Microsoft sneaks in Firefox extension via Update


The good news is that Microsoft is writing extensions for Firefox. The bad news is, the Redmond giant is slipping the extension onto systems without notifying users and making it difficult to get rid of the extension. Even worse? It's an extension that allows Web sites to install software onto users' PCs behind the scenes -- meaning that Firefox users on Windows may not be as safe as they think.

Brian Krebs, who originally recommended the .NET Framework that sneaks the extension into Firefox, writes:

Anyway, I'm sure it's not the end of the world, but it's probably infuriating to many readers nonetheless. Firstly -- to my readers -- I apologize for overlooking this..."feature" of the .NET Framework security update. Secondly -- to Microsoft -- this is a great example of how not to convince people to trust your security updates.

Krebs is right: It's not the end of the world. But it seems like a violation of user trust to monkey with a third-party program -- and top it off by making it difficult to remove the extension without editing the Windows Registry. By using the update mechanism to sneak software onto the system, Microsoft is telling security-conscious users to be suspicious of updates and to deploy them only after they've been widely vetted, or choose a more trustworthy vendor.

As a Linux user, it makes little difference to me what Microsoft does via Windows Update -- users on openSUSE and other Linux distros can see exactly what updates will do to their system, down to the source code, if they choose to take the time.

But, failing a source code audit, Microsoft could at least provide a full disclosure of the packages and features modified when a user runs Windows Update. Without that, users should be wary indeed of trusting Microsoft's updates -- and missing a trust relationship for security updates, users should be wary of running Windows in the first place.
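
The registry dependence mentioned above can be audited. The following Python is an added example, not part of the original article: it parses a registry export for the keys Firefox on Windows has used to load extensions registered outside the profile (`Software\Mozilla\Firefox\Extensions` under HKLM and HKCU, a location the article itself does not name) and lists entries whose path lies outside the user's profile. The sample export, extension IDs and paths are constructed placeholders.

```python
import re

# Keys Firefox on Windows has consulted for extensions registered outside the
# profile: value name = extension ID, value data = path to the extension.
EXT_KEY = re.compile(
    r"^HKEY_(LOCAL_MACHINE|CURRENT_USER)\\SOFTWARE\\(WOW6432Node\\)?"
    r"Mozilla\\Firefox\\Extensions$", re.IGNORECASE)
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg files escape backslash and double quote with a leading backslash
    return re.sub(r"\\(.)", r"\1", s)

def registry_extensions(reg_text):
    """Return [(key, extension_id, path)] for registry-registered extensions."""
    found, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            key = name if EXT_KEY.match(name) else None  # ignore other keys
        elif key:
            m = VALUE.match(line)
            if m:
                found.append((key, unescape(m.group(1)), unescape(m.group(2))))
    return found

def outside_profile(entries, profile_dir):
    """Entries whose path is not under the user's Firefox profile directory."""
    prefix = profile_dir.rstrip("\\").lower() + "\\"
    return [e for e in entries if not e[2].lower().startswith(prefix)]

# Constructed sample in .reg export format. A real export made with
# `reg export` is UTF-16, so read it with encoding="utf-16".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions]
"{00000000-0000-0000-0000-000000000001}"="C:\\Example\\VendorUpdate\\FirefoxExtension\\"

[HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Extensions]
"helper@example.invalid"="C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abcd.default\\extensions\\helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\TaskBarIDs]
"C:\\Program Files\\Mozilla Firefox"="308046B0AF4A39CB"
'''

if __name__ == "__main__":
    profile = r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd.default"
    for key, ext_id, path in outside_profile(registry_extensions(SAMPLE_REG), profile):
        print(f"{ext_id} registered under {key} -> {path}")
```

An entry flagged here is one that stays registered when the extension is only disabled in the Add-ons dialog, which is why it is worth reviewing after system updates.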


Talkback

49 comments
  • Maybe NoAxe, LD, or Bott would care to explain this?

    .
    nizuse
    • NoAx and LD Are Having Breakfast In Bed

      Leave them alone.
      itanalyst2@...
    • About ClickOnce

      It looks like Microsoft is simply trying to improve the user experience for Windows users who are running Firefox. It actually sounds like a good thing.

      from: http://msdn.microsoft.com/en-us/library/142dbbz4.aspx

      ClickOnce is a deployment technology that enables you to create self-updating Windows-based applications that can be installed and run with minimal user interaction. ClickOnce deployment overcomes three major issues in deployment:

      * Difficulties in updating applications. With Microsoft Windows Installer deployment, whenever an application is updated, the user must reinstall the whole application; with ClickOnce deployment, you can provide updates automatically. Only those parts of the application that have changed are downloaded, and then the full, updated application is reinstalled from a new side-by-side folder.

      * Impact to the user's computer. With Windows Installer deployment, applications often rely on shared components, with the potential for versioning conflicts; with ClickOnce deployment, each application is self-contained and cannot interfere with other applications.

      * Security permissions. Windows Installer deployment requires administrative permissions and allows only limited user installation; ClickOnce deployment enables non-administrative users to install and grants only those Code Access Security permissions necessary for the application.
      bradsl@...
      • Spoken like an MS damage-control guy

        What about those of us who aren't "deploying" anything, but just want a simple trustworthy OS that won't do things behind our backs without asking us.

        Having something on my PC that allows websites to download anything without my explicit permission is invading my home and is disturbing to me (that's WHY I use Firefox instead of IE in the first place). Now MS is screwing with Firefox and making it less secure (from individual user standpoint - I realize that corporations like to be able to control and alter their employees' PCs) - Mozilla should have a lawsuit here.

        I run retail XP SP2 (and will move to Linux when it stops meeting my needs) and I have updates by Microsoft and "remote" anything disabled in Services with no Windows "LIVE" ANYTHING or net framework or any of the MS controlware/spyware on my PC at all. Even though I have a purchased retail copy of the OS, I do not have WGA on my PC.

        I trust Microsoft about zero - I learned a while back to not give Microsoft unsupervised access to anything on my PC when MS tried to use WinLiveID (my bad for loading it - it's gone now) to disable functionality on an older version of MSMoney (I saved myself only because I image my drive).

        Even tho I have Office 2003, I'm moving to OpenOffice already. Now at least I can view .pps files safely with Impress instead of exposing my PC to all sorts of bad stuff with PowerPoint.

        Microsoft CEOs think they have a right to step all over individuals without asking and do whatever they (or their "cooperative" vendors and corporations) want without the smallest concern for the individual.
        maggietoo9
        • You won't get it

          This is deployed as an update to the .net framework; if you don't have that, it won't affect you. I've never installed .net framework either - somehow I just didn't trust it...
          Greenknight_z
          • I had to install it, but...

            If I want to use .net. Otherwise certain programs I have to use won't work.

            However...,

            http://www.dedoimedo.com/computers/ms-dotnet-firefox.html

            http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=cecc62dc-96a7-4657-af91-6383ba034eab

            Which means I can still keep .net installed with it fooling around with FF.
            Wintel BSOD
        • A very typical MS bully tactic!

          I'm on the same page as you! I also have a retail XP-SP2 with all of MS's crap services disabled. IF I choose to do an update, it's at MY discretion and thoroughly vetted.

          But this new attack on FireFox angers me DEEPLY! I fully expect MS to be the next "Too big to fail" corporate goober to latch onto the nationalization craze currently being jammed into America!

          Mozilla needs to immediately fire back with a version update to counter this, and follow on with a lawsuit! Unfortunately, MS has the filthy attitude that it's too big to tackle!

          ANTITRUST action is seriously overdue for this beast!

          I'm also planning a move to Linux when XP no longer serves me. (Fedora 11x) I've already purchased a small box to begin learning and testing. As bad as MS is, the apple is MS on steroids and has successfully pulled the wool over its unsuspecting victims. Not hard to do since Mac owners typically don't know a byte from a kite! Remember the "etch-A-Sketch"? That was for those of us who couldn't hold a pencil...
          RS9
  • RE: Microsoft sneaks in Firefox extension via Update

    Adding extensions to 3rd party applications without the user's permission is actually a violation. How does Mozilla feel about this? Has this cleared Mozilla as a valid extension?

    Anyway all one has to do is go into Tools-Add-ons and disable this on Firefox. Poof it no longer runs or you can enable it then uninstall it. If it cannot be uninstalled this way remember MS owns the operating system but it still does not give them the right to install what they feel like without the computer owner's permission. Hiding the extension within another program without explaining it to the user is also another individual rights violation of ownership.
    PeterPac
    • uninstalling extensions

      Malicious malware can enable a disabled extension. Remove the folder containing the components of this extension from the Mozilla (Firefox) folder/%default%/extensions.
      Mnighthawk
  • RE: Microsoft sneaks in Firefox extension via Update

    Joe Brockmeier you are an idiot. What extension? What does it do? Is it bad? If so how do I get rid of it? Thanx for nothing you sensationalistic moron!
    nospam@...
    • It's the .NET Framework Assistant 1.1...

      The description says:

      "Adds ClickOnce support and the ability to report installed .NET framework versions to the web server."

      Oooh.. Sounds ominous...
      Wolfie2K3
      • and keyclick sniffers

        Keyclick sniffers just "report users keypresses to a 3rd party server."

        Wake up!

        Spyware is spyware when it installs itself without your knowledge or consent, even if it IS written and installed by Microsoft.
        oldbaritone
      • that's enough information for a malicious site to dynamically

        send .net code tweaked to the version of .net you are running. i'll be removing .net from my wine installation and switching to mono.

        on a side note: you know you've hit the big time when microsoft is actively trying to break your software. they've been doing it to wine for years, welcome to our world mozilla!
        brokndodge@...
        • lol...

          And how exactly are they going to send ".net code" to your pc? lololol
          twisterjosh@...
  • Why does ZDNet permit these blatantly false blogs to appear on their sites?

    I followed the link in the article and started reading the comments. Here are a few interesting ones that the author did not see fit to mention and completely obliterate any point the author originally had:

    "Luckily, you can disable this extension which is just as good as uninstalling it."

    So no, it isn't difficult to remove. But then I came across this gem:

    "Looks like the author did not install the latest version for .NET Framework Assistant 1.0 for Firefox. The latest version support per-user uninstallation and FF 3.5."

    So why not mention that this was fixed? It was fixed long before you posted this blog.

    "Not sure why there is not a word on comparative analysis. Java Quick Starter does the same thing (from Firefox extension installation to application launching)"

    You aren't sure why there is no mention that this is common practice? I can tell you why: double standards held by ABMers.

    "In general this story was neither well researched nor accurate."

    Nor was the blog that basically copy and pasted from that story.
    NonZealot
    • It uninstalled in my FF no problem

      Guess you have to "consider the source" what else is new.
      tech_walker
    • NonZealot, you should stop flaming unless...

      First,

      Disabling is not the same as uninstalling. If you think so, you are an idiot.

      Second, Sun tells you when installing the Java extension and uninstalling is as simple as uninstalling. No registry hacks or anything.

      Third, he said he got it from automatic updates. Is the latest being pushed? Or do you have to go get it? Hmmmm, maybe you should research a little...

      jtiner
    • I don't have any options.

      I don't seem to be able to disable or uninstall it. I am kind of pissed about this, even if it doesn't do anything malicious.
      lostarchitect
  • Load up WireShark and watch the action

    Microsoft is well-known to use tunneling over http and A LOT goes on there unbeknownst to the average Windows user.

    Worse, there is NO stopping it.

    no_zd_user_name
    • Thanks for the tip...

      Wireshark looks great!
      20kwfence