Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Microsoft Mozilla Operating Systems Software The Internet Windows

Microsoft Update Slips In a Firefox Extension 803

An anonymous reader writes "While doing a weekly scrub of my Windows systems, which includes checking for driver updates and running virus scans, I found Firefox notifying me of a new add-on. It's labelled 'Microsoft .NET Framework Assistant,' and it 'Adds ClickOnce support and the ability to report installed .NET versions to the web server.' The add-on could not be uninstalled in the usual way. A little Net searching turned up a number of sites offering advice on getting rid of the unrequested add-on." The unasked-for extension has been hitchhiking along with updates to Visual Studio, and perhaps other products that depend on .NET, since August. It appears to have gone wider recently, coming in with updates to XP SP3.
This discussion has been archived. No new comments can be posted.

Microsoft Update Slips In a Firefox Extension

Comments Filter:
  • malware.... (Score:5, Insightful)

    by gchesney0001 ( 667278 ) on Sunday February 01, 2009 @10:47PM (#26689717)
    Remember Sony?
    • by ScrewMaster ( 602015 ) * on Sunday February 01, 2009 @10:49PM (#26689755)

      Remember Sony?

      Yes. Trying not to.

      • sony (Score:5, Funny)

        by symbolset ( 646467 ) on Sunday February 01, 2009 @10:57PM (#26689859) Journal

        Never forget.

        Forgetting is key to getting caught again. You can only catch a cat in the same trap once.

        • Re:sony (Score:5, Insightful)

          by MrNaz ( 730548 ) * on Sunday February 01, 2009 @11:07PM (#26689957) Homepage

          Unless that cat is the American public and the time since the last time you caught them is greater than the time since the last episode of American Idol.

          • Comment removed (Score:5, Insightful)

            by account_deleted ( 4530225 ) on Monday February 02, 2009 @05:59AM (#26692365)
            Comment removed based on user account deletion
            • Re:sony (Score:4, Interesting)

              by slashdottedjoe ( 1448757 ) on Monday February 02, 2009 @09:28AM (#26693835)
              I am disappointed that MS is pushing out .Net 3.5 as a high priority update to v2. The real reason can be found looking up .Net 3.5 on Google. Developers want this out there and hoped it would have been in XP SP3. I really do not care what developers want. It is my system and the Windows updates need to be for system maintenance and not for pushing an agenda from MS and its developers. I emailed MS and complained. I had not installed that update, so I had not seen the FF ext. Hearing this, I am even more alarmed over MS activities.
            • Re:sony (Score:5, Funny)

              by Richy_T ( 111409 ) on Monday February 02, 2009 @09:40AM (#26693955) Homepage

              Isn't installing BHOs that are not asked for and cannot be uninstalled without hacking pretty much the definition of malware?

              Give the guy a chance, he's only been in for two weeks...

              Rich

          • Quick uninstall (Score:5, Informative)

            by qubezz ( 520511 ) on Monday February 02, 2009 @10:11AM (#26694329)

            For a fast removal of the .NET Framework Assistant 1.0 from Firefox, save the following text as decrap.reg and run:

            Windows Registry Editor Version 5.00

            [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
            "{20a82645-c095-46ed-80e3-08825760534b}"=-

            To run this from a command line (like a login script on all your machines):

            regedit.exe /s decrap.reg

            Feel free to modify and add the strings of any other extensions you want to auto-kill...

            Microsoft has also added to the Firefox prefs.js config file, located at C:\Documents and Settings\USERNAME\Application Data\Mozilla\Firefox\Profiles\XXXXXXXX.default, where USERNAME is the user profile and XXXXXXXX is random characters. You will find these entries added to the file:

            user_pref("general.useragent.extra.microsoftdotnet", "(.NET CLR 3.5.30729)");
            user_pref("microsoft.CLR.clickonce.autolaunch"

            You can remove these lines manually after closing all Firefox windows.

            You can type about:config in the URL bar, and filter for 'microsoft' if you want to see what the slimeballs have been adding to your browser.

            (high posting so you can find this...)

