Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Microsoft Update Slips In a Firefox Extension

Posted by kdawson on Sun Feb 01, 2009 10:45 PM
from the hitch-hiker dept.
Microsoft Mozilla Operating Systems Software The Internet Windows
An anonymous reader writes "While doing a weekly scrub of my Windows systems, which includes checking for driver updates and running virus scans, I found Firefox notifying me of a new add-on. It's labelled 'Microsoft .NET Framework Assistant,' and it 'Adds ClickOnce support and the ability to report installed .NET versions to the web server.' The add-on could not be uninstalled in the usual way. A little Net searching turned up a number of sites offering advice on getting rid of the unrequested add-on." The unasked-for extension has been hitchhiking along with updates to Visual Studio, and perhaps other products that depend on .NET, since August. It appears to have gone wider recently, coming in with updates to XP SP3.
+ -
story

Related Stories

Submission: Latest Microsoft Update slips in Firefox Extension by Anonymous Coward
[+] Your Rights Online: MS Issued a Fix For Its Unwanted FireFox Extension 266 comments
As we discussed last February, and again a few days ago after the Washington Post noticed, Microsoft installed without permission a hard-to-remove Firefox extension along with a service pack for .NET Framework 3.5. Reader Pigskin-Referee lets us know that, as it turns out, Microsoft issued a fix a month ago; details here.
[+] Firefox Disables Microsoft<nobr> <wbr></nobr>.NET Addon 448 comments
ZosX writes "Around 11:45 PM Friday night, I was prompted by Firefox that it had disabled the addons that Microsoft has been including with .NET — specifically, the .NET Framework Assistant and the Windows Presentation Foundation. The popup announcing this said that the 'following addons have been known to cause stability or security issues with Firefox.' Thanks, Mozilla team, for hitting the kill switch and hopefully this will get Microsoft to release a patch sooner." Here's the Mozilla security blog entry announcing the block, which Mozilla implemented via its blocklisting mechanism.
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Microsoft Update Slips In a Firefox Extension 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • malware.... (Score:5, Insightful)

    by gchesney0001 (667278) on Sunday February 01 2009, @10:47PM (#26689717)
    Remember Sony?

    • Re:malware.... (Score:5, Funny)

      by ScrewMaster (602015) * on Sunday February 01 2009, @10:49PM (#26689755)

      Remember Sony?

      Yes. Trying not to.

      • sony (Score:5, Funny)

        by symbolset (646467) on Sunday February 01 2009, @10:57PM (#26689859) Journal

        Never forget.

        Forgetting is key to getting caught again. You can only catch a cat in the same trap once.

        • Re:sony (Score:5, Insightful)

          by MrNaz (730548) * on Sunday February 01 2009, @11:07PM (#26689957) Homepage

          Unless that cat is the American public and the time since the last time you caught them is greater than the time since the last episode of American Idol.

      • Re:malware.... (Score:5, Insightful)

        by Anonymous Coward on Monday February 02 2009, @01:59AM (#26691199)

        The true question here is not how to uninstall it. The question everyone should be asking is: is it messing with other settings in firefox, reporting back to MS what other extensions I use, monitoring my web traffic, going to break my browser, new security holes? Maybe I don't want my f'ing browser to report what other software is installed on my computer.

        How about this one: Ok Microsoft, you are making automatic changes to software written by other companies without permission or request of the user. I don't care if you say it's just an extension, you didn't ask me! My trust just went right down the toilet.

        Note: I noticed this extension the other night on a system in VMWare but I haven't had a chance to look into it yet.

        In all fairness I think Microsoft should be forced to open source things they want to add on to NON MS applications. That way people can go take a look... Especially when you don't ask the user permission.

        Are there any legality issues with what they just did here?

    • Re:malware.... (Score:5, Insightful)

      by eebra82 (907996) on Sunday February 01 2009, @11:01PM (#26689901) Homepage
      I wouldn't class Sony's rootkit 'malware' as much as it was a security risk. This is not even remotely close to how stupid Sony's decision was.

      Having said that, I wonder if this update is stated anywhere in the ToA.

