Microsoft Update Slips In a Firefox Extension

An anonymous reader writes "While doing a weekly scrub of my Windows systems, which includes checking for driver updates and running virus scans, I found Firefox notifying me of a new add-on. It's labelled 'Microsoft .NET Framework Assistant,' and it 'Adds ClickOnce support and the ability to report installed .NET versions to the web server.' The add-on could not be uninstalled in the usual way. A little Net searching turned up a number of sites offering advice on getting rid of the unrequested add-on." The unasked-for extension has been hitchhiking along with updates to Visual Studio, and perhaps other products that depend on .NET, since August. It appears to have gone wider recently, coming in with updates to XP SP3.

Re:Allowed scope of updates

[zobier]

It is totally unacceptable for Microsoft to interfere with any of the 3rd party software I have installed on my computer whether via their update mechanism or otherwise. If I ever find any of these shenanigans going on I will raise a formal complaint with the appropriate government competition bureau, I encourage others to do the same.

Re:Huh!

[carlzum]

Exactly, this could have been touted as proof that MS was serious about .NET interoperability. Instead they chose to install it silently and make it difficult to remove, making the update a nuisance to FF users.

Re:A good sign!

[glwtta]

If Microsoft can no longer ignore Firefox then all those sites that still require IE to function will begin to follow.

Is that really still a problem, though? I'm pretty sure that particular knee-jerk needs to be updated a bit.

I'm sure half a dozen people will jump in here with their favorite examples of IE-only sites, but chances are they will be quite obscure. I spend a fair amount of time online, and it hasn't really entered my mind in the last 2-3 years that I'm using some kind of "fringe" browser.

Now, internal corporate apps are another matter entirely; then again, they only have a 50/50 chance of ever working in their "supported" environment to begin with (ahh fond memories of having to install a VM with some extremely specific, and extremely ancient java version just to sign the company "ethics pledge" or whatever).

Re:Allowed scope of updates

[Thinboy00]

I hope someone, preferably the U.S. or E.U., sues them for anticompetitive practices (again).

Re:malware....

[Lendrick]

Interesting... Would it be possible to change Firefox in such a way that it refuses to recognize those plugins that it can't install?

Re:but...

[blincoln]

I don't understand the hatred for Bonjour. It's a discovery protocol, used by Macs for ages. All it does is to make it possible to find other computers.

The only reason I have iTunes installed is because I couldn't find a Quicktime download that didn't come with it. The only reason I have Quicktime installed is because of people who only make their content available as Quicktime files for whatever reason.

*Why* would I want Quicktime to be able to discover other devices on my network? Even if I did, why would I want a service running all of the time as opposed to once every few months when I go to play a Quicktime file?

I can only speak for myself, but that's why *I* hate Bonjour. I wanted Apple's poorly-coded (for Windows at least) proprietary video player. In order to get it, I had to get a bunch of extra software I most definitely didn't want.

I already tried Quicktime Alternative. It wasn't able to play the newest Quicktime variants.

Re:malware....

[StuartHankins]

The fact that this unwanted addon is NOT visible in Add/Remove Programs, and this was done to a 3rd party program smells like an attempt at sabotage.

I'm not aware of any other Windows updates targeting 3rd party software.

Re:NOT Unsuspecting...

[ozphx]

Jeeze and when I installed the Java framework, boy was I surprised to get a plugin* for my browser! Golly gee whilikers, what a humdinger!

Looks like the Java framework supports some kinda browser integration, and those bastards over at Sun decided that by installing Java that I would like this feature to work!

So yes. You installed the .Net framework. The .Net framework put the appropriate hooks into the appropriate places, including your browser of choice. Fucking deal with it.

Re:malware....

[Arker]

So why didn't MS enable removal through the "add or remove programs" mechanism?

For the same reason they went to so much trouble to wire IE too deeply into the system to remove it.

Re:Allowed scope of updates

[Workaphobia]

Of course and as always, the word "trust" is used in its technical capacity to indicate a relationship characterized by uneasy vulnerability, rather than an actual commitment of faith.

Re:malware....

[Lendrick]

Touche.

A touch of vulgar honesty for you: I don't give two shits if my policy is "biased". I don't do it out of a sense of fairness; I do it to keep my computer running smoothly, and here in the real world, my strategy works, even if it's not ideologically perfect.

I'm not a huge fan of Microsoft, but my choice is either to run their OS or give up a lot of software that, quite frankly, I enjoy using (mostly games). I use Linux when I can, but unfortunately that's not all the time.

Re:Ho Hum

[l0ungeb0y]

And so the disabling of the "uninstall" button is totally cool with you?

Not sure which comments you were reading, but the ones I payed attention to were the ones that were ticked about the lack of any sort of notification prior, during or after the install, the lack of an opt-out and the intentional disabling of the uninstall button.

Wasn't there some laws being pushed that made this sort of covert install procedure illegal? Or did MS and Sony get those laws squashed?

Re:Ho Hum

[knorthern knight]

> The amount of venom/vitriol/nerdrage comments in this story is fucking astounding.