        • by Anonymous Coward on Sunday February 01, 2009 @11:50PM (#26690295)
          People think that Microsoft is a software company that is sometimes abusive. But it isn't, in my opinion. Microsoft is an abuse company that delivers abuse using software.
          • by Anonymous Coward on Monday February 02, 2009 @07:59AM (#26692985)

            you came here for software? I'm sorry, this is Abuse!

      • Re:malware.... (Score:5, Insightful)

        by Anonymous Coward on Monday February 02, 2009 @01:59AM (#26691199)

        The true question here is not how to uninstall it. The question everyone should be asking is: is it messing with other settings in firefox, reporting back to MS what other extensions I use, monitoring my web traffic, going to break my browser, new security holes? Maybe I don't want my f'ing browser to report what other software is installed on my computer.

        How about this one: Ok Microsoft, you are making automatic changes to software written by other companies without permission or request of the user. I don't care if you say it's just an extension, you didn't ask me! My trust just went right down the toilet.

        Note: I noticed this extension the other night on a system in VMWare but I haven't had a chance to look into it yet.

        In all fairness I think Microsoft should be forced to open source things they want to add on to NON MS applications. That way people can go take a look... Especially when you don't ask the user permission.

        Are there any legality issues with what they just did here?

        • by stephanruby ( 542433 ) on Monday February 02, 2009 @03:23AM (#26691639)
          I'm kind of torn on this. On one hand, it's Microsoft, but on the other hand they seem to be competing directly with Amazon's one-click button technology.
        • by Arslan ibn Da'ud ( 636514 ) on Monday February 02, 2009 @05:01AM (#26692087) Homepage

          How about this one: Ok Microsoft, you are making automatic changes to software written by other companies without permission or request of the user. I don't care if you say it's just an extension, you didn't ask me! My trust just went right down the toilet.

          Don't worry, just flush. You'll have some more trust in about 20-30 hours.

          (I'm only half-joking)

        • Re:malware.... (Score:5, Insightful)

          by Ed Avis ( 5917 ) <ed@membled.com> on Monday February 02, 2009 @06:07AM (#26692405) Homepage

          is it messing with other settings in firefox, reporting back to MS what other extensions I use, monitoring my web traffic, going to break my browser, new security holes?

          If they wanted to do that, they wouldn't be so stupid as to make it an extension that's clearly visible in the Firefox preferences. Since Microsoft control the operating system and can push out updates for it, any trojan they wanted to install would be much more stealthy.

          If you run Microsoft Windows then you accept that you run whatever software Microsoft chooses to put on your machine, and without source code you have little hope of finding out exactly what it's doing. If you do not trust Microsoft, I suggest you uninstall Windows from your computer right now.

          • by nine-times ( 778537 ) <nine.times@gmail.com> on Monday February 02, 2009 @08:25AM (#26693125) Homepage

            If they wanted to do that, they wouldn't be so stupid as to make it an extension that's clearly visible in the Firefox preferences.

            After some recent events [arstechnica.com], I'm starting to suspect that Microsoft may indeed be stupid.

          • Re:malware.... (Score:5, Informative)

            by poot_rootbeer ( 188613 ) on Monday February 02, 2009 @09:46AM (#26694043)

            If they wanted to do [a bunch of Bad Stuff], they wouldn't be so stupid as to make it an extension that's clearly visible in the Firefox preferences.

            What kind of argument is this? "See, Microsoft is totally upfront about what they're secretly installing! All you have to do is open Firefox, go to Tools -> Add-ons -> Extensions -> Local Planning Office -> Dark Basement -> Locked File Cabinet..."

            If you run Microsoft Windows then you accept that you run whatever software Microsoft chooses to put on your machine

            That's not true according to the Windows EULA, nor in a pragmatic sense. The precedent has already been established that the OS can be configured to require the local administrator to give explicit permission for each patch to be applied; the outrage here is that this time, that choice was not offered, and the affected software was neither part of the operating system nor even a Microsoft product.

            There's enough FUD surrounding Microsoft Windows without your contributions to it.

    • Re:malware.... (Score:5, Insightful)

      by eebra82 ( 907996 ) on Sunday February 01, 2009 @11:01PM (#26689901) Homepage
      I wouldn't class Sony's rootkit 'malware' as much as it was a security risk. This is not even remotely close to how stupid Sony's decision was.