      • Re:malware.... (Score:5, Insightful)

        by Lendrick (314723) on Sunday February 01 2009, @11:36PM (#26690175) Homepage Journal

        Who's to say this thing isn't a security risk? Microsoft?

        Of course, we don't *know* that this software is bad, but my policy with my own machine is that if I don't know what something does, it doesn't run on my computer, which is why my computer still runs smoothly even though I haven't reinstalled Windows for several years.

        For those of you who are assuming it's probably safe (and admittedly, you're probably right), there's another good reason to get rid of it. Microsoft changing your browser string to indicate that this piece of software is installed in your browser. The purpose of this, most likely, is to increase the installed base for this software, and use that as an argument to ush whatever new web technology they're pushing. Now that non-IE browsers account for 30% of the total browsers on the internet, Microsoft is losing their stranglehold on web "standards", and they're pulling this crap to get it back.

        Don't be a part of it. Remove this plugin, then go into about:config and change your browser string back so it doesn't falsely advertise that you have it installed.

        Oh, and as far as Firefox goes... why is the uninstall button grayed out? This feels like a UI issue to me; principals of user-friendliness dictate that I ought to be in control of whether or not I can uninstall an add-on. Even having code in the browser that allows someone to take that freedom away from me is a bad thing. (Of course, is it really Firefox's fault? Is there a technical reason that Firefox *can't* uninstall the plugin?)

        • Re:malware.... (Score:5, Informative)

          by mR.bRiGhTsId3 (1196765) on Sunday February 01 2009, @11:46PM (#26690257)
          Firefox cannot uninstall plugins that are installed to "sensitive" areas, like the actual Program Files folder. Skype does this also. It shouldn't prevent you from disabling the add-on though.

        • Re:malware.... (Score:5, Informative)

          by Thinboy00 (1190815) <[thinboy00] [at] [gmail.com]> on Sunday February 01 2009, @11:52PM (#26690311) Journal

          If you install something (e.g. an extension) via apt or (I assume) rpm on Linux, Firefox can't uninstall it since it isn't running as root. In that scenario, the button is grayed out with no explanation. But, of course, you can always ask apt/rpm to remove the offending software, or not install it in the first place...

        • Mod up. 5 is not enough. (Score:5, Insightful)

          by Jane Q. Public (1010737) on Monday February 02 2009, @12:35AM (#26690655)
          Installing software on my computer -- especially software that is designed to make YOUR software work better, at the possible expense of others -- without my knowledge or consent is UNETHICAL . Period. And deliberately making uninstall difficult? INEXCUSABLE!!!

          Shame on MS. They have been through this before and should know better. Bad. Bad. Negative points. Sad, sad negative Karma.

        • Re:malware.... (Score:5, Insightful)

          by johannesg (664142) on Monday February 02 2009, @01:35AM (#26691065)

          there's another good reason to get rid of it. Microsoft changing your browser string to indicate that this piece of software is installed in your browser. The purpose of this, most likely, is to increase the installed base for this software, and use that as an argument to ush whatever new web technology they're pushing. Now that non-IE browsers account for 30% of the total browsers on the internet, Microsoft is losing their stranglehold on web "standards", and they're pulling this crap to get it back.

          This. It doesn't very often happen that a point is so important that I feel the need to quote it entirely and just add a "me too", but this is one of those very rare occasions.

          They have just hijacked every Firefox install out there, and are using it to advertise their own product. The only appropriate response would be for Mozilla to automatically refuse it from Firefox with the next Firefox update.

        • Re:malware.... (Score:5, Funny)

          by Antony-Kyre (807195) on Monday February 02 2009, @01:51AM (#26691161)

          Is there any difference between Microsoft doing that to Firefox, and Microsoft doing that popup blocker with Internet Explorer when someone does the SP2 update? Or how they force a firewall on you?

          You see, Microsoft is akin to a proctologist. Sticking things where they don't belong.

