Slashdot Mirror


Microsoft Update Quietly Installs Firefox Extension

hemantm writes "A routine security update for a Microsoft Windows component installed on tens of millions of computers has quietly installed an extra add-on for an untold number of users surfing the Web with Mozilla's Firefox Web browser."

36 of 500 comments

  1. Surprise! by jeffb (2.718) · · Score: 5, Funny

    What, you think you know better than MICROSOFT what should be on your machine?

    1. Re:Surprise! by Smidge207 · · Score: 5, Funny

      What, you think you know better than MICROSOFT what should be on your machine?

      Well they did release Vista.

      Well, they did release Bob.

      --
      Is it just my observation, or is eldavojohn an idiot?
    2. Re:Surprise! by fatray · · Score: 5, Insightful

      Firefox is a competitor to Microsoft. Automatically installing extensions to your competitor's products really is an innovative idea. I wonder if Microsoft has a patent on this?

      This could be misused, though.

    3. Re:Surprise! by AnalPerfume · · Score: 5, Insightful

      I don't doubt plenty of EULAs have illegal terms in them; Microsoft are not alone in this practice. Apple seem worse in this regard with "not allowed to install on non-Apple hardware" and "not allowed as a virtual PC", but like any other agreement, until someone has the money to risk fighting it in court it stands. Psystar tried with one of these clauses and was struck down in the US court. Yes, there's a lot more going on there than just one clause, but huge mega-rich corporations rely on bullying people into just accepting and paying, not fighting.

      Still, if you feel as a loyal citizen to fight Microsoft on the terms of their EULA in the firm knowledge that "right" will win over a huge lobbying / lawyering budget then be my guest, be a good citizen on behalf of all Windows license holders. I wish you the best of luck, and remember to check down the back of the sofa for every last euro, you're gonna need them.

      Windows is built to remove as many user decisions as possible on the idea that users shouldn't have to be techy to use a PC. This means stuff is enabled and allowed by default. Over the years Microsoft have been nailed for that practice, and have gradually put in fixes to many of them, often far too little and far too late. These features are essentially Microsoft making the decision for the user which on the face of it can be seen as training wheels to keep you safe, but in reality gives malware writers an open goal to aim at, and they have done BIG TIME. It's why Windows is a malware magnet and why NO other OS follows Microsoft's design lead.

      Active X enabled on IE by default? Execute code from websites without asking by default? Run as Administrator by default? Install applications without even informing the user by default?

      All of these and more suggest Microsoft want to be the ones making decisions on behalf of their license holders. From a loyal Microsoft point of view that could be that they want to look after you and have your interests at heart, to protect you from the bad people. Like any other corporation, Microsoft don't give a shit about its license holders; their priorities lie firmly with THEIR interests, with THEM making as much money as possible. This is hampered when you allow others the control you once held; you then have to convince them to do something you could have done on their behalf with no discussion or notification.

      Microsoft rely on the average user being kept dumb. The more the user knows about day to day computing, the more they can make the decisions Microsoft make on their behalf because they understand them, at least on a basic level. Other OS's find ways to get decent defaults but do ask the users for confirmation on stuff, with help options available; taking the approach of trying to educate the user to some degree and giving them control. We have a LONG way to go before this is working perfectly, but at least some are trying.

    4. Re:Surprise! by Opportunist · · Score: 5, Insightful

      Really? How?

      Oh, lemme think... an unethical company could push an insecure framework into the plugin list of a competing browser so they can claim that the average Firefox installation is at least as insecure as the average IE... nah, who'd do that?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:Surprise! by jythie · · Score: 5, Insightful

      Well, they installed changes to another company's application without asking the user first... these changes, while more convenient, open up security holes (the down side of 'just work' technologies) that many people go to Firefox specifically to get away from.... and then they make it difficult to uninstall (anything that requires an average user to modify the registry manually counts as difficult and dangerous). Big deal or not, I could see why people would be pissed, esp. network admins that do not want this kind of functionality on their network.

  2. Uhuh by jav1231 · · Score: 5, Funny

    The new extension allows Firefox to experience the same rich vulnerabilities that IE users have come to expect!

  3. fairly sure that by Pvt_Ryan · · Score: 5, Insightful

    this is old news.. That extension was "added" at least a year ago i think..

    1. Re:fairly sure that by Taagehornet · · Score: 5, Informative

      ...and we've already discussed it here at least once: http://tech.slashdot.org/article.pl?sid=09/02/01/2143218

    2. Re:fairly sure that by mrsteveman1 · · Score: 5, Funny

      New Slashdot rule, forget TFA, don't even read the discussion until the 2nd or 3rd time around

    3. Re:fairly sure that by Ark42 · · Score: 5, Informative

      Apparently, MS released a v1.1 of the plugin, but it can't install if you left 1.0 disabled (like I did). If you re-enable the plugin, then go manually re-download and re-install the hotfix which included this plugin more recently, you will get v1.1 of the plugin, after which, you CAN uninstall it.
      Note that disabling the plugin still leaves a string in your user-agent saying what version of .net you have installed, so either get it uninstalled, or go check and delete the right entry from general.useragent.extra.* in about:config

    4. Re:fairly sure that by AnalPerfume · · Score: 5, Funny

      The concept of "download and install an uninstaller to uninstall a program you never asked for but Windows allowed to be installed" seems very common on Windows. Just goes to show Windows is built for developers to exploit, rather than users to use. And people still call it a "personal" computer. I guess one more oxymoron can't hurt.

    5. Re:fairly sure that by adolf · · Score: 5, Informative

      TFA, which almost nobody bothered to read, links to an MSDN blog (which even acknowledges and links to the previous Slashdot story), which absolutely nobody bothered to read. Because, if the submitter, or the editor, or anyone had bothered to do so, they'd realize what a total non-issue this is: It's already fixed, which is why it works fine for you, drinkypoo.

      This blog states that the plugin was initially installed as a system-wide thing. And, with FF, users can't simply remove system-wide things by themselves. Which, of course, makes sense to anyone who has spent more than ten minutes working on a system with proper basic security. They detail a long-winded workaround.

      Right. So. Then there's this:

      Update (5/2009): We just released an update to .NET Framework 3.5 SP1 that makes the firefox plug in a per-user component. This makes uninstall a LOT cleaner.. none of the steps below are required once this update is installed.

      I'd guess that you simply already have this newer version of the .NET package, which includes a Firefox plugin which is installed in a manner more in-keeping with what folks might normally expect, and accordingly can be uninstalled in a manner that folks might normally expect.

  4. Some Left Over Stupidity from the Last Millennium by eldavojohn · · Score: 5, Insightful

    Wow, well, you know, what can I say? I applaud Microsoft for their work in Vista & Windows 7 in separating userspace from kernelspace and then they just go and do something like this:

    Microsoft .NET Framework Assistant 1.0
    Adds ClickOnce support and the ability to report installed .NET framework versions to the web server.

    I do not like the sound of that nor does Annoyances.org as the article notes. I don't like the idea of sending anything about software on my computer to a web server without me knowing about it. I really don't like the sound of ClickOnce either! Isn't this the mentality that has gotten IE users in trouble time and time again?!

    I don't have a problem with the .NET framework ... as long as we're not heading back to blurring the line between what the browser should have access to (certain user space files) and what the browser inadvertently has access to (.NET libraries right in the kernel).

    --
    My work here is dung.
  5. How to disable... by Anonymous Coward · · Score: 5, Informative

    Tools > Add-Ons > Plugins > Disable all Microsoft plugins.. and Adobe Acrobat's, QuickTime's & anything else that looks suspicious

  6. Firefox needs to fix this. by Jartan · · Score: 5, Insightful

    Several companies have pulled this stunt where they stealth in an addon and disable the uninstall button. Firefox makes this too easy and needs to change how it handles addons which are not installed expressly via the user.

    1. Re:Firefox needs to fix this. by MyLongNickName · · Score: 5, Insightful

      Hi. If you are running automatic updates, then by default, you have a process running on your computer with administrative privileges. So, you are proposing that Firefox somehow magically blocks that? Even if you find a way to do that, you would piss someone like me off. I am the de facto sysadmin for a small company. If I want auto update to run and update all computers, I do NOT want individual applications vetoing the updates. If I have a problem with an individual update, it is up to me to test the update before pushing it out to client computers. Simple as that.

      It is goofy workarounds and disregarding of conventions that create the big messes.

      --
      See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
    2. Re:Firefox needs to fix this. by Captain Hook · · Score: 5, Informative

      This isn't an update from Firefox's point of view; it's the installation of an add-on which has not been requested by the user. At the very least, Firefox should prompt the user at the next startup if a new add-on has been installed.

      --
      These comments are my personal opinions and do not necessarily reflect the opinions of the other voices in my head.
    3. Re:Firefox needs to fix this. by BitZtream · · Score: 5, Informative

      They aren't 'stealth'ing in an add-on, nor are they 'disabling' the uninstall button.

      The 'uninstall' button is for user specific addons, not system wide add ons. The uninstall button has never worked for system wide addon installations. It is a feature, and a required one if you expect Firefox to actually get anywhere in the business world. This is done by adding a single registry key and can be done for ANY add on, regardless of who makes it or where it is installed.

      It serves two purposes. First it allows things to install add ons before the browser is installed so that when you later install Firefox it will be aware of existing items and not require you to jump through hoops to get them to work. Second, it allows administrators and other software packages to install something globally, for all users of the host, without requiring each user to manually install the add on and keep it updated.

      I'm sorry that this doesn't fall into your narrow little view of the world, but for the rest of us this sort of thing is a requirement to use Firefox in the business world.

      Finally, there is a very simple solution. Don't install software that does things you don't want it to do. You're an idiot if you think there is anything whatsoever that Firefox can do to stop this sort of thing. There isn't. Add ons will ALWAYS be able to install themselves without notifying you; welcome to open source, EVERYONE can see how to do it, that's a feature of open source. There is nothing Mozilla can do to stop it short of releasing a version with some non-OSS component that can be used to prevent it from happening, using digital sigs to verify that only allowed add ons are installed, or not load them. And as soon as they do that Slashdot will be ranting and raving about freedom to do whatever the hell it wants.

      You got your software freedom, you wanted everyone else to have the same access to the software as you do. Great, they do, now you get to deal with the consequences of that.

      It's not like user add-ons can't do the EXACT SAME THING. All you need to do is remove write permissions from your own files when you start up and Firefox won't do shit when you tell it to uninstall it except throw an error. Any add on can do that, and Firefox is unlikely to ever 'fix' that problem as it's one that Firefox shouldn't be responsible for.

      You can fix the problem on your computer yourself to make sure this doesn't happen with some registry permissions in HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla, take away all write/modify access to this key from everyone after you've installed Firefox. Problem solved. That is where various addons for Mozilla software can be installed globally by a system administrator.

      As for Firefox removing that feature, go ahead and let that happen. Find out how many IT departments suddenly want even less to do with Firefox. I'm sure they'll love you for having it removed when they have to do something retarded like run a login script to roll out extensions rather than just pushing a registry change via group policy.

      The worst part is that this gets modded insightful. This isn't fucking insightful, it's ignorant, short-sighted and shows a complete lack of understanding about what's going on and why.

      Whats worse is ignorant dipshit comments like this end up making me fucking defend Microsoft.

      Get a clue, then start bashing, people with far more intelligence and understanding of this sort of thing work on it, not you, ever consider there MAY be a reason?

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  7. Nice Security Update by causality · · Score: 5, Insightful

    From the fine article:

    A routine security update for a Microsoft Windows component installed on tens of millions of computers has quietly installed an extra add-on for an untold number of users surfing the Web with Mozilla's Firefox Web browser.

    If this was part of a "routine security update" then it's getting easier to understand why there are so many unpatched Windows machines out there. Things like this may seem minor but they really erode the trust that must be present in order to allow a vendor to automatically push system updates. It always did amaze me that whenever major worms come out and infect millions of PCs, they do it using vulnerabilities that have already been patched some time ago. I'm wondering how much this lack of trustworthiness has to do with it.

    --
    It is a miracle that curiosity survives formal education. - Einstein
  8. How inconsiderate! by goldaryn · · Score: 5, Funny

    Man, this is so unfair to us Ubuntu users

    Someone please send me the .xpi

  9. Remove it! by Dystopian Rebel · · Score: 5, Informative

    http://www.annoyances.org/exec/show/article08-600

    Note that Oracle (nee Sun) is also doing this with a Java extension.

    --
    Rich And Stupid is not so bad as Working For Rich And Stupid.
  10. How to remove by NES HQ · · Score: 5, Informative

    In case anyone's wondering:

    http://blogs.msdn.com/brada/archive/2009/02/27/uninstalling-the-clickonce-support-for-firefox.aspx

  11. Anecdotal problem by Dan East · · Score: 5, Interesting

    I noticed this on a work machine and read about it last week. Instead of trying to manually remove the extension (the Uninstall button is disabled for this one and only extension) I simply disabled it. Starting that same day, the machine (2.3 GHz dual core Vista with 4 GB RAM) has begun locking up hard when using Firefox. This doesn't happen with IE or any other software. It locked up 5 times on me with Firefox within 1 hour, and has not locked up at all since then, as I have not used Firefox. It is abundantly clear the problem is related to Firefox, and the only thing I did with Firefox was disable the extension and restart.

    Has anyone else experienced anything like this after disabling the .NET extension? I'm curious how deeply this extension hooks into the OS and if it is capable of freezing up the entire OS. Firefox, on its own, should not be capable of locking up the entire machine.

    --
    Better known as 318230.
    1. Re:Anecdotal problem by bennini · · Score: 5, Insightful

      Firefox, on its own, should not be capable of locking up the entire machine.

      you must be new to Windows

    2. Re:Anecdotal problem by BitZtream · · Score: 5, Informative

      When you disable the extension Firefox does not load anything other than its manifest. It doesn't matter WHAT the extension does or how 'deeply the extension hooks into the OS'; it's not loaded. Your lockups are unrelated to this extension if you have it disabled. They could very well be related to any number of other things that change during patching, but this particular extension is not it.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  12. Attention! by Anonymous Coward · · Score: 5, Funny

    Would everyone who voted this old news to the front page kindly line up...thank you.

    *SLAP*

    *SLAP*

    *SLAP*

    *SLAP*

    (etc...)

    Now, don't do it again!

  13. Re:Some Left Over Stupidity from the Last Millenni by Anonymous Coward · · Score: 5, Informative

    ClickOnce makes it possible to install applications over the web (WoWAceUpdater was an example of this) at the user's demand, it will not automagically download .NET-capable trojans to send back personal information. If you're truly paranoid and wish to disable it, the instructions are pretty simple and can be found by googling.

    On that note, Java's JRE does the exact same thing (adds a Firefox extension without the user knowing about it, and reports back the version).

  14. It's a string in the user-agent by tepples · · Score: 5, Informative

    Adds ClickOnce support and the ability to report installed .NET framework versions to the web server.

    I do not like the sound of that nor does Annoyances.org as the article notes. I don't like the idea of sending anything about software on my computer to a web server without me knowing about it.

    But do you know what your browser is already sending? Mine is sending this:

    User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)

    "Windows NT 5.1" is Windows XP, and "Gecko" is the HTML/CSS engine used by Firefox, Iceweasel, SeaMonkey, Fennec, etc. Sites can query the versions of various addons that handle an object type, such as Java SE and Flash Player, by embedding such an object. What's so different between querying the .NET Framework version through this add-on and doing so through the Silverlight addon?

    1. Re:It's a string in the user-agent by slashd'oh · · Score: 5, Informative

      You can go to "about:config" and clear the value of "general.useragent.extra.microsoftdotnet" to remove the "(.NET [...])" part of the UA string.
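As an added illustration (example code written for this mirror, not from the thread, Mozilla or Microsoft) of what the user-agent string quoted above hands to every web server, and of the about:config fix in the reply: the first sample UA is the one posted above, the other two are constructed, and the stripped form assumes that clearing general.useragent.extra.microsoftdotnet removes exactly the trailing "(.NET CLR ...)" group.

```python
import re

# Constructed sample of Firefox User-Agent strings as a web server would log them.
# SAMPLE_UAS[0] is the string quoted in the comment above; the others are made up.
SAMPLE_UAS = [
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) "
    "Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)",
    "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.10) "
    "Gecko/2009042316 Firefox/3.0.10 (.NET CLR 2.0.50727; .NET CLR 3.5.30729)",
    "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.10) "
    "Gecko/2009042316 Ubuntu/9.04 (jaunty) Firefox/3.0.10",
]

# Windows NT version -> marketing name ("Windows NT 5.1" is XP, as the comment says).
WINDOWS_NAMES = {"5.1": "Windows XP", "6.0": "Windows Vista", "6.1": "Windows 7"}

# The .NET Framework Assistant appends one "(.NET CLR x.y.zzzzz)" group to the UA;
# several installed runtimes are listed inside the same parentheses, "; "-separated.
DOTNET_GROUP = re.compile(r"\s*\(\s*\.NET CLR [^)]*\)")
DOTNET_VERSION = re.compile(r"\.NET CLR (\d+\.\d+\.\d+)")
PLATFORM = re.compile(r"Windows NT (\d+\.\d+)")
FIREFOX = re.compile(r"Firefox/(\d+(?:\.\d+)*)")


def parse_user_agent(ua):
    """Return the facts a web server can read off a Firefox UA string."""
    nt = PLATFORM.search(ua)
    ff = FIREFOX.search(ua)
    os_name = "non-Windows"
    if nt:
        os_name = WINDOWS_NAMES.get(nt.group(1), "Windows NT " + nt.group(1))
    return {
        "os": os_name,
        "firefox": ff.group(1) if ff else None,
        # Every CLR version the add-on advertises, in the order it lists them.
        "dotnet_clr": DOTNET_VERSION.findall(ua),
    }


def strip_dotnet_token(ua):
    """UA string as it looks once general.useragent.extra.microsoftdotnet is cleared
    (assumption: only the trailing '(.NET CLR ...)' group disappears)."""
    return DOTNET_GROUP.sub("", ua)


def clients_advertising_dotnet(uas):
    """Indices of log entries whose browser reveals an installed .NET runtime;
    a defender can run this over access-log UA fields to see how many clients leak it."""
    return [i for i, ua in enumerate(uas) if parse_user_agent(ua)["dotnet_clr"]]


if __name__ == "__main__":
    for ua in SAMPLE_UAS:
        print(parse_user_agent(ua))
    print("leaking .NET version:", clients_advertising_dotnet(SAMPLE_UAS))
    print("after clearing the pref:", strip_dotnet_token(SAMPLE_UAS[0]))
```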

  15. Re:Some Left Over Stupidity from the Last Millenni by Brett Buck · · Score: 5, Funny

    I don't have a problem with the .NET framework ... as long as we're not heading back to blurring the line between what the browser should have access to (certain user space files) and what the browser inadvertently has access to (.NET libraries right in the kernel).

    I sure hope they come up with a way to run ActiveX in Firefox, I want seamless integration of my botnet...

    Brett

  16. Not the only ones that are doing that by joseprio · · Score: 5, Informative

    In my system I also have the "Java Quick Starter" (from Sun), and I already removed the Skype add-on.

    As a Firefox extension developer, I've received several complaints about disappearing toolbar buttons, and the answer is always the same: check for the Skype extension that was installed without your consent, and uninstall it. Plus, navigating the browser history was a lot slower, and removing that add-on solved the problem (the Skype extension will scan the page contents to substitute phone numbers by Skype actions).

    This is not limited to Firefox, as this stuff has been happening in Internet Explorer for a long, long time. Still, it would be nice if Firefox would protect its users from non-authorized extensions, warning of what was installed, and providing an easy way to uninstall/disable it.

  17. Re:Dupe by Anonymous Coward · · Score: 5, Funny

    Sadly enough, Slashdot's search engine didn't find it but Google's did.

    Hey, be fair. Slashdot has only had a search feature for about 10 years - it takes time to make these things useful.

    And their development team (Sid) has been feverishly at work all those years in order to bring us world-beating innovations: the giant green "Reply to This" and "Parent" buttons (we had such a hard time finding those links before the advent of those buttons) and features to break certain browsers. Add to that the Herculean efforts to change the wait between AC posts (the "Slow Down, Cowboy" feature) from 2 minutes to an amount of time generated by a random number generator and added to 2 hours while telling us things like "it has only been 96 days and 14 minutes since your last post - you must wait at least 2 minutes before posting" and you can see that Sid (who does this in his spare time between grade-school classes) has had a pretty full plate.

    Oh, and Sid has discovered girls, so his mind is elsewhere these days (he has to adapt - he never had exposure to girls while working for Slashdot).

    So, a little less of the bitching, if you please.

  18. Re:Annoying, but... by causality · · Score: 5, Interesting

    What is annoying is that it's installed without warnings or questions asked. The good part may be that it provides (or could provide) some functionality and M$ is finally acknowledging the percentage of Firefox users out there.

    I've seen the way they "acknowledge" competitors before. I like Firefox; that's why I'd prefer they keep ignoring it.

    --
    It is a miracle that curiosity survives formal education. - Einstein
  19. Updated by MsGeek · · Score: 5, Funny

    "Windows 7 isn't done until Firefox won't run."

    --
    Knowledge is power. Knowledge shared is power multiplied.
  20. Summary of previous discussion by TropicalCoder · · Score: 5, Insightful

    To save you all the trouble of reading the previous Slashdot discussion, I have summarized it below.

    What does this Firefox extension do?

    1.) It installs a BHO (Browser Helper Object)
    2.) The .Net Framework Assistant also changes the User-Agent string of the Firefox browser, adding "(.NET CLR 3.5.30729)"

    A Browser Helper Object (BHO) is a DLL module designed as a plugin for Microsoft's Internet Explorer web browser to provide added functionality.

    "BHO can be used to install additional features or functions that are useful, it can also be exploited to install features or functions that are malicious. Some applications, such as the Google or Yahoo toolbars, are examples of good BHO's. But, there are also many examples of BHO's which are used to hijack your Web browser home page, spy on your Internet activities and other malicious actions."

    The author on this site goes on to say: "If you are really concerned about bad BHO's and their effect on the overall security of your computer, you can just switch browsers. BHO's are unique to Microsoft's Internet Explorer and do not impact other Web browser applications such as Firefox."

    Now that Microsoft has infected Firefox with this extension, his advice in the line above is obsolete!

    The following phrases were copied and pasted wholesale, directly from the previous Slashdot discussion without attribution (except in one case where I copied the entire text of one submitter's comment).

    The .Net Framework Assistant also changes the User-Agent string of the Firefox browser, adding "(.NET CLR 3.5.30729)", so infected sites can better detect which MS vulnerability to exploit. The .NET framework is not required for Firefox to run. Why would any sane person assume installing a totally unrelated framework would scribble all over Firefox?

    It most definitely IS unexpected, because I was never notified anywhere that a MICROSOFT update would entail installing an addon to a completely NON-Microsoft product.

    How are they allowed to get away with this? Isn't installing BHOs that are not asked for and cannot be uninstalled without hacking pretty much the definition of malware?

    Microsoft modified *another company's products*. What's next? MS is going to start adding updates to VLC player or Utorrent or OpenOffice or WordPerfect?!?!? They shouldn't be messing with non-microsoft products.

    Microsoft is doing this in an update without notifying its users (as far as has been reported) that this update will be modifying third party software with no easy way to prevent or uninstall the change.

    The true question here is not how to uninstall it. The question everyone should be asking is: is it messing with other settings in firefox, reporting back to MS what other extensions I use, monitoring my web traffic, going to break my browser, new security holes?

    Ok Microsoft, you are making automatic changes to software written by other companies without permission or request of the user. I don't care if you say it's just an extension, you didn't ask me!

    The precedent has already been established that the OS can be configured to require the local administrator to give explicit permission for each patch to be applied; the outrage here is that this time, that choice was not offered, and the affected software was neither part of the operating system nor even a Microsoft product.

    For those of you who are assuming it's probably safe (and admittedly, you're probably right), there's another good reason to get rid of it. Microsoft changing your browser string to indicate that this piece of software is installed in your browser. The purpose of this, most likely, is to increase the installed base for this software, and use that as an argument