      Having said that, I wonder if this update is stated anywhere in the ToA.
      • Re:malware.... (Score:5, Insightful)

        by Lendrick ( 314723 ) on Sunday February 01, 2009 @11:36PM (#26690175) Homepage Journal

        Who's to say this thing isn't a security risk? Microsoft?

        Of course, we don't *know* that this software is bad, but my policy with my own machine is that if I don't know what something does, it doesn't run on my computer, which is why my computer still runs smoothly even though I haven't reinstalled Windows for several years.

        For those of you who are assuming it's probably safe (and admittedly, you're probably right), there's another good reason to get rid of it. Microsoft changing your browser string to indicate that this piece of software is installed in your browser. The purpose of this, most likely, is to increase the installed base for this software, and use that as an argument to ush whatever new web technology they're pushing. Now that non-IE browsers account for 30% of the total browsers on the internet, Microsoft is losing their stranglehold on web "standards", and they're pulling this crap to get it back.

        Don't be a part of it. Remove this plugin, then go into about:config and change your browser string back so it doesn't falsely advertise that you have it installed.

        Oh, and as far as Firefox goes... why is the uninstall button grayed out? This feels like a UI issue to me; principals of user-friendliness dictate that I ought to be in control of whether or not I can uninstall an add-on. Even having code in the browser that allows someone to take that freedom away from me is a bad thing. (Of course, is it really Firefox's fault? Is there a technical reason that Firefox *can't* uninstall the plugin?)

        • Re:malware.... (Score:5, Informative)

          by mR.bRiGhTsId3 ( 1196765 ) on Sunday February 01, 2009 @11:46PM (#26690257)
          Firefox cannot uninstall plugins that are installed to "sensitive" areas, like the actual Program Files folder. Skype does this also. It shouldn't prevent you from disabling the add-on though.
        • Re:malware.... (Score:5, Informative)

          by Thinboy00 ( 1190815 ) <thinboy00&gmail,com> on Sunday February 01, 2009 @11:52PM (#26690311) Journal

          If you install something (e.g. an extension) via apt or (I assume) rpm on Linux, Firefox can't uninstall it since it isn't running as root. In that scenario, the button is grayed out with no explanation. But, of course, you can always ask apt/rpm to remove the offending software, or not install it in the first place...

        • by Jane Q. Public ( 1010737 ) on Monday February 02, 2009 @12:35AM (#26690655)
          Installing software on my computer -- especially software that is designed to make YOUR software work better, at the possible expense of others -- without my knowledge or consent is UNETHICAL . Period. And deliberately making uninstall difficult? INEXCUSABLE!!!

          Shame on MS. They have been through this before and should know better. Bad. Bad. Negative points. Sad, sad negative Karma.
        • Re:malware.... (Score:5, Insightful)

          by johannesg ( 664142 ) on Monday February 02, 2009 @01:35AM (#26691065)

          there's another good reason to get rid of it. Microsoft changing your browser string to indicate that this piece of software is installed in your browser. The purpose of this, most likely, is to increase the installed base for this software, and use that as an argument to ush whatever new web technology they're pushing. Now that non-IE browsers account for 30% of the total browsers on the internet, Microsoft is losing their stranglehold on web "standards", and they're pulling this crap to get it back.

          This. It doesn't very often happen that a point is so important that I feel the need to quote it entirely and just add a "me too", but this is one of those very rare occasions.

          They have just hijacked every Firefox install out there, and are using it to advertise their own product. The only appropriate response would be for Mozilla to automatically refuse it from Firefox with the next Firefox update.

          • by Anonymous Coward on Monday February 02, 2009 @05:42AM (#26692277)

            The only appropriate response would be for Mozilla to automatically refuse it from Firefox with the next Firefox update.

            I have a better idea, let Firefox add an "extension" to Microsoft Office that improves its usability by downloading and starting OpenOffice when the user starts MS Office.

        • by Antony-Kyre ( 807195 ) on Monday February 02, 2009 @01:51AM (#26691161)

          Is there any difference between Microsoft doing that to Firefox, and Microsoft doing that popup blocker with Internet Explorer when someone does the SP2 update? Or how they force a firewall on you?

          You see, Microsoft is akin to a proctologist. Sticking things where they don't belong.