          • Re:malware.... (Score:5, Insightful)

            by Thiez (1281866) on Monday February 02 2009, @03:20AM (#26691627)

            Be honest. Have you read the source code of EVERY program you run, and of your operating system? Did you understand all of it? If you have read it all and understand it all, you're either running very few programs and a tiny, simple OS, or you have way too much free time. 'Knowing what someting does' is not a black-and-white thing. To get a good analogy: I can use a car and understand most of its parts without fully understanding the atoms it's made of, or how the car was made. Odds are GP is someone who knowns what all processes on his computer do, even if he doesn't know precisely how they do it. You create a false dichotomy by suggesting it is only possible to know what your programs do when you run an open source operating system.

  • Huh! (Score:5, Insightful)

    by ScrewMaster (602015) * on Sunday February 01 2009, @10:48PM (#26689737)
    This definitely goes into the "WTF?" category.

    • Exactly! (Score:5, Insightful)

      by Jane Q. Public (1010737) on Monday February 02 2009, @12:51AM (#26690773)
      This is where Microsoft shows its true colors. They believe that as long as you are running Windows, they actually have RIGHTS regarding your desktop and the software you run.

      They think they have a right to re-configure the software you use, for their own convenience and profit. That they can install things and you should have no say in the matter.

      I am serious. On the corporate level (not most individual employees, I am sure), they really think that way. The evidence is incontrovertible.

      Which used to serve them well. But which, in today's environment, is suffering a greater and greater disconnect with reality. I am sure you have noticed this yourself... the most obvious explanation for Microsoft's accelerating loss of market share is simply that they have lost touch with the realities of the market: their users' wants and needs, and, not to make too small a point of it, their business ethics.

      I am not surprised at all.

        • You have missed the point. (Score:5, Insightful)

          by Jane Q. Public (1010737) on Monday February 02 2009, @01:37AM (#26691079)
          (1) Firefox is not a Microsoft application. It is installed at the will and whim of the end-user. And the end-user should have control over what is installed into their Firefox.

          (2) Microsoft has every opportunity to give that end user A CHOICE. Yet, typically of Microsoft, they chose not to do so. That was the WRONG decision. And that is how most people view their work machines today: it belongs to me, by damn, and you had better ask me before installing something. As a computer professional, who depends on controlling software versions and so on to guarantee compatibility, this is not an option for me. I insist upon it. Companies that violate that policy are not my friends. They do NOT make my life easier, they make it much more difficult.

          (3)They have no right to assume that I want their goddamned "Clickonce" thing to work. Maybe I don't. And in fact, the OP was not about installing it via the web at all, it was about it being installed automatically in the background via SPs and SP updates. This isn't about clicking on a link at all. Please read first before you offer an opinion.

          (4) This is NOT about adding a mime-type handler. It is about installing a mime-type handler that some users may not want, secretly, in the background, without asking for permission. And for a BROWSER that isn't even their own product. Not only is this unacceptable to me (because I must always be in control of what is installed on my work machines), it is also typical of Microsoft's arrogant attitude toward their users.

          My high-horse is not strictly MS-specific, as you would know if you actually read what I wrote! If any other company did this, I would oppose it just as vehemently. It is just that Microsoft is famous for doing this kind of thing, and here is yet one more example.

          Odds are, "ozphx", that I was using Microsoft products professionally before you were out of elementary school. If you don't have a direct counterargument to mine, then please go elsewhere.

          Oh... by the way. I agree that including the Google toolbar in Java updates is unethical, too. But at least a choice *IS* offered, and that during a voluntary install. In the case under discussion, it was stated that this software is being added unannounced, as part of an update, without any such option being provided. So there is a bit of a difference.

        • Car Analogy For You (Score:5, Insightful)

          by TheLink (130905) on Monday February 02 2009, @03:25AM (#26691645) Journal
          <analogy_assistant>"You look like you need a car analogy"</analogy_assistant>

          This is like sending in your Microsoft car for servicing at Microsoft and having the Microsoft mechanic install an extension to your "Firefox" add-on car radio - which you installed yourself, because you wanted an alternative to the embedded Microsoft Car Radio (which cannot be removed without disabling a large part of the car).

          An extension that allows you to listen to the New & Wonderful Microsoft Radio Stations, and all installed without asking your permission first.