    Why, because MS is so benevolent and competent and writes such secure code? No. The reason is because of their high-handed tactics, combined with their propensity for malicious behaviour. And please, forget the old saw about not assumimg malice when effing incompetence explains things; the results are the same.

    The reaction would've been totally different if MS had promoted this plugin, and made its installation voluntary, and made uninstallation possible without registry hacking. Note that dozens of obscure extensions show up on https://addons.mozilla.org/en-US/firefox/ [mozilla.org] This is the "official channel" for people who want to enhance their Firefox. The extensions at this site are downloaded voluntarily by end-users who feel a need for them. And these extensions can be uninstalled by the same users who install them. MS merely needed to have asked the Mozilla folks to link to a specific MS webpage from their addons section, and things would've been copacetic.

    Instead, MS chose to act like Apple. Remember the flak Apple caught for trying to sneak in Itunes and Safari for people who install/update Quicktime? We happen to be "equal-opportunity-bashers" here. MS acts like Apple, they catch flak like Apple.

Yes, I did RTFA. FFClickOnce makes automated installation of .NET code (the successor to Visual Basic) much easier. Have you ever heard the phrase "drive-by download"??? Many people fled from IE to FF specifically to avoid this very problem. Now MS throws in code that may enable this in FF. No thanks. BTW, there was a plugin for FF that provided ActiveX support for FF (For crying out loud... WHY?). Let's just say I wouldn't want it on my work machine either.

Re:but...

[Dhalka226]

Oh. My. God.

Spyware? Are you kidding now? Because it tells you what version of .NET is installed on a system and lets you launch a .NET program as easily as you would with IE?

Well holy hell boys, you'd better all uninstall all of your web browsers. Do you know those damn things are spyware? They report what version of your browser and operating system you use! And your IP address, so that the evil hacker groups know where to find you.

There are plenty of problems with what MS did and the way they did it. This is not one of them. This is hyperbolic bullshit, plain and simple.

Re:but...

[sumdumass]

Depends on when he installed QuickTime. Apple pulled a stunt where is hid and changed the downloed to Quicktime without Itunes. There was a period of a couple of months where they even forgot to make the public page for the standalone download availible from the quicktime page. That means if you didn't follow a link in from a this party site, you wouldn't have found it.

It's possible that both of you are right and neither of you are wrong or not looking very hard depending when he went after the QuickTime. Apple certainly didn't make it easy.

Re:It's not possible to guard against this

[FriendlyLurker]

Firefox is a standards-compliant program that does things via standard API's. MS is going behind Firefox's back and putting stuff in places where Firefox can't write/delete files. You do *NOT* want FF to be able to write/delete all over your system. That is one reason it's safer than IE.

Sure, fair enough. But FF can *ignore* said extensions in a standards compliant way without writing/deleting all over your system. A simple user authorised extensions list will do the trick.

Re:Why get upset? Firefox users avoid proprietary

[zoney_ie]

Well, obviously Firefox does not obstruct the possibility for some other random application to install a Firefox plug-in as part of the install process.

How does a Firefox user have any assurance that it's a good idea for them to manually install a given plug-in in any case?

As far as I can see, it's just because people "like" Firefox that they choose to believe it's all perfect. It's just like Apple, or Google, or $FlavourOfTheYear

This story is as much about Firefox insecurity as Microsoft surrepticiousness in my opinion.

Re:Firefox security hole

[BBird]

It isn't. First time you start firefox after the update it tells you about the new add on and you can delete it or disable it on the spot. Before that it will not work. I've got the ms update and was surprised myself (as I only run on demand ms updates, and review before installing, and it did not say it was installing this add on bundled in .not update)

Re:malware....

[Anonymous Coward]

As an added thought - if MS feels free to do this to other Software, how does that impact their EULA - which is written to specifically prevent this sort of behaviour.

Does this mean that years of piracy/hacking/cracking cases should now be reviewed?

Re:sony

[slashdottedjoe]

I am disappointed that MS is pushing out .Net 3.5 as a high priority update to v2. The real reason can be found looking up .Net 3.5 on Google. Developers want this out there and hoped it would have been in XP SP3. I really do not care what developers want. It is my system and the Windows updates need to be for system maintenance and not for pushing an agenda from MS and its developers. I emailed MS and complained. I had not installed that update, so I had not seen the FF ext. Hearing this, I am even more alarmed over MS activities.

Re:sony

[Machtyn]

The difference is you choose to install Flash. You knowingly (in most cases) go to Adobe, download the flash installer, agree to some sort of EULA, and install Flash with the understanding that it will be modifying third party software.

Microsoft is doing this in an update without notifying its users (as far as has been reported) that this update will be modifying third party software with no easy way to prevent or uninstall the change.

Given that, I am curious to know how this addon will improve my web experience in Firefox. Will it open security holes beyond what is already in Firefox and my other addons? Will it slow or decrease performance of FF? What benefit is it to FF (I thought .NET was already compatible with FF and other webbrowsers.)