  • Huh! (Score:5, Insightful)

    by ScrewMaster ( 602015 ) * on Sunday February 01, 2009 @10:48PM (#26689737)
    This definitely goes into the "WTF?" category.
    • Exactly! (Score:5, Insightful)

      by Jane Q. Public ( 1010737 ) on Monday February 02, 2009 @12:51AM (#26690773)
      This is where Microsoft shows its true colors. They believe that as long as you are running Windows, they actually have RIGHTS regarding your desktop and the software you run.

      They think they have a right to re-configure the software you use, for their own convenience and profit. That they can install things and you should have no say in the matter.

      I am serious. On the corporate level (not most individual employees, I am sure), they really think that way. The evidence is incontrovertible.

      Which used to serve them well. But which, in today's environment, is suffering a greater and greater disconnect with reality. I am sure you have noticed this yourself... the most obvious explanation for Microsoft's accelerating loss of market share is simply that they have lost touch with the realities of the market: their users' wants and needs, and, not to make too small a point of it, their business ethics.

      I am not surprised at all.
      • Re:Exactly! (Score:5, Insightful)

        by ais523 ( 1172701 ) <ais523(524\)(525)x)@bham.ac.uk> on Monday February 02, 2009 @06:23AM (#26692477)

        They think they have a right to re-configure the software you use, for their own convenience and profit. That they can install things and you should have no say in the matter.

        They do. Read the EULA.

    • Re:Huh! (Score:4, Insightful)

      by obarthelemy ( 160321 ) on Monday February 02, 2009 @02:49AM (#26691479)

      This is probably actionnable under whatever covenant MS signed to get out of the antitrust lawsuits against them: they're using the OS (windows update) to modify a competitor's software (FF), in order to give an unfair advantage to one of their technologies/product.

      If that behaviour can be proven, someone stands to make a lot of money. Several someones: the states, the competitors...

  • by Statecraftsman ( 718862 ) * on Sunday February 01, 2009 @10:49PM (#26689751)
    Microsoft gives us updates all the time and we trust them to fix bugs and security holes. Firefox not coming with their extension is not in the scope of bugs and security holes they should fix. When they overstep their bounds like this ON TOP of an application(esp. a free software application) what might they be doing in their proprietary code under the application? Whatâ(TM)s next, an OpenOffice extension to make sure Microsoft never has an $ where their s is?
  • Amazing (Score:5, Insightful)

    by kcbanner ( 929309 ) on Sunday February 01, 2009 @10:49PM (#26689753) Homepage Journal
    Classic move. People noticed. Two steps forward 10 steps back, eh?
  • NOT Unsuspecting... (Score:4, Informative)

    by eWarz ( 610883 ) on Sunday February 01, 2009 @10:50PM (#26689773)
    The add-on is automatically installed when you install the latest version of the .net framework. Microsoft Update does NOT automatically install this add-on. In order for it to be installed you had to explicitly choose to install the .net framework.
  • by madcat2c ( 1292296 ) on Sunday February 01, 2009 @10:53PM (#26689801)
    They are gathering intelligence on how to build on of these "web browsers".
  • by __aaclcg7560 ( 824291 ) on Sunday February 01, 2009 @10:53PM (#26689805)
    Yea, more spyware. Now on FireFox instead of Internet Explorer. :P
  • XP SP3? (Score:4, Informative)

    by Malc ( 1751 ) on Sunday February 01, 2009 @10:56PM (#26689841)

    Are you sure? Did you actually mean .Net 3.5 SP1? That's what just installed it on my machine. I've never seen XP SP3 install it.

  • A good sign! (Score:4, Insightful)

    by dclozier ( 1002772 ) on Sunday February 01, 2009 @10:56PM (#26689847)

    Although it's not the best approach that could have been taken it is a good sign. If Microsoft can no longer ignore Firefox then all those sites that still require IE to function will begin to follow.

    • Re:A good sign! (Score:4, Insightful)

      by markdavis ( 642305 ) on Sunday February 01, 2009 @11:03PM (#26689923)
      Yeah, well, so the sites will use some proprietary .NET stuff. I don't see such a plugin for non-MS operating systems. I would rather those sites that WERE ignoring Firefox code in something that not only works on all browsers but on all platforms as well.
  • Scumware, eh? (Score:5, Informative)

    by dmomo ( 256005 ) on Sunday February 01, 2009 @10:58PM (#26689863)

    One hint that this "extension" is unwanted garbage is that when you Google (google: Microsoft Framework Assistant) for it and the top links are pages about how to remove it. Then the first link from your site (microsoft.com) is also a forum that mentions getting rid of it...