          Just because you chose to add that extension on your built-in Microsoft Car Radio, does not give them the right to install it on your non-Microsoft Car Radios, WITHOUT YOUR PERMISSION.

          After all many of us have the Firefox Car Radio just so that we can avoid listening to the Microsoft Radio Stations by accident or mistake or "Just Because Microsoft thinks it's time for you to". When we want to listen to those stations we use the Microsoft Car Radio.

          So far I have managed to install the Java crap on various computers without having the google tool bar installed without my permission - they made it optional and I usually deselect all such options.

          MS deserves a bashing for this. They are trespassing and are arguably doing an "unauthorised modification" to your computer system, which is a Computer Crimes offense in many countries.

          They'd probably get away by giving the various usual excuses. After all, the Sony bunch got away without being jailed even though they did something worse.

          Unauthorized modification of one to a few hundred computers and it's "hacking/vandalism", and if caught you can go to jail.

          Unauthorized modification of millions of computers and it's called "useful and allowing firefox adoption".

  • Allowed scope of updates (Score:5, Insightful)

    by Statecraftsman (718862) * on Sunday February 01 2009, @10:49PM (#26689751) Homepage
    Microsoft gives us updates all the time and we trust them to fix bugs and security holes. Firefox not coming with their extension is not in the scope of bugs and security holes they should fix. When they overstep their bounds like this ON TOP of an application(esp. a free software application) what might they be doing in their proprietary code under the application? Whatâ(TM)s next, an OpenOffice extension to make sure Microsoft never has an $ where their s is?

    • Re:Allowed scope of updates (Score:5, Interesting)

      by zobier (585066) <zobier@zobier.nYEATSet minus poet> on Sunday February 01 2009, @11:08PM (#26689963)

      It is totally unacceptable for Microsoft to interfere with any of the 3rd party software I have installed on my computer whether via their update mechanism or otherwise. If I ever find any of these shenanigans going on I will raise a formal complaint with the appropriate government competition bureau, I encourage others to do the same.

        • Re:Allowed scope of updates (Score:5, Insightful)

          by whoever57 (658626) on Sunday February 01 2009, @11:47PM (#26690267) Journal

          There is an option that you have to check to allow updates to things other than Windows.

          Which most people assume means things like MS Office and other MS components that are not part of a bare Windows install. I can't imagine anyone thinking this means 3rd party software.

            • Re:Allowed scope of updates (Score:5, Insightful)

              by mabhatter654 (561290) on Monday February 02 2009, @12:04AM (#26690441)

              that's because:
              a) most apps in Ubuntu come from the ubuntu servers, not their native homes and are compiled by canonical to work nicely with ubuntu

              b) Other apps are hosted in repositories. Some by the program writer, some by other people. But Apt/synamptic manages all the repositories in one place for you! And you can turn them on and off at will. What a concept!! This is what people have been requesting from Microsoft update for the better part of a decade.

      • Maybe because...

        • nobody asked for this extension
        • the extension makes a point of not letting you remove or disable it
        • the extension doesn't help you in any way whatsoever
        • it's Microsoft

        Just one of those is enough to make something bad.

      • Re:Why get upset? Firefox users avoid proprietary (Score:5, Insightful)

        by Nutria (679911) on Sunday February 01 2009, @11:55PM (#26690339)

        I'm seriously confused as to why this is upsetting considering that the average Firefox user installs plugins ...

        The point isn't that MSFT is creating FF plugins.

        The point is that MSFT is silently forcing plugins without telling us what they do.

        This whole thing would have been a non-issue if they had

        • added a sentence on why this plugin is useful, and
        • enabled the Uninstall button.

        But MSFT is too arrogantly stupid to do that.

  • Amazing (Score:5, Insightful)

    by kcbanner (929309) on Sunday February 01 2009, @10:49PM (#26689753) Homepage Journal
    Classic move. People noticed. Two steps forward 10 steps back, eh?

  • Intelligence gathering (Score:5, Funny)

    by madcat2c (1292296) on Sunday February 01 2009, @10:53PM (#26689801)
    They are gathering intelligence on how to build on of these "web browsers".

