started being untrustworthy and doubtful a few years ago (around WGA time, really).

      since the wga days, I stopped doing online updates and did only a 'walkaround cdrom' update. even that dried up so I had to stop that procedure.

      if windows gets borked, I reinstall from that point again (or some backup). I do most of my 'dangerous' stuff on a vnc session with the real net i/o going on on linux and bsd (and opensolaris). the win box is just a vnc-viewer and not much else in a network context (no local browsing, almost ever!).

      this way, I really don't CARE about this or that security update on windows. I avoid dangerous activity on windows and my win install never changes 'from under me' as it would during various windows updates from MS!

      I prefer a slightly older system (of patches) on xp than trusting each new update.

      I will trust 'apt-get update' on those boxes and I'll trust the solaris updates, but I will NOT TRUST MS binary updates! not anymore. I'd rather re-install if things go bad than trust their ever-infringing updates.

      --
      "It is now safe to switch off your computer."
    2. Re:Nice Security Update by AnalPerfume · · Score: 2, Insightful

      When Microsoft abuse the concept of "critical" in Windows updates to shove IE8 and WGA onto people's PCs knowing they most likely know nothing about it and have it set to automatically download and apply all critical updates it certainly does erode trust when they find out. On every Windows PC I have to deal with I NEVER allow automatic updates because I don't trust Microsoft to act in the users' interests. I do updates manually, and always select "custom" to weed out the shit Microsoft are trying to push.

  9. How inconsiderate! by goldaryn · · Score: 5, Funny

    Man, this is so unfair to us Ubuntu users

    Someone please send me the .xpi

    1. Re:How inconsiderate! by hansamurai · · Score: 4, Informative

      Well, Ubuntu users get the Ubuntu Firefox add-on which has actually conflicted and broken other popular add-ons like Tab Mix Plus. I never actually figured out what that add-on even does before I disabled it.

    2. Re:How inconsiderate! by Anonymous Coward · · Score: 2, Informative

      After a quick look at the source, this is what this extension does:

      - Changing the start page
      - When a plugin is missing, make the Ubuntu package system deal with it.
      - In the extension manager add an option to download ubuntu-managed extensions (system-wide, apt-get controlled)
      - When apt-get updates firefox, communicate need to restart it to the user.
      - Add the ask.com search plugin (wtf?)

  10. And yet... by someyob · · Score: 4, Interesting

    at the same time it was Firefox that quietly allowed it to happen. "I admit that maybe I missed the point", he said as he rushed home to check his Windows machine.

  11. Remove it! by Dystopian+Rebel · · Score: 5, Informative

    http://www.annoyances.org/exec/show/article08-600

    Note that Oracle (nee Sun) is also doing this with a Java extension.

    --
    Rich And Stupid is not so bad as Working For Rich And Stupid.
  12. Re:Uhm... but this is old news, isn't it? by asdf7890 · · Score: 2, Interesting

    The .net-Update has "installed" this Add-On secretly for a few months now, as far as I know. It just got into the "normal" Windows auto-update stream, thus annoying more and more people? Or am I somehow mistaken?

    It has certainly been around for some time, and I think it has been in updates that Joe Public gets automatically for a while too. My guess is that this reporter has only just heard about it so to him (and presumably others too) it is new news.

    At first it turned up as part of the Visual Studio install/servicepack, so developers got it first, I'm not sure when I first noticed it appearing on machines that had the relevant .Net libraries but no VS.

    I don't have a problem with the add-in existing, or it being installed by default. But being installed by default with no opt-out and with the uninstall/disable options removed from the user, is either bad customer care or plain malice (though for all the noise my inner tin-foil-hat is making I can't think of anything logical that such malice would achieve for MS, so "not caring about the customer" is the more likely option).

  13. How to remove by NES+HQ · · Score: 5, Informative
    In case anyone's wondering:

    http://blogs.msdn.com/brada/archive/2009/02/27/uninstalling-the-clickonce-support-for-firefox.aspx

  14. Anecdotal problem by Dan+East · · Score: 5, Interesting

    I noticed this on a work machine and read about it last week. Instead of trying to manually remove the extension (the Uninstall button is disabled for this one and only extension) I simply disabled it. Starting that same day, the machine (2.3 GHz dual core Vista with 4 GB RAM) has begun locking up hard when using Firefox. This doesn't happen with IE or any other software. It locked up 5 times on me with Firefox within 1 hour, and has not locked up at all since then, as I have not used Firefox. It is abundantly clear the problem is related to Firefox, and the only thing I did with Firefox was disable the extension and restart.

    Has anyone else experienced anything like this after disabling the .NET extension? I'm curious how deeply this extension hooks into the OS and if it is capable of freezing up the entire OS. Firefox, on its own, should not be capable of locking up the entire machine.

    --
    Better known as 318230.
    1. Re:Anecdotal problem by bennini · · Score: 5, Insightful

      Firefox, on its own, should not be capable of locking up the entire machine.

      you must be new to Windows

    2. Re:Anecdotal problem by BitZtream · · Score: 5, Informative

      When you disable the extension Firefox does not load anything other than its manifest. It doesn't matter WHAT the extension does or how 'deeply the extension hooks into the OS', it's not loaded. Your lockups are unrelated to this extension if you have it disabled. They could very well be related to any number of other things that change during patching, but this particular extension is not it.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  15. Attention! by Anonymous Coward · · Score: 5, Funny

    Would everyone who voted this old news to the front page kindly line up...thank you.

    *SLAP*

    *SLAP*

    *SLAP*

    *SLAP*

    (etc...)

    Now, don't do it again!

  16. Re:Microsoft patching 3rd party apps? by ReverendLoki · · Score: 2, Informative

    As far as I know, Mozilla puts no restrictions on who can release what sort of Add-Ons. In this equation, Microsoft controls the OS and the software update program; they needed no permission from Mozilla to push this out.

    And as an Add-On, it's not really akin to patching a 3rd party app exactly. It's just a MS program that closely works and integrates with the publicly documented interface of a 3rd party app.

    --
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
  17. Re:Some Left Over Stupidity from the Last Millenni by Anonymous Coward · · Score: 5, Informative

    ClickOnce makes it possible to install applications over the web (WoWAceUpdater was an example of this) at the user's demand, it will not automagically download .NET-capable trojans to send back personal information. If you're truly paranoid and wish to disable it, the instructions are pretty simple and can be found by googling.

    On that note, Java's JRE does the exact same thing (adds a firefox extension without the user knowing about it, and reports back version).

  18. It's a string in the user-agent by tepples · · Score: 5, Informative

    Adds ClickOnce support and the ability to report installed .NET framework versions to the web server.

    I do not like the sound of that nor does Annoyances.org as the article notes. I don't like the idea of sending anything about software on my computer to a web server without me knowing about it.

    But do you know what your browser is already sending? Mine is sending this:

    User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)

    "Windows NT 5.1" is Windows XP, and "Gecko" is the HTML/CSS engine used by Firefox, Iceweasel, SeaMonkey, Fennec, etc. Sites can query the versions of various addons that handle an object type, such as Java SE and Flash Player, by embedding such an object. What's so different between querying the .NET Framework version through this add-on and doing so through the Silverlight addon?

    1. Re:It's a string in the user-agent by mrsteveman1 · · Score: 4, Informative

      What's so different between querying the .NET Framework version through this add-on and doing so through the Silverlight addon?

      Because I don't want either one?

    2. Re:It's a string in the user-agent by slashd'oh · · Score: 5, Informative

      You can go to "about:config" and clear the value of "general.useragent.extra.microsoftdotnet" to remove the "(.NET [...])" part of the UA string.

    3. Re:It's a string in the user-agent by thePowerOfGrayskull · · Score: 2, Insightful

      How about being able to trust that when MS installs ".Net Framework 3.5 SP1" it's a service pack to the framework that I use for development and execution of applications, without having to worry that they might bundle something else in with that update, completely unrelated to what they tell me they install?

  19. Re:Some Left Over Stupidity from the Last Millenni by Bert64 · · Score: 4, Insightful

    Not exactly..
    You have to explicitly acquire the JRE and install it, and the first version you install includes the firefox extension, subsequent updates may update functionality you already installed.

    It's not like the JRE shipped by default with the OS, and the original version didn't include the firefox extension while subsequent updates bring this new functionality.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  20. Re:Some Left Over Stupidity from the Last Millenni by Brett+Buck · · Score: 5, Funny

    I don't have a problem with the .NET framework ... as long as we're not heading back to blurring the line between what the browser should have access to (certain user space files) and what the browser inadvertently has access to (.NET libraries right in the kernel).

            I sure hope they come up with a way to run ActiveX in Firefox, I want seamless integration of my botnet...

            Brett

  21. Hooray, Thanks M$ by Co0Ps · · Score: 2, Insightful

    The fact that microsoft enabled .net support into my firefox simply can't get me upset. I'm just happy that they actually took time to code an addon for their biggest competitor. As long as the addon does something useful, why should I care? Hooray, Thanks M$.

  22. Not the only ones that are doing that by joseprio · · Score: 5, Informative

    In my system I also have the "Java Quick Starter" (from Sun), and I already removed the Skype add-on.

    As a Firefox extension developer, I've received several complaints about disappearing toolbar buttons, and the answer is always the same: check for the Skype extension that was installed without your consent, and uninstall it. Plus, navigating the browser history was a lot slower, and removing that add-on solved the problem (the Skype extension will scan the page contents to substitute phone numbers by Skype actions).

    This is not limited to Firefox, as this stuff has been happening in Internet Explorer for a long, long time. Still, it would be nice if Firefox would protect its users from non-authorized extensions, warning of what was installed, and providing an easy way to uninstall/disable it.

  23. Important Dupe by jonathanhowell · · Score: 2, Informative

    This is a dupe.
    http://tech.slashdot.org/article.pl?sid=09/02/01/2143218

    Even so, it's important to point out the transgressions of companies like Microsoft (SCO, Apple, Google, ...).

  24. Bug in Firefox by Lord+Bitman · · Score: 4, Insightful

    This allows an extension to be installed:
      - Without notification
      - Without the option to "uninstall"
      - (apparently, from the article) With the ability to install more things to your PC (which I thought Extensions were forbidden to do, and only Plugins [eg: Flash] could do)

    This is clearly a bug in Firefox, and a fix should be released immediately.
    I'd think that firstly Firefox should default to considering the extension "unauthorized" and put up a big scary warning like "Unauthorized extension detected: An external program has installed an extension in a manner which bypasses Firefox's normal security features. It is recommended that you click "uninstall" below, unless you are absolutely sure you know what you are doing"
    But there's no framework in Firefox (that I am aware of) for such an authorized/unauthorized check to be established. (It would mean defaulting everything except this Microsoft extension to "trusted")

    Sounds like a move by Microsoft to say "see! Open source isn't safe! Look what we could do!" once Firefox releases a fix that says "Warning: Unauthorized extension signed by 'Microsoft Corp' detected!"

    --
    -- 'The' Lord and Master Bitman On High, Master Of All
    1. Re:Bug in Firefox by JesseMcDonald · · Score: 2, Informative

      This isn't a bug in Firefox. The update process is running as Administrator (if not Local System) and has write access to every file on the system including the Firefox binaries themselves. The updater shouldn't be modifying third-party software, but if that's what Microsoft chooses to do there isn't much third-party developers can do to stop them.

      As for the inability to uninstall the extension, that's standard for extensions installed into the main Firefox application directory. You can only uninstall extensions installed into your personal profile; this behavior is the same under Linux for extensions installed via the package manager. You can disable any extension via your profile regardless of where it was installed, assuming the extensions themselves don't interfere--they have full access to and control over the Firefox UI while it's running. Once an extension is disabled it is no longer loaded at startup (apart from the manifest) and should be completely inert.

      I do agree that system extensions should probably be disabled by default, with some sort of prompt to enable them when they're first detected. That would be a bit more user-friendly, but can't ultimately prevent system-level processes from messing with how Firefox operates.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
    2. Re:Bug in Firefox by Tokerat · · Score: 4, Insightful

      You do realize that the reason it cannot be uninstalled is because Firefox (securely) does not do privilege escalation and the extension was installed by Windows Update for all users; in which case the extension is located by reading an entry from the registry instead of your own individual Mozilla profile.

      I agree with the statement there should be some type of warning when new plug-ins are installed. OH WAIT, there are warnings. Doesn't the add-on window pop up and say "1 new extension installed"? That's right.

      The REAL fault here is with Microsoft not telling users it was MODIFYING THE SOFTWARE OF ANOTHER VENDOR, but apparently we're STILL going to blame the other vendor (Mozilla), even though we know the real story.

      I sure liked technology more back when only smart people pretended to understand it.

      --
      CAn'T CompreHend SARcaSm?
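
Added example, not part of the thread: a small audit that classifies Firefox extensions by the install scopes the comments above describe (personal profile, application directory, registry entry) and marks which ones Firefox's own Uninstall button can act on. The `extensions` subfolder layout, the sample IDs and the sample registry row are assumptions constructed for the demo; the registry subkey is the one Mozilla documents for externally registered extensions.

```python
import sys
import tempfile
from pathlib import Path

# Registry location Firefox on Windows reads for externally registered
# extensions: value name = extension ID, value data = path on disk.
REG_SUBKEY = r"Software\Mozilla\Firefox\Extensions"


def registry_entries():
    """Return [(hive, ext_id, path)]; empty on non-Windows hosts."""
    if sys.platform != "win32":
        return []
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    found = []
    for label, hive in hives.items():
        try:
            with winreg.OpenKey(hive, REG_SUBKEY) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = value count
                    name, data, _ = winreg.EnumValue(key, i)
                    found.append((label, name, str(data)))
        except OSError:
            continue  # key absent: nothing registered in this hive
    return found


def directory_entries(root):
    """Return [(ext_id, path)] for each item under <root>/extensions."""
    ext_dir = Path(root) / "extensions"
    if not ext_dir.is_dir():
        return []
    out = []
    for item in sorted(ext_dir.iterdir()):
        ext_id = item.name[:-4] if item.name.endswith(".xpi") else item.name
        out.append((ext_id, str(item)))
    return out


def audit(profile_dirs, app_dir, reg=None):
    """Classify each extension by install scope.

    Only the "profile" scope is marked removable from inside Firefox,
    following the behaviour described in the thread.
    """
    rows = []
    for prof in profile_dirs:
        rows += [{"id": i, "scope": "profile", "path": p,
                  "firefox_can_uninstall": True}
                 for i, p in directory_entries(prof)]
    rows += [{"id": i, "scope": "application-directory", "path": p,
              "firefox_can_uninstall": False}
             for i, p in directory_entries(app_dir)]
    for hive, i, p in (registry_entries() if reg is None else reg):
        rows.append({"id": i, "scope": "registry-" + hive, "path": p,
                     "firefox_can_uninstall": False})
    return rows


def build_sample_tree(base):
    """Create a constructed profile and application directory for the demo."""
    profile = Path(base) / "profile"
    app = Path(base) / "app"
    (profile / "extensions" / "user-addon@example.invalid").mkdir(parents=True)
    (app / "extensions" / "vendor-addon@example.invalid").mkdir(parents=True)
    return profile, app


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        profile, app = build_sample_tree(tmp)
        # Constructed registry row; pass reg=None on Windows to read the real keys.
        sample_reg = [("HKLM", "updater-addon@example.invalid", r"C:\constructed\path")]
        for row in audit([profile], app, reg=sample_reg):
            print(row["scope"], row["id"], row["firefox_can_uninstall"])
```

Anything reported outside the `profile` scope was placed there by a process other than the browser's own add-on installer and is worth reviewing against the list of software you expect to integrate with Firefox.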
  25. Annoying, but... by Corson · · Score: 3, Insightful

    What is annoying is that it's installed without warnings or questions asked. The good part may be that it provides (or could provide) some functionality and M$ is finally acknowledging the percentage of Firefox users out there.

    1. Re:Annoying, but... by causality · · Score: 5, Interesting

      What is annoying is that it's installed without warnings or questions asked. The good part may be that it provides (or could provide) some functionality and M$ is finally acknowledging the percentage of Firefox users out there.

      I've seen the way they "acknowledge" competitors before. I like Firefox; that's why I'd prefer they keep ignoring it.

      --
      It is a miracle that curiosity survives formal education. - Einstein
  26. V1.1 Has the Uninstall Button Active by Astronomerguy · · Score: 2, Interesting

    I'm running Firefox on the Windows 7 RC, and v 1.1 of the Microsoft .NET Framework Assistant has the "Uninstall" button enabled. Looks like this was an old-news thing that's been fixed.

  27. check your plugins too by Anonymous Coward · · Score: 4, Insightful

    I had "Windows Presentation Foundation" installed too, with no details at all about what it did or any obvious way of deleting it.
    Eventually I navigated to
    C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation

    and deleted everything in it, and it was all gone.

    Mozilla needs to put a stop to this being possible and at least advise the user on the info screen what DLL is responsible and a way to forcibly remove it.

  28. The moral of the story is... by petrus4 · · Score: 3, Insightful

    ...If you're not already using a FOSS operating system, (Linux or FreeBSD) you probably should be.

    Microsoft bet on people not wanting to exercise personal responsibility; that is how they make their money. Windows makes life easier for you by providing you with a scenario where you don't need to take a month or so of your time to customise an open source operating system in order for it to be exactly the way you want it.

    However, understand that like with anything else, an exchange is happening here. You want them to provide you with convenience, to make it easy for you, and to basically do pretty much everything for you. They therefore have every right (because you've given it to them) to screw you in whatever manner they feel like. If you uncompromisingly, unthinkingly give them responsibility for your welfare, don't be surprised when they do something which isn't in your best interests.

    You can't have it both ways. You can't buy a fast food operating system and relinquish responsibility to a corporation in that manner on the one hand, and then expect it is going to be entirely and exclusively beneficial to you on the other.

    It is a law of the universe; there is no free lunch, and in one way or another, you pay for everything.

  29. IE compatibility mode? by carbona · · Score: 2, Funny

    Maybe Firefox will now run in "IE" compatibility mode so I can "correct" all my CSS 2.0 compliant code to render correctly on Redmond's browser.

  30. Gnashing my Teeth by Thumper_SVX · · Score: 3, Insightful

    I'm grinding and gnashing my teeth, but not for the reasons everyone else is.

    OK, I hate to defend Microsoft, but they absolutely stated this Firefox extension was to be installed in the release notes for the patch; http://www.microsoft.com/downloads/details.aspx?FamilyID=CECC62DC-96A7-4657-AF91-6383BA034EAB&displaylang=en

    Also, as I recall this patch was one of those ones that requires you to click "Agree" or somesuch before installation despite setting to automatically download and install updates.

    All of this crap occurs because people don't bother to read release notes any more. They would rather someone else take responsibility for their machines. Well you know what? Microsoft does just that, on a requested and as-needed basis. If you'd rather manage your own patches, then damn it... do it. But do it properly; read the bloody release notes so you know what's going on your machine. If you would rather Microsoft take that responsibility for your machine from you, then do that... but don't bitch when they do something you don't expect because you asked them to just take care of it for you.

    Now, I'm not saying there aren't other issues at play here; like installing a patch into a competing product and the potential ethical concerns therein... but can this not be construed as (a) a tacit approval of Firefox as a "valid" third-party browser and (b) an attempt to ensure that the user who requested that Microsoft take charge of their experience get the best experience possible?

    OK, I will say before I get lynched that I don't really like this too much, myself... I don't much appreciate when people do stuff to my machines that I don't like... but I also accept that this is inevitable. If you turn ANY part of your systems management over to a third party, sometimes they're going to do things that you disagree with. This is only even vaguely newsworthy because it doesn't happen that often. At least, not as often as it could.

    If you really don't like it, disable it. And if you don't want this happening again, then start doing your patching the old fashioned way; by downloading the patches by hand and installing them. But don't start crying when they do something unexpected because you didn't read the agreement you agreed to, or read the release notes to understand what the patch is doing.

    This is NOT a failure of Microsoft OR Firefox. This is a failure of the user community who would rather hand off their systems management to a third party, and the "advanced" user community who just blindly install patches and updates with no attempt to research the implications of said update.

    Me? I'm primarily a Mac and Gentoo user... and yes, I understand that on my Mac I'll get updates from Apple that do much the same stuff as this... but I also read the release notes that are handily downloaded with the patches... that way I know what to expect. With Gentoo, I do the same. I use Windows at work, and manage a large network of systems... and yes, this patch was deployed to my client base... and yes, the Firefox users have the .NET plugin... and yes, they can disable it if they like. In our regression testing, the plugin appeared to have little to no impact on the client system other than adding yet another add on to the list.

  31. Updated by MsGeek · · Score: 5, Funny

    "Windows 7 isn't done until Firefox won't run."

    --
    Knowledge is power. Knowledge shared is power multiplied.
    1. Re:Updated by BikeHelmet · · Score: 3, Interesting

      Microsoft removed the superior method of communicating with hardware that OpenGL had been using since Win9x.

      They designed something very similar to what OpenGL did, for DX10, which improved communications efficiency quite a bit. (Takes far less CPU power to talk to the videocards, compared to DX9)

      Unfortunately, there's only one of these channels in the kernel now, so OpenGL has to sit on top of it. (Reducing OpenGL's efficiency, since it doesn't need all the overhead that DX10 does)

  32. Firefox cannot fix this by js_sebastian · · Score: 2, Insightful

    This is clearly a bug in Firefox, and a fix should be released immediately. I'd think that firstly Firefox should default to considering the extension "unauthorized" and put up a big scary warning like "Unauthorized extension detected:

    None of this is technically possible. Windows Update runs with administrative privileges, and there is nothing Firefox, or any application, can stop it from doing. Firefox could make it harder for Microsoft to add an addon, but it would basically be some kind of DRM-style security-by-obscurity race against reverse engineering. This is a social, not a technical problem.

  33. Summary of previous discussion by TropicalCoder · · Score: 5, Insightful

    To save you all the trouble of reading the previous Slashdot discussion, I have summarized it below.

    What does this Firefox extension do?

    1.) It installs a BHO (Browser Helper Object)
    2.) The .Net Framework Assistant also changes the User-Agent string of the Firefox browser, adding "(.NET CLR 3.5.30729)"

    A Browser Helper Object (BHO) is a DLL module designed as a plugin for Microsoft's Internet Explorer web browser to provide added functionality.

    "BHO can be used to install additional features or functions that are useful, it can also be exploited to install features or functions that are malicious. Some applications, such as the Google or Yahoo toolbars, are examples of good BHO's. But, there are also many examples of BHO's which are used to hijack your Web browser home page, spy on your Internet activities and other malicious actions."

    The author on this site goes on to say: "If you are really concerned about bad BHO's and their effect on the overall security of your computer, you can just switch browsers. BHO's are unique to Microsoft's Internet Explorer and do not impact other Web browser applications such as Firefox."

    Now that Microsoft has infected Firefox with this extension, his advice in the line above is obsolete!

    The following phrases were copied and pasted wholesale, directly from the previous Slashdot discussion without attribution (except in one case where I copied the entire text of one submitter's comment).

    The .Net Framework Assistant also changes the User-Agent string of the Firefox browser, adding "(.NET CLR 3.5.30729)", so infected sites can better detect which MS vulnerability to exploit. The .NET framework is not required for Firefox to run. Why would any sane person assume installing a totally unrelated framework would scribble all over Firefox?

    It most definitely IS unexpected, because I was never notified anywhere that a MICROSOFT update would entail installing an addon to a completely NON-Microsoft product.

    How are they allowed to get away with this? Isn't installing BHOs that are not asked for and cannot be uninstalled without hacking pretty much the definition of malware?

    Microsoft modified *another company's products*. What's next? MS is going to start adding updates to VLC player or Utorrent or OpenOffice or WordPerfect?!?!? They shouldn't be messing with non-microsoft products.

    Microsoft is doing this in an update without notifying its users (as far as has been reported) that this update will be modifying third party software with no easy way to prevent or uninstall the change.

    The true question here is not how to uninstall it. The question everyone should be asking is: is it messing with other settings in firefox, reporting back to MS what other extensions I use, monitoring my web traffic, going to break my browser, new security holes?

    Ok Microsoft, you are making automatic changes to software written by other companies without permission or request of the user. I don't care if you say it's just an extension, you didn't ask me!

    The precedent has already been established that the OS can be configured to require the local administrator to give explicit permission for each patch to be applied; the outrage here is that this time, that choice was not offered, and the affected software was neither part of the operating system nor even a Microsoft product.

    For those of you who are assuming it's probably safe (and admittedly, you're probably right), there's another good reason to get rid of it. Microsoft is changing your browser string to indicate that this piece of software is installed in your browser. The purpose of this, most likely, is to increase the installed base for this software, and use that as an argument
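
Added example, not part of the thread: because the add-on appends "(.NET CLR 3.5.30729)" to the Firefox User-Agent string, an administrator can inventory which machines have it active from web proxy logs. The log lines, addresses and User-Agent strings below are constructed for the demo, and the Apache combined log format is an assumption about the proxy.

```python
import re
from collections import defaultdict

# Constructed proxy log lines in Apache combined format (not real traffic).
SAMPLE_LOG = "\n".join([
    '10.0.0.11 - - [01/Jun/2009:09:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) '
    'Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"',
    '10.0.0.12 - - [01/Jun/2009:09:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) '
    'Gecko/2009042316 Firefox/3.0.10"',
    '10.0.0.13 - - [01/Jun/2009:09:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; '
    '.NET CLR 2.0.50727; .NET CLR 3.5.30729)"',
    '10.0.0.14 - - [01/Jun/2009:09:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.10) '
    'Gecko/2009042513 Firefox/3.0.10"',
    '10.0.0.11 - - [01/Jun/2009:09:05:00 +0000] "GET /a HTTP/1.1" 200 99 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) '
    'Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"',
    'this line is not in combined log format',
])

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
FIREFOX_RE = re.compile(r"\bFirefox/[\d.]+")
CLR_RE = re.compile(r"\.NET CLR (\d+(?:\.\d+)+)")


def parse(log_text):
    """Yield (client, user_agent) for every well-formed log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # silently skip malformed lines
            yield m.group("client"), m.group("ua")


def firefox_clr_clients(log_text):
    """Map client address -> sorted .NET CLR versions in its Firefox UAs."""
    seen = defaultdict(set)
    for client, ua in parse(log_text):
        # Internet Explorer sends .NET CLR tokens by itself, so only a UA
        # that also carries the Firefox product token indicates the add-on.
        if not FIREFOX_RE.search(ua):
            continue
        for version in CLR_RE.findall(ua):
            seen[client].add(version)
    return {client: sorted(versions) for client, versions in seen.items()}


def coverage(log_text):
    """Return (clients advertising CLR via Firefox, all Firefox clients)."""
    firefox = {c for c, ua in parse(log_text) if FIREFOX_RE.search(ua)}
    return len(firefox_clr_clients(log_text)), len(firefox)


if __name__ == "__main__":
    for client, versions in firefox_clr_clients(SAMPLE_LOG).items():
        print(client, "advertises .NET CLR", ", ".join(versions))
    flagged, total = coverage(SAMPLE_LOG)
    print(f"{flagged} of {total} Firefox clients carry the token")
```

A client that stops appearing in this report after the add-on is disabled confirms the User-Agent change has been reverted on that machine.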

    1. Re:Summary of previous discussion by vux984 · · Score: 2, Insightful

      It most definitely IS unexpected, because I was never notified anywhere that a MICROSOFT update would entail installing an addon to a completely NON-Microsoft product.

      Oh? And when you download Adobe Acrobat Reader, were you shocked and surprised and offended when it did its thing to your browser too? Gasp, it's just a document viewer for PDFs... why is it installing browser addons?

      The addon is relevant to the .NET Framework's functionality, and it's reasonable to assume people downloading and updating the .NET Framework should be aware of what it is and does, and want the functionality.

      Plus...

      1) Microsoft does notify you if you actually read the information about what you are downloading.

      2) Firefox also notifies you when it starts up. If you don't want it just click disable. Microsoft knows this, and took no steps to try and stealth it in, so it's RELYING on Firefox's built-in addon notification. I don't see anything wrong with this.

      1) Firefox is not a Microsoft application. It is installed at the will and whim of the end-user. And the end-user should have control over what is installed into their Firefox.

      Let's take a look at my addons and plugins... approximately 1/3rd of them were not explicitly installed by me; this is that half:

      1) Adobe Acrobat .. Firefox is not an Adobe application !!!
      2) Citrix ICA Client .. WTF... I access the Terminal Server via Program Neighborhood... I didn't ask for this in firefox!
      3) iTunes Application Detector... Holy craps! Apple's in on this too?
      4) Java Platform SE 6U13. I installed Java for OO.o what's it doing in Firefox... Man am I getting steamed.
      5) Microsoft SharedView Plugin - Cripes... Microsoft snuck this into FF when I installed SharedView! Bastards.
      6) QuickTime 7.6 -- Apple again fuckers!!
      7) VMware Remote Console Plug-in -- holy shit even VMWARE is teh evilz!

      Yeah, sorry, I'm having a tough time working a lot of outrage over the "Microsoft .NET Framework Assistant"

      2) Microsoft has every opportunity to give that end user A CHOICE.

      FF already notifies you on start up. Microsoft knows this. What is the advantage of being asked twice?

      3) They have no right to assume that I want their goddamned "Clickonce" thing to work.

      So don't install automatic updates to features if you don't want them automatically updated.

      Given Microsoft's track record with security, I worry:

      - Windows user installs Firefox to avoid IE's security flaws.
      - Microsoft silently installs a plugin onto Firefox that reports the browser includes .NET functionality and allows websites to host .NET executables.
      - Hackers discover a way to exploit this.
      - Thus, Firefox is now less secure thanks to Microsoft

      a) It wasn't silent. FF tells you quite plainly that it happened.
      b) It isn't unique to microsoft... Adobe, Citrix, Sun, VMware, and Apple are all doing it too... in some cases they even do it on Linux.

      c) I'm curious what your "better solution" is? And why is relying on FF's own notification mechanism not acceptable to you?

      Your argument sounds pretty shrill to me.

    2. Re:Summary of previous discussion by vux984 · · Score: 2, Insightful

      1) ahh it's ok they told me I just missed it while reading the 67 other security updates.

      And your alternative is?

      As long as it is in the small print that's ok..

      FF notifies you too.

      2) Part of the problem is that Disable IS DISABLED!!!!

      No. It's not. The option to Uninstall is disabled. The option to "disable" works just fine.

      The reason the option to uninstall is disabled is because it was installed by the Windows Update service, which is a very high privilege account. The account that you use to run FF on the other hand doesn't have equivalent permission so you can't remove it. This is actually a good thing.

      If you really want to remove it, you simply need to remove it from the add-ons folder manually, with suitable privilege escalation. However, it's smarter to just disable it so that it knows it's already been installed and disabled. If you remove it, it will be restored next time it's supposed to be updated.

      Well You might want to watch what you install then. ALL of mine (bar the MS one) were installed by me on purpose.

      I call bullshit.

      On the one hand very few people are aware installing something like itunes will add an extension to firefox. And it certainly doesn't make a big production of "clearly notifying" you.

      On the other hand, if YOU watched what you installed better, you wouldn't have been surprised by the MS extension either.

      But hey I don't care it's only on my work laptop as I have switched to xubuntu at home.

      You should care.

      1) If an extension is installed via yum or apt-get or whatever you can't 'uninstall it' from within Firefox. The option is greyed out same as Windows. Same reason too: privileges.

      2) Things you install into ubuntu, from 3rd parties, will drop extensions into firefox without making a giant production of telling you about it too.

      Hell, I wouldn't be surprised if one day you'll apt-get mono as a package pre-req for something else, and then lo and behold find the "Mono .NET Assistant 1.0 ClickOnce support" sitting in your Firefox extensions next time you launch it.

  34. Windows-only Firefox? by artemis67 · · Score: 4, Interesting

    I'm just thinking that if this update is making Registry changes, then the plug-in is Windows-only, and it means that Firefox users on Windows will now have a different browsing experience than Firefox users of other platforms.

    So, the plug-in accomplishes two things for Microsoft: 1) it promotes the .NET platform to a wider audience, and 2) it promotes Windows as being the superior OS to run Firefox in.

    It's a win-win scenario for Microsoft. Firefox can continue to gain marketshare, but Microsoft will have their tentacles in it, making sure that the adoption of Firefox does not lead to a platform-agnostic world. And it rewards the .NET developers for investing in Microsoft-only technologies.

  35. I know where you're coming from, BUT. . . by Fantastic+Lad · · Score: 2, Insightful

    It is a law of the universe; there is no free lunch, and in one way or another, you pay for everything.

    Funny. I thought that paying Microsoft a lot of money for their product was the cost of the "lunch". Just because they can screw people doesn't mean that they are on any sort of moral high ground when they do. Not everybody is adept at reading and understanding the fine print like some of us happen to be. I can't stand the argument that we have nobody to blame but ourselves in a society where it is impossible for any one person to learn all the trades and skills necessary to function today. I don't know how to fix a car engine or perform surgeries, so I have to rely on others to do their jobs responsibly, and I'll be damned if I'm going to be made to feel guilty for not being a mechanic or a surgeon. Nor will I ever say that being raped is your own fault if you can't be bothered to learn martial arts or carry a gun. There is a reasonable expectation of decency from others in our society, and when that expectation is violated, there should be penalties.

    I'm not seeing nearly enough penalties dished out these days. I almost wish I'd taken up law enforcement so I could prosecute top-flight political assholes. Because we certainly don't have a V or a Batman looking out for us.

    -FL

  36. My only concern by Xenophon+Fenderson, · · Score: 2

    Does NoScript prevent .NET applets from running unless I explicitly trust the site? If so, then no big deal as I would have gladly downloaded this functionality separately had I known it existed (which is what I have to do with Java on all my Windows boxes).

    You also might notice that both Silverlight 2 and Office 2007 add plugins to Firefox, again behavior that is congruent with at least Adobe Acrobat and Flash. And - happy day - their execution is controlled by NoScript, so I don't mind that at all.

    If anything, I'm glad to see Microsoft supporting alternative browsers. I'm almost certain that these efforts are driven by anti-trust judgements against them in a number of different jurisdictions, but that's fine with me, too.

    --
    I'm proud of my Northern Tibetian Heritage
  37. Simple Solution by Hach-Que · · Score: 2, Insightful

    Mozilla should release an immediate update that simply ignores the registry entry and prompts the user whether they want an additional security hole installed.

    Maybe Firefox could silently filter Automatic Update installations to make sure they never install extensions again?