    Anyway, here's how to remove it.

    http://www.robertnyman.com/2009/01/26/microsoft-force-installs-firefox-extension/ [robertnyman.com]

  • but... (Score:5, Insightful)

    by powerspike ( 729889 ) on Sunday February 01, 2009 @11:04PM (#26689929)
    It's Funny, i have had the same issue with apple update, i find it requesting to install updates for programs that weren't installed in the first place, seems like the same thing but different company...
    • Re:but... (Score:5, Insightful)

      by spectecjr ( 31235 ) on Sunday February 01, 2009 @11:28PM (#26690119) Homepage

      Except in Apple's case, it's somewhat worse... after all, why the fuck would they install MobileMe or Bonjour on my system when I install iTunes?

      Why the FUCK do they think I want their networking system along with their player?

      Bonjour [wikipedia.org]

      Grrrrrrrrrrrrrrrrrrrrrr. Weak. At least the .NET extension is within the realms of making sense.

      • Re:but... (Score:4, Insightful)

        by EvilIdler ( 21087 ) on Sunday February 01, 2009 @11:47PM (#26690271)

        I don't understand the hatred for Bonjour. It's a discovery protocol, used by Macs for ages. All it does is to make it possible to find other computers. Adobe seem to be using it in their latest products, so you'll be seeing it more. It's not as if Windows programs historically have been satisfied with just one version of a DLL, anyway ;)

        • Re:but... (Score:5, Interesting)

          by blincoln ( 592401 ) on Monday February 02, 2009 @12:02AM (#26690427) Homepage Journal

          I don't understand the hatred for Bonjour. It's a discovery protocol, used by Macs for ages. All it does is to make it possible to find other computers.

          The only reason I have iTunes installed is because I couldn't find a Quicktime download that didn't come with it. The only reason I have Quicktime installed is because of people who only make their content available as Quicktime files for whatever reason.

          *Why* would I want Quicktime to be able to discover other devices on my network? Even if I did, why would I want a service running all of the time as opposed to once every few months when I go to play a Quicktime file?

          I can only speak for myself, but that's why *I* hate Bonjour. I wanted Apple's poorly-coded (for Windows at least) proprietary video player. In order to get it, I had to get a bunch of extra software I most definitely didn't want.

          I already tried Quicktime Alternative. It wasn't able to play the newest Quicktime variants.

  • Java does this, too (Score:4, Informative)

    by RockMFR ( 1022315 ) on Sunday February 01, 2009 @11:05PM (#26689939)
    Some of the recent updates for Java SE have included "Java Quick Starter". And for those with Ubuntu, there are a number of things that show up in the Add-ons list that are not explained well.
  • by master_runner ( 958234 ) on Monday February 02, 2009 @12:00AM (#26690403) Homepage
    I find it interesting that people here are so outraged at MS installing an extension for third party software, particularly a web browser. Think about how many completely non-Mozilla related products install a Firefox extension - PDF readers, media players, etc. I'll take as an example Adobe Reader, which installs a plugin for in-browser viewing when you install the desktop app (I hate Adobe Reader too, but it's a high-profile example). Firefox is not an Adobe product at all! yet we aren't yelling at that. Additionally, MS already has components installed in FF. Silverlight and the Windows Presentation Foundation are both MS products that are commonly installed in Firefox as plugins, to enable apps that take advantage of Silverlight and .NET browser features to operate in Firefox and friends as well as Internet Explorer. This plugin seems to serve a similar purpose of allowing .NET-powered web apps (which MS wants to be common in the future) to operate in Firefox as well as Internet Explorer. It seems like we should appreciate this move towards interoperability on MS's part - the alternative is only supporting Internet Explorer for web apps.

    So it's really nothing abnormal to install an extension in a third party browser. This leaves us with only one issue, the fact that it was distributed via updates to other applications. I refute this as being a major issue for the exact same reason - quite a few programs update/install Firefox extensions as part of their normal update procedure - I raise Foxit Reader as an example, which as of v3.0 automatically installs a Firefox plugin. No one's yelling about that.

