Sneaky Microsoft Add-On Put Firefox Users At Risk

CWmike writes to mention that the "Windows Presentation Foundation" plugin that Microsoft slipped into Firefox last February apparently left the popular browser open to attack. This was among the many things recently addressed in the massive Tuesday patch. "What was particularly galling to users was that once installed, the .NET add-on was virtually impossible to remove from Firefox. The usual 'Disable' and 'Uninstall' buttons in Firefox's add-on list were grayed out on all versions of Windows except Windows 7, leaving most users no alternative other than to root through the Windows registry, a potentially dangerous chore, since a misstep could cripple the PC. Several sites posted complicated directions on how to scrub the .NET add-on from Firefox, including Annoyances.org."

Not true

[Voulnet]

That's not true, I have Win XP SP2, Firefox 3.5.3; and I just disabled this plugin. It CAN be disabled.

Re:Not true

[The+Moof]

Originally, you couldn't uninstall the extension. Microsoft did eventually release a patch that activated the Uninstall button, it's been out for a while now. I even think Slashdot had a story about the patch that enabled the button. Still patiently waiting for Sun to give me the same option with "Super Cool Java Firefox Extension"...

(Going to the Advanced Settings in Java under the Control Panel to uninstall a Firefox extension is unacceptable. I also wish they'd clean up their plug-ins when they update.)

Re:Sabotage?

[noundi]

Maybe it's a little paranoid, but... Doesn't Microsoft potentially benefit from Firefox vulnerabilities? I mean, IE isn't doing so well right now, and this could discredit Firefox a little.

It's not paranoid, and yes they do. Making the competitor look bad is the key to success in modern politics, why would it be different in business?

Registry Danger!

[aster_ken]

Can we please stop with the "registry editing will end the world" warnings? It's no more dangerous to delete something from your registry than it is to delete something from the Program Files or Windows folders, and System Restore is more-than-capable of bringing the system back to life after your incompetence.

Also, the ability to remove this plug-in was covered on Slashdot a few months ago when Microsoft released version 1.1. It was included in an earlier service release to the .NET Framework for Windows XP and Windows Vista. This plug-in doesn't even exist in Windows XP by default. You must have installed .NET Framework 3.0 or higher to get it. Windows Vista includes .NET Framework 3.0, but if you've bothered to keep up with security updates you would have the ability to uninstall or disable the plug-in without modifying the registry by hand. Windows 7 allows you to do it because the earlier service release is part of the operating system.

Microsoft bashing is fun, but let's stick to facts.

Re:Registry Danger!

[Penguinisto]

"It's no more dangerous to delete something from your registry"

Perhaps, but...

1. This kinda invalidates the argument that Windows fanboys have been spouting for years, namely "...but in Linux/BSD/Whatever, you have to edit files, which is too hard for Joe Sixpack to do!"
2. If you bork the registry, discover it's borked only after a full reboot/log-in, then try to reboot again thinking it's some other problem, that backup copy of the registry just went 'pfft!', and you may or may not be able to get to a point where you can use System Restore
3. The registry makes a great place to hide stuff in (see also half the malware to come down the pike in the past 9 years)

Re:Sabotage?

[hairyfeet]

And it is actually quite simple to remove with regedit. For those that want to toss it just launch regedit and go to HKEY LOCAL MACHINE > Software> Mozilla > Firefox > Extensions. There you will find both it and the Java extension, just delete and voila! No more Dotnet or Java plugins.

Re:except anything but Windoze

[zach_the_lizard]

You can try WINE. Assuming Aion is Aion: The Tower of Eternity, people have gotten the game to play on Linux, FreeBSD, and Mac OS X with WINE, though there may be caveats. No one has tested NBA 2k10 on the AppDB. NBA 2k08 seems to work, however.