Forgot your password?
typodupeerror
Microsoft Mozilla The Internet Your Rights Online

Microsoft Update Quietly Installs Firefox Extension 500

Posted by CmdrTaco
from the guess-its-back dept.
hemantm writes "A routine security update for a Microsoft Windows component installed on tens of millions of computers has quietly installed an extra add-on for an untold number of users surfing the Web with Mozilla's Firefox Web browser."
This discussion has been archived. No new comments can be posted.

Microsoft Update Quietly Installs Firefox Extension

Comments Filter:
  • And yet... (Score:4, Interesting)

    by someyob (1062238) on Monday June 01, 2009 @11:06AM (#28168353)
    at the same time it was Firefox that quietly allowed it to happen. "I admit that maybe I missed the point", he said as he rushed home to check his Windows machine.
  • by asdf7890 (1518587) on Monday June 01, 2009 @11:09AM (#28168403)

    The .net-Update has "installed" this Add-On secretly for a few months now, as far as I know. It just got into the "normal" Windows auto-update stream, thus annoying more and more people? Or am I somehow mistaken?

    It has certainly been around for some time, and I think it has been in updates that Joe Public gets automatically for a while too. My guess is that this reported has only just heard about it so to him (and presumably other too) is it new news.

    At first it turned up as part of the Visual Studio install/servicepack, so developers got it first, I'm not sure when I first noticed it appearing on machines that had the relevant .Net libraries but no VS.

    I don't have a problem with the add-in existing, or it being installed by default. But being installed by default with no opt-out and with the uninstall/disable options removed from the user, is either bad customer care or plain malice (though for all the noise my inner tin-foil-hat is making I can't think of anything logical that such malice would achieve for MS, so "not caring about the customer" is the more likely option).

  • Anecdotal problem (Score:5, Interesting)

    by Dan East (318230) on Monday June 01, 2009 @11:10AM (#28168423) Homepage Journal

    I noticed this on a work machine and read about it last week. Instead of trying to manually remove the extension (the Uninstall button is disabled for this one and only extension) I simply disabled it. Starting that same day, the machine (2.3 Ghz dual core Vista with 4 GB RAM) has begun locking up hard when using Firefox. This doesn't happen with IE or any other software. It locked up 5 times on me with Firefox within 1 hour, and has not locked up at all since then, as I have not used Firefox. It is abundantly clear the problem is related to Firefox, and the only thing I did with Firefox was disable the extension and restart.

    Has anyone else experienced anything like this after disabling the .NET extension? I'm curious how deeply this extension hooks into the OS and if it is capable of freezing up the entire OS. Firefox, on its own, should not be capable of locking up the entire machine.

  • Re:fairly sure that (Score:2, Interesting)

    by morgan_greywolf (835522) on Monday June 01, 2009 @11:48AM (#28168915) Homepage Journal

    The new twist is that the article's author just realized that the extension can't be easily uninstalled:

    I'm here to report a small side effect from installing this service pack that I was not aware of until just a few days ago: Apparently, the .NET update automatically installs its own Firefox add-on that is difficult -- if not dangerous -- to remove, once installed.

    Annoyances.org, which lists various aspects of Windows that are, well, annoying, says "this update adds to Firefox one of the most dangerous vulnerabilities present in all versions of Internet Explorer: the ability for Web sites to easily and quietly install software on your PC." I'm not sure I'd put things in quite such dire terms, but I'm fairly confident that a decent number of Firefox for Windows users are rabidly anti-Internet Explorer, and would take umbrage at the very notion of Redmond monkeying with the browser in any way.

    Big deal, you say? I can just uninstall the add-on via Firefox's handy Add-ons interface, right? Not so fast. The trouble is, Microsoft has disabled the "uninstall" button on the extension. What's more, Microsoft tells us that the only way to get rid of this thing is to modify the Windows registry, an exercise that -- if done imprecisely -- can cause Windows systems to fail to boot up.

    The sad thing is that I think probably everyone missed this because this is not new behavior for Microsoft.