    A significant question here: If it wasn't Microsoft, would anyone be nearly as angry?
  • Is this SO bad? (Score:5, Insightful)

    by gorehog ( 534288 ) on Monday February 02, 2009 @12:06AM (#26690451)

    A lot of you will hate me for this...

    MS doing this is them trying to ensure that Firefox will work with their web apps (or, web apps built with their technology). Now, granted that they are taking liberties they should not. It would be better to just make the plugin easy to get and install. Consider however that they are doing this so their technology will work on a standards-compliant browser. That's not nothing. It IS dysfunctional in a passive-aggressive way (aggressive-passive?). On the other hand MS is trying to make the browsing experience BETTER for people who use .Net with Firefox. I'm not so sure this is a bad thing. maybe poorly executed...but...there's an argument for saying it's not.

    Look, if you were running Ubuntu, installed Opera, and automatically got plugins from Synaptic for Opera that added new functionality would you complain?

    Then again, the convoluted removal process should be reconsidered.

  • Security (Score:5, Insightful)

    by Adrian Lopez ( 2615 ) on Monday February 02, 2009 @12:29AM (#26690613) Homepage

    Given Microsoft's track record with security, I worry:

    - Windows user installs Firefox to avoid IE's security flaws.
    - Microsoft silently installs a plugin onto Firefox that reports the browser includes .NET functionality allows websites to host .NET executables.
    - Hackers discover a way to exploit this.
    - Thus, Firefox is now less secure thanks to Microsoft.

  • Quickly forgotten (Score:5, Insightful)

    by scdeimos ( 632778 ) on Monday February 02, 2009 @01:23AM (#26690973)

    Anybody remember when Windows "Genuine Advantage" validation software was getting slipped in as part of "critical updates" for things like the Microsoft Flash Player patch? It wasn't really that long ago.

    You don't seriously expect Microsoft to *not* do these sorts of things on what they consider to be *their* systems, do you?

  • Microsoft, huh? (Score:5, Informative)

    by Waccoon ( 1186667 ) on Monday February 02, 2009 @01:23AM (#26690981)

    Here's a look at all the plugins I didn't want and had to disable:

    Extensions:
    - Java Quick Starter 1.0
    - Microsoft .NET Framework Assistant 1.0

    Plugins: - Adobe Acrobat
    - Java(TM) Platform SE 6 U10
    - Java(TM) Platform SE 6 U11
    - Java(TM) Platform SE 6 U11 (Yes, again)
    - Microsoft(R) DRM
    - Microsoft(R) DRM (Yes, again)
    - QuickTime Plug-in 7.4.5 (I'll send it to the external player, please)
    - RealPlayer Version Plugin (RealAlternative, please)
    - RealPlayer(tm) G2 LiveConnet-Enabled Plug-IN (32-bit)
    - Windows Media Player Plug-in Dynamic Link Library

    So far, that's Sun, Apple, Real, Adobe, and Microsoft messing with my browser without telling me... and only because I'm quite strict with what I install on my system. This isn't Microsoft up to their old tricks, it's just them keeping up with the Joneses, and forcing me to keep up with everyone with an agenda. What else is new?

    I do have Silverlight installed, too, but at least the installer for that told me it would work with multiple browsers. Thank goodness the Mozilla people had the fine sense to let people see plugins and extensions, unlike IE6 and friends. Quite a few time I've had to fix someone's compter by hacking out IE extensions from the system registry, and that's not pleasant at all.

  • by Zaiff Urgulbunger ( 591514 ) on Monday February 02, 2009 @06:28AM (#26692499)
    Mozilla should include a Linux OS extension with Firefox then. And install it by default! :D
  • by tonk ( 101504 ) on Monday February 02, 2009 @07:40AM (#26692863) Homepage

    The .Net Framework Assistant also changes the User-Agent string of the Firefox browser, adding "(.NET CLR 3.5.30729)", so infected sites can better detect which MS vulnerability to exploit.

Ocean: A body of water occupying about two-thirds of a world made for man -- who has no gills. -- Ambrose Bierce

Working...