Microsoft sneaks in Firefox extension via Update

Summary: The good news is that Microsoft is writing extensions for Firefox. The bad news is, the Redmond giant is slipping the extension onto systems without notifying users and making it difficult to get rid of the extension.

The good news is that Microsoft is writing extensions for Firefox. The bad news is, the Redmond giant is slipping the extension onto systems without notifying users and making it difficult to get rid of the extension. Even worse? It's an extension that allows Web sites to install software onto users' PCs behind the scenes -- meaning that Firefox users on Windows may not be as safe as they think.

Brian Krebs, who originally recommended the .NET Framework that sneaks the extension into Firefox, writes:

Anyway, I'm sure it's not the end of the world, but it's probably infuriating to many readers nonetheless. Firstly -- to my readers -- I apologize for overlooking this..."feature" of the .NET Framework security update. Secondly -- to Microsoft -- this is a great example of how not to convince people to trust your security updates.

Krebs is right: It's not the end of the world. But it seems like a violation of user trust to monkey with a third-party program -- and to top it off by making it difficult to remove the extension without editing the Windows Registry. By using the update mechanism to sneak software onto the system, Microsoft is telling security-conscious users to be suspicious of updates and to deploy them only after they've been widely vetted, or to choose a more trustworthy vendor.

As a Linux user, I find it makes little difference to me what Microsoft does via Windows Update -- users on openSUSE and other Linux distros can see exactly what updates will do to their system, down to the source code, if they choose to take the time.

But, failing a source code audit, Microsoft could at least provide a full disclosure of the packages and features modified when a user runs Windows Update. Without that, users should be wary indeed of trusting Microsoft's updates -- and, lacking a trust relationship for security updates, users should be wary of running Windows in the first place.


About

Joe 'Zonker' Brockmeier is the community manager for openSUSE, a community Linux distro sponsored by Novell. Prior to joining Novell, Brockmeier worked as a technology journalist primarily covering the Linux and FOSS beat, and wrote for a number of publications, such as Linux Magazine, Linux.com, Sys Admin, UnixReview.com, IBM developer...
