Microsoft Update Slips In a Firefox Extension 803
An anonymous reader writes "While doing a weekly scrub of my Windows systems, which includes checking for driver updates and running virus scans, I found Firefox notifying me of a new add-on. It's labelled 'Microsoft .NET Framework Assistant,' and it 'Adds ClickOnce support and the ability to report installed .NET versions to the web server.' The add-on could not be uninstalled in the usual way. A little Net searching turned up a number of sites offering advice on getting rid of the unrequested add-on." The unasked-for extension has been hitchhiking along with updates to Visual Studio, and perhaps other products that depend on .NET, since August. It appears to have gone wider recently, coming in with updates to XP SP3.
Re:malware.... (Score:3, Informative)
Remember Sony?
Unfortunately, for most people the answer is no... For me it is which time? The CD-ROM Trojan, or the secure thumb drive Trojan?
NOT Unsuspecting... (Score:4, Informative)
XP SP3? (Score:4, Informative)
Are you sure? Did you actually mean .Net 3.5 SP1? That's what just installed it on my machine. I've never seen XP SP3 install it.
Scumware, eh? (Score:5, Informative)
One hint that this "extension" is unwanted garbage is that when you Google (google: Microsoft Framework Assistant) for it and the top links are pages about how to remove it. Then the first link from your site (microsoft.com) is also a forum that mentions getting rid of it...
Anyway, here's how to remove it.
http://www.robertnyman.com/2009/01/26/microsoft-force-installs-firefox-extension/ [robertnyman.com]
Java does this, too (Score:4, Informative)
Re:XP SP3? (Score:3, Informative)
Re:Java does this, too (Score:1, Informative)
Sun offers steps to disable the Java Quick Starter [java.com], though. And those unexplained Ubuntu extensions can be removed by uninstalling the "ubufox" package (if I recall correctly; I haven't been using Ubuntu for a long time now.)
Re:Profiling, anyone? (Score:1, Informative)
The "raison d'etre" of the plug-in when installing latest the .NET framework is to provide support for "Click-Once" deployment of web-enabled applications via Firefox. This is no different than the Java SE installing it's plug-in for Java applets, or Adobe Reader installing it's plug-in for viewing PDFs directly within the browser. It has no effect on the browser at all unless you try to open a Click-Once application link specifically. This also isn't new; the plug-in has been available on Windows Update for at least half a year.
Re:Allowed scope of updates (Score:3, Informative)
There is an option that you have to check to allow updates to things other than Windows.
Re:Any real reason to nuke it? (Score:2, Informative)
Re:Java does this, too (Score:4, Informative)
WTF? Do you understand why this is an issue?
Some of the recent updates for Java SE have included "Java Quick Starter". And for those with Ubuntu, there are a number of things that show up in the Add-ons list that are not explained well.
Neither of the examples you cite update an independently installed third party software without giving you an easy way of uninstalling.
FFS.
Re:XP SP3? (Score:3, Informative)
.Net 2.0 SP2 is an update to .Net 2.0, not XP SP3. It's the same installer binary for whatever version of Windows you have (64/32-bit differences aside)
Re:malware.... (Score:5, Informative)
Re:malware.... (Score:5, Informative)
If you install something (e.g. an extension) via apt or (I assume) rpm on Linux, Firefox can't uninstall it since it isn't running as root. In that scenario, the button is grayed out with no explanation. But, of course, you can always ask apt/rpm to remove the offending software, or not install it in the first place...
Re:Allowed scope of updates (Score:1, Informative)
You authorized it when you installed SP1. The extension is clearly described in the ClickOnce section of the SP1 feature list. We all read feature lists, changelogs and release notes very carefully whenever we install something this significant, right?
Technically, Microsoft didn't modify a single bit of Firefox. It just dropped the extension where Firefox could find it.
http://channel9.msdn.com/forums/Coffeehouse/421171-NET-Framework-Assistant/?CommentID=421225 [msdn.com]
Copied from Channel 9. Yes, you authorized this. You also authorized this by enabling Microsoft Update IN ADDITION to Windows Update. It does not do this by default.
Basically, if you didn't want this, it's your own fault for blindly allowing things to be installed on the server. It sounds like its there to aid Visual Studio in prototyping web apps with firefox (for those who use firefox) and other general junks.. it's not exactly a trojan. Calm down, morons. Go sue your pillow for a while.
Re:but... (Score:1, Informative)
Microsoft, huh? (Score:5, Informative)
Here's a look at all the plugins I didn't want and had to disable:
Extensions: .NET Framework Assistant 1.0
- Java Quick Starter 1.0
- Microsoft
Plugins: - Adobe Acrobat
- Java(TM) Platform SE 6 U10
- Java(TM) Platform SE 6 U11
- Java(TM) Platform SE 6 U11 (Yes, again)
- Microsoft(R) DRM
- Microsoft(R) DRM (Yes, again)
- QuickTime Plug-in 7.4.5 (I'll send it to the external player, please)
- RealPlayer Version Plugin (RealAlternative, please)
- RealPlayer(tm) G2 LiveConnet-Enabled Plug-IN (32-bit)
- Windows Media Player Plug-in Dynamic Link Library
So far, that's Sun, Apple, Real, Adobe, and Microsoft messing with my browser without telling me... and only because I'm quite strict with what I install on my system. This isn't Microsoft up to their old tricks, it's just them keeping up with the Joneses, and forcing me to keep up with everyone with an agenda. What else is new?