  • Re:Surprise! (Score:4, Interesting)

    by should_be_linear (779431) on Monday June 01, 2009 @12:04PM (#28169171)
    They sure have patent on breaking other people's SW interacting with their SW (Office formats, MS Java, Grub/Lilo support, ... ) so how about giving them little bit of their own medicine? (Breaking .NET plugin with next Firefox update). I know, I know, not gonna happen...
  • by Astronomerguy (1541977) on Monday June 01, 2009 @12:07PM (#28169205)
    I'm Running Firefox on the Windows 7 RC, and v 1.1 of the Microsoft .NET Framework Assistant has the "Uninstall" button enabled. Looks like this was an old-news thing that's been fixed.
  • Re:Annoying, but... (Score:5, Interesting)

    by causality (777677) on Monday June 01, 2009 @12:09PM (#28169243)

    What is annoying is that it's installed without warnings or questions asked. The good part may be that it provides (or could provide) some functionality and M$ is finally acknowledging the percentage of Firefox users out there.

    I've seen the way they "acknowledge" competitors before. I like Firefox; that's why I'd prefer they keep ignoring it.

  • Re:Surprise! (Score:3, Interesting)

    by Ilgaz (86384) on Monday June 01, 2009 @12:11PM (#28169273) Homepage

    If Firefox was an evil company of some sort, they would deliberately add some functionality to make browser break when their extension installed from their back and call a good lawyer company. For a software/app at market share of Firefox, I can guarantee millions of dollars in return although I am not a lawyer.

    MS should pray that they don't seem interested in such things and of course, source is open to look/review. E.g. it is not Microsoft.

    If it sounded too childish or tin foil, just check that story http://www.theregister.co.uk/1999/11/05/how_ms_played_the_incompatibility/ [theregister.co.uk] . It is not a IT urban legend, it is actually documented in court.

  • Re:Surprise! (Score:2, Interesting)

    by vandit2k6 (848077) on Monday June 01, 2009 @12:34PM (#28169577) Homepage

    I think the OP's point is like XP was Windows nt5.1 to Windows 2k's nt5.0 (hint, just an update) and that Windows7 is just an update to Windows Vista, that ME was just an update to Windows 98 osr2.5.

    No, I am sorry ME was complete downgrade to Win 98!

  • Re:Surprise! (Score:1, Interesting)

    by Anonymous Coward on Monday June 01, 2009 @01:51PM (#28170543)

    Except ME was a decent OS. It has one thing over 98se that you cannot deny: If a program crashed, it didn't take down the entire machine. That is the primary reason ME was better than 98SE. Same capabilities, marginally more resource usage (I think it went from 5mb to 12mb memory usage, the ONLY reason people complained at the time, and it was slower)

    Now, 2k was years beyond the 9x line. But ME is the best of that series. It actually had uptimes of days, not hours.

    Also, 2k was not a Consumer OS. It was a business OS. XP was the next in the consumer OS line. 2k != 9x/XP lines, hence better.

  • Re:Uhuh (Score:4, Interesting)

    by pizzach (1011925) <pizzach@NosPAM.gmail.com> on Monday June 01, 2009 @02:10PM (#28170729) Homepage

    Then this is a problem with Firefox, not IE, that it let's plugins be installed through the filesystem without user intervention. At the least it should warn upon next start that "Blah has been installed, do you want to enable it?"

    When you have access to the filesystem, and I assume Windows Update runs with full privileges, you can do whatever the hell you want. If MS really wanted to, they could be replacing libraries in the Firefox folder. In many ways this is similar to the argument that if a hacker has physical access to the machine, you're toast.

    Having said that, a number of Linux distros have taken to including certain addons optionally or by default with a Firefox install. I don't really want to see this feature taken away and there is a very real purpose...to make mass management of Firefox installations easier.

  • Re:Surprise! (Score:3, Interesting)

    by AnalPerfume (1356177) on Monday June 01, 2009 @03:05PM (#28171611)
    "EULAs generally have few, if any, illegal terms in them. Mostly because few EULAs were ever tested in courts. That doesn't automatically mean that they're legally binding. Mostly, again, because few have ever been tested in courts."

    This is exactly my point.

    The company who wrote the EULA for their product will treat it as legally binding until a court tells them it's not. They wrote it for exactly that purpose. They will use threats / bullying etc to try and get people to accept it rather than fight it, because they may just lose the fight, and therefor lose the right to continue using it to extort more money.
  • by artemis67 (93453) on Monday June 01, 2009 @03:30PM (#28172119)

    I'm just thinking that if this update is making Registry changes, then the plug-in is Windows-only, and it means that Firefox users on Windows will now have a different browsing experience than Firefox users of other platforms.