  • Scumware, eh? (Score:5, Informative)

    by dmomo (256005) on Sunday February 01 2009, @10:58PM (#26689863) Homepage

    One hint that this "extension" is unwanted garbage is that when you Google (google: Microsoft Framework Assistant) for it and the top links are pages about how to remove it. Then the first link from your site (microsoft.com) is also a forum that mentions getting rid of it...

    Anyway, here's how to remove it.

    http://www.robertnyman.com/2009/01/26/microsoft-force-installs-firefox-extension/ [robertnyman.com]

  • but... (Score:5, Insightful)

    by powerspike (729889) on Sunday February 01 2009, @11:04PM (#26689929)
    It's Funny, i have had the same issue with apple update, i find it requesting to install updates for programs that weren't installed in the first place, seems like the same thing but different company...

    • Re:but... (Score:5, Insightful)

      by spectecjr (31235) on Sunday February 01 2009, @11:28PM (#26690119) Homepage

      Except in Apple's case, it's somewhat worse... after all, why the fuck would they install MobileMe or Bonjour on my system when I install iTunes?

      Why the FUCK do they think I want their networking system along with their player?

      Bonjour [wikipedia.org]

      Grrrrrrrrrrrrrrrrrrrrrr. Weak. At least the .NET extension is within the realms of making sense.

        • Re:but... (Score:5, Interesting)

          by blincoln (592401) on Monday February 02 2009, @12:02AM (#26690427) Journal

          I don't understand the hatred for Bonjour. It's a discovery protocol, used by Macs for ages. All it does is to make it possible to find other computers.

          The only reason I have iTunes installed is because I couldn't find a Quicktime download that didn't come with it. The only reason I have Quicktime installed is because of people who only make their content available as Quicktime files for whatever reason.

          *Why* would I want Quicktime to be able to discover other devices on my network? Even if I did, why would I want a service running all of the time as opposed to once every few months when I go to play a Quicktime file?

          I can only speak for myself, but that's why *I* hate Bonjour. I wanted Apple's poorly-coded (for Windows at least) proprietary video player. In order to get it, I had to get a bunch of extra software I most definitely didn't want.

          I already tried Quicktime Alternative. It wasn't able to play the newest Quicktime variants.

  • updating third party software? (Score:5, Insightful)

    by master_runner (958234) on Monday February 02 2009, @12:00AM (#26690403) Homepage
    I find it interesting that people here are so outraged at MS installing an extension for third party software, particularly a web browser. Think about how many completely non-Mozilla related products install a Firefox extension - PDF readers, media players, etc. I'll take as an example Adobe Reader, which installs a plugin for in-browser viewing when you install the desktop app (I hate Adobe Reader too, but it's a high-profile example). Firefox is not an Adobe product at all! yet we aren't yelling at that. Additionally, MS already has components installed in FF. Silverlight and the Windows Presentation Foundation are both MS products that are commonly installed in Firefox as plugins, to enable apps that take advantage of Silverlight and .NET browser features to operate in Firefox and friends as well as Internet Explorer. This plugin seems to serve a similar purpose of allowing .NET-powered web apps (which MS wants to be common in the future) to operate in Firefox as well as Internet Explorer. It seems like we should appreciate this move towards interoperability on MS's part - the alternative is only supporting Internet Explorer for web apps.

    So it's really nothing abnormal to install an extension in a third party browser. This leaves us with only one issue, the fact that it was distributed via updates to other applications. I refute this as being a major issue for the exact same reason - quite a few programs update/install Firefox extensions as part of their normal update procedure - I raise Foxit Reader as an example, which as of v3.0 automatically installs a Firefox plugin. No one's yelling about that.

    A significant question here: If it wasn't Microsoft, would anyone be nearly as angry?

  • Is this SO bad? (Score:5, Insightful)

    by gorehog (534288) on Monday February 02 2009, @12:06AM (#26690451)

    A lot of you will hate me for this...