I do have Silverlight installed, too, but at least the installer for that told me it would work with multiple browsers. Thank goodness the Mozilla people had the fine sense to let people see plugins and extensions, unlike IE6 and friends. Quite a few time I've had to fix someone's compter by hacking out IE extensions from the system registry, and that's not pleasant at all.
documentation (Score:3, Informative)
there is a doc about that extension, written by M$:
http://msdn.microsoft.com/en-us/library/cc716877.aspx [microsoft.com]
according to that site, its present sice *July* 2008
It's not possible to guard against this (Score:3, Informative)
Firefox is a standards-compliant program that does things via standard API's. MS is going behind Firefox's back and putting stuff in places where Firefox can't write/delete files. You do *NOT* want FF to be able to write/delete all over your system. That is one reason it's safer than IE.
Re:Is this SO bad? (Score:3, Informative)
OK, Captain Open Standards. I'm sure you can refer MS to the open standards dealing with ClickOnce installs of .NET apps?
Oh. OK, I guess you can't.
Re:malware.... (Score:4, Informative)
I did. I can't find "Microsoft .NET Framework Assistant" anywhere.
Re:Exactly! (Score:2, Informative)
They have added a goddamn handler for the clickonce mime type. That is all. This is useful. This allows firefox adoption in the many businesses that deliver LOB thick client apps using clickonce.
It's useful, unless you don't want to make it easier to install software from any website that offers it. I would argue that ClickOnce is a lot more trouble than it's worth.
Before you get on your MS bashing high-horse, you might choose to take a glance at Sun, who has been including the _goddamn google toolbar_ in Java updates as a default option.
Unless I'm misremembering, a good number of us folk *have* bee bashing Sun for that. I believe the phrase "whoring themselves out for cash" has been used in the context of discussions about this behavior before...
Re:Erm, right.... (Score:2, Informative)
Not updating (Score:3, Informative)
And this is why my XP system has not been updated in two years now. The PC's working, Microsoft won't support the OS much longer, and Microsoft is known for messy and intrusive changes. Ain't no way I'm letting them near my computer now.
Yes, that means I have dozens of unplugged security holes, but then there are dozens of unplugged holes even after updating - plus the messy changes into the bargain. Ultimately I'm probably safer relying on a NAT router and a virus scanner than on system fixes.
Re:malware.... (Score:3, Informative)
You trusted MS?
I don't trust even Google, that swears by their company they won't 'be evil'.
Re:malware.... (Score:3, Informative)
In the case of firefox extensions in apt-based distros, true you can't uninstall the extensions through the browser, but you can disable them.
Also changes User-Agent string (Score:5, Informative)
The .Net Framework Assistant also changes the User-Agent string of the Firefox browser, adding "(.NET CLR 3.5.30729)", so infected sites can better detect which MS vulnerability to exploit.
Re:malware.... (Score:1, Informative)
Microsoft should be forced to open source things they want to add on to NON MS applications .jar in your favourite archiver and browse away.
You'll be pleased to know that Firefox extensions are written in plaintext javascript/XUL. If you want to 'view the source', just open the
Re:Mod up. 5 is not enough. (Score:5, Informative)
Yeah because when you choose to install software on your computer its completely wrong of them to actually install that software on your computer.
This program is mentioned in the new features list of .NET Framework 3.5.
http://msdn.microsoft.com/en-us/library/bb613588.aspx [microsoft.com]
No big deal. Return to your homes. Disaster averted.
Re:malware.... (Score:5, Informative)
If they wanted to do [a bunch of Bad Stuff], they wouldn't be so stupid as to make it an extension that's clearly visible in the Firefox preferences.
What kind of argument is this? "See, Microsoft is totally upfront about what they're secretly installing! All you have to do is open Firefox, go to Tools -> Add-ons -> Extensions -> Local Planning Office -> Dark Basement -> Locked File Cabinet..."
If you run Microsoft Windows then you accept that you run whatever software Microsoft chooses to put on your machine
That's not true according to the Windows EULA, nor in a pragmatic sense. The precedent has already been established that the OS can be configured to require the local administrator to give explicit permission for each patch to be applied; the outrage here is that this time, that choice was not offered, and the affected software was neither part of the operating system nor even a Microsoft product.
There's enough FUD surrounding Microsoft Windows without your contributions to it.
Quick uninstall (Score:5, Informative)
For a fast removal of the .NET Framework Assistant 1.0 from Firefox, save the following text as decrap.reg and run:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"=-
To run this from a command line (like a login script on all your machines):
regedit.exe /s decrap.reg
Feel free to modify and add the strings of any other extensions you want to auto-kill...
Microsoft has also added to the Firefox prefs.js config file, located at C:\Documents and Settings\USERNAME\Application Data\Mozilla\Firefox\Profiles\XXXXXXXX.default, where USERNAME is the user profile and XXXXXXXX is random characters. You will find these entries added to the file:
user_pref("general.useragent.extra.microsoftdotnet", "(.NET CLR 3.5.30729)");
user_pref("microsoft.CLR.clickonce.autolaunch"
You can remove these lines manually after closing all Firefox windows.
You can type about:config in the URL bar, and filter for 'microsoft' if you want to see what the slimeballs have been adding to your browser.
(high posting so you can find this...)
Re:malware.... (Score:4, Informative)
Re:sony (Score:3, Informative)
It's funny how the fanboi mentality works (and not as a valid argument, mind you)
Microsoft did not just package IE with Windows, it illegally tied the it to Windows where the user had no choice about it being installed and they could not remove it easily. The US and EU governments have investigated and have accused Microsoft of being a monopoly, it is not just fanbois making that accusation.
Sound more like an incessantly nagging spouse on a power trip please...
You yourself are either a fanboi or an astroturfer. I mean come on, a content-free post complaining about other computer users complaining about the software installed on THEIR computers?
If you are an astroturfer, does Microsoft pay well? If you are doing this for free why? Why do you feel compelled to defend a large faceless corporation like Microsoft? Especially given their past criminal behavior?
Too bad you can't channel all that time and energy into some productive activities that benefit humankind instead...