    So, the plug-in accomplishes two things for Microsoft: 1) it promotes the .NET platform to a wider audience, and 2) it promotes Windows as being the superior OS to run Firefox in.

    It's a win-win scenario for Microsoft. Firefox can continue to gain marketshare, but Microsoft will have their tentacles in it, making sure that the adoption of Firefox does not lead to a platform-agnostic world. And it rewards the .NET developers for investing in Microsoft-only technologies.

  • Re:Surprise! (Score:3, Interesting)

    by AnalPerfume (1356177) on Monday June 01, 2009 @06:57PM (#28175221)
    After understanding the Linux "run as normal user" principle and how important it is for security I did actually try to apply that Linux user / admin separation on an XP install. You're right, it's a nightmare, with far too many regular user programs needing admin rights to run.

    In fairness I believe Microsoft have learned the error of that approach and have been trying to find a way round it. The problem they have is that they've conditioned users too well. They keep using "we know you don't want to learn anything new" as a reason to stay with Microsoft rather than look at something else.

    They even tried to patent sudo, even though they never invented it and don't use it.....but then since when has that stopped them using legal bullshit to attack and extort money from a competitor?

    Third party app developers don't help the cause either by not programming their user apps to need regular user rights. On the other hand OEM installed Windows which most Windows users have, tend to be installed as admin anyway to it's a fair bet that every user will be running as an admin.

    I have serious issues when the average Joe Sixpack can go into the system folder, delete and change stuff at random with NO knowledge about what he;s doing. My mate's lil cousin has been known to do that, randomly delete files in the System32 folder that he don't like the name of because he's bored, then he complains when his PC don't boot up.

    It's important that these functions should be doable. It's vital that the user / admin rights stop the average user from doing it. Of course, if people (or remote websites) were stopped from being able to hose their PCs, lots of PC repair stores would lose a LOT of customers and a lot of income. It does help their revenue stream when a clean PC can be hosed by the following day and needs a repeat appointment.
  • Re:Surprise! (Score:4, Interesting)

    by hairyfeet (841228) <bassbeast1968@NOsPAM.gmail.com> on Monday June 01, 2009 @07:42PM (#28175677) Journal

    Actually I can explain EXACTLY why it crashed, as being a PC repair guy off and on since Win3.xx I have had much experience in the area. I can also explain why yours worked and mine didn't.

    You see the main difference between Win98SE and WinME was .VXDs VS WDM. I would bet if you had that machine and looked at the drivers that ALL the drivers were WDM. You were what we in the biz called "lucky bastards" because nearly all the OEMs just used the same VXDs that were SUPPOSED to be supported in WinME, or even worse like mine ended up this horrible fucking mess with half of the older drivers being VXD and half the newer being WDM. You see, in WinME in my experience VXD and WDM just don't play nice together. In fact they hate each other and will happily kill themselves and the OS with it due to conflicts.

    So you see grasshopper, you were one of the lucky bastards that got a machine with WDM only drivers. MSFT in their infinite stupidity said that WinME could use both, so many OEMs(like that damned HP which is STILL running not ten feet from me with a rock solid Win2K) didn't bother writing drivers for their older chipsets. Instead they just reused the Win98SE drivers while only writing drivers for the newer hardware as WDM. That was a recipe for total disaster and why you could set your watch by how fast mine crash. The video chip was WDM, the audio VXD, and the network and modem was one of each. So it wasn't FUD, it was MSFT releasing an OS which really didn't support the drivers they say it did. If you had all WDM you were good. All VXD and you had about a 60/40% chance at being stable. A mix of the two? You're fucked. And that is what happend to me and way too many WinME owners. We got fucked.

  • Re:Updated (Score:4, Interesting)

    by BikeHelmet (1437881) on Tuesday June 02, 2009 @12:08AM (#28177603) Journal

    Microsoft removed the superior method of communicating with hardware that OpenGL had been using since Win9x.

    They designed something very similar to what OpenGL did, for DX10, which improved communications efficiency quite a bit. (Takes far less CPU power to talk to the videocards, compared to DX9)

    Unfortunately, there's only one of these channels in the kernel now, so OpenGL has to sit on top of it. (Reducing OpenGL's efficiency, since it doesn't need all the overhead that DX10 does)

After an instrument has been assembled, extra components will be found on the bench.

Working...