    MS doing this is them trying to ensure that Firefox will work with their web apps (or, web apps built with their technology). Now, granted that they are taking liberties they should not. It would be better to just make the plugin easy to get and install. Consider however that they are doing this so their technology will work on a standards-compliant browser. That's not nothing. It IS dysfunctional in a passive-aggressive way (aggressive-passive?). On the other hand MS is trying to make the browsing experience BETTER for people who use .Net with Firefox. I'm not so sure this is a bad thing. maybe poorly executed...but...there's an argument for saying it's not.

    Look, if you were running Ubuntu, installed Opera, and automatically got plugins from Synaptic for Opera that added new functionality would you complain?

    Then again, the convoluted removal process should be reconsidered.

  • Security (Score:5, Insightful)

    by Adrian Lopez (2615) on Monday February 02 2009, @12:29AM (#26690613) Homepage

    Given Microsoft's track record with security, I worry:

    - Windows user installs Firefox to avoid IE's security flaws.
    - Microsoft silently installs a plugin onto Firefox that reports the browser includes .NET functionality allows websites to host .NET executables.
    - Hackers discover a way to exploit this.
    - Thus, Firefox is now less secure thanks to Microsoft.

  • Quickly forgotten (Score:5, Insightful)

    by scdeimos (632778) on Monday February 02 2009, @01:23AM (#26690973)

    Anybody remember when Windows "Genuine Advantage" validation software was getting slipped in as part of "critical updates" for things like the Microsoft Flash Player patch? It wasn't really that long ago.

    You don't seriously expect Microsoft to *not* do these sorts of things on what they consider to be *their* systems, do you?

  • Microsoft, huh? (Score:5, Informative)

    by Waccoon (1186667) on Monday February 02 2009, @01:23AM (#26690981) Homepage

    Here's a look at all the plugins I didn't want and had to disable:

    Extensions:
    - Java Quick Starter 1.0
    - Microsoft .NET Framework Assistant 1.0

    Plugins: - Adobe Acrobat
    - Java(TM) Platform SE 6 U10
    - Java(TM) Platform SE 6 U11
    - Java(TM) Platform SE 6 U11 (Yes, again)
    - Microsoft(R) DRM
    - Microsoft(R) DRM (Yes, again)
    - QuickTime Plug-in 7.4.5 (I'll send it to the external player, please)
    - RealPlayer Version Plugin (RealAlternative, please)
    - RealPlayer(tm) G2 LiveConnet-Enabled Plug-IN (32-bit)
    - Windows Media Player Plug-in Dynamic Link Library

    So far, that's Sun, Apple, Real, Adobe, and Microsoft messing with my browser without telling me... and only because I'm quite strict with what I install on my system. This isn't Microsoft up to their old tricks, it's just them keeping up with the Joneses, and forcing me to keep up with everyone with an agenda. What else is new?

    I do have Silverlight installed, too, but at least the installer for that told me it would work with multiple browsers. Thank goodness the Mozilla people had the fine sense to let people see plugins and extensions, unlike IE6 and friends. Quite a few time I've had to fix someone's compter by hacking out IE extensions from the system registry, and that's not pleasant at all.

    • YES Unsuspecting... (Score:5, Insightful)

      by Anonymous Coward on Sunday February 01 2009, @10:53PM (#26689813)
      The .NET framework is not required for Firefox to run. Why would any sane person assume installing a totally unrelated framework would scribble all over Firefox?
    • It most definitely IS unexpected, because I was never notified anywhere that a MICROSOFT update would entail installing an addon to a completely NON-Microsoft product.

      Just because I installed the .NET framework, I'm subject to whatever else MS wants to do to my computer? Nay, sir, nay.

      • Re:First (Score:5, Funny)

        by Anthony_Cargile (1336739) on Sunday February 01 2009, @11:18PM (#26690035) Homepage

        !First. Fail!

        ...not first, fail not? ugh, this is why I prefer using the bitwise oprtator (~) instead, although in /. lore this is instead in jokes used to mean "home", per the bash usage instead of the one's complement.

        Or, I just need to get out more. After asking why all the guys were buying wings and beer on the same day in throngs at the grocery store, I found out the last super bowl was indeed not 32.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.