Microsoft Update Quietly Installs Firefox Extension 500
hemantm writes "A routine security update for a Microsoft Windows component installed on tens of millions of computers has quietly installed an extra add-on for an untold number of users surfing the Web with Mozilla's Firefox Web browser."
Dupe (Score:2, Informative)
I read about this on Slashdot a couple weeks ago.
How to disable... (Score:5, Informative)
Tools > Add-Ons > Plugins > Disable all Microsoft plugins.. and Adobe Acrobat's, QuickTimes & anythiing else that looks suspicious
Re:fairly sure that (Score:5, Informative)
Re:Dupe (Score:4, Informative)
Ah, finally found the link. Sadly enough, Slashdot's search engine didn't find it but Google's did.
http://tech.slashdot.org/article.pl?sid=09/02/01/2143218 [slashdot.org]
(would have posted sooner, but have to wait 5 minutes between posts)
Remove it! (Score:5, Informative)
http://www.annoyances.org/exec/show/article08-600 [annoyances.org]
Note that Oracle (nee Sun) is also doing this with a Java extension.
How to remove (Score:5, Informative)
http://blogs.msdn.com/brada/archive/2009/02/27/uninstalling-the-clickonce-support-for-firefox.aspx
Re:Microsoft patching 3rd party apps? (Score:3, Informative)
As far as I know, Mozilla puts no restrictions on who can release what sort of Add-Ons. In this equation, Microsoft controls the OS and the software update program; they needed no permission from Mozilla to push this out.
And as an Add-On, it's not really akin to patching a 3rd party app exactly. It's just a MS program that closely works and integrates with the publicly documented interface of a 3rd party app.
Re:How inconsiderate! (Score:5, Informative)
Well, Ubuntu users get the Ubuntu Firefox add-on which has actually conflicted and broken other popular add-ons like Tab Mix Plus. I never actually figured out what that add-on even does before I disabled it.
Re:Some Left Over Stupidity from the Last Millenni (Score:5, Informative)
On that note, Java's JRE does the exact same thing (adds a firefox extension without the using knowing about it, and reports back version).
Re:Firefox needs to fix this. (Score:5, Informative)
It's a string in the user-agent (Score:5, Informative)
Adds ClickOnce support and the ability to report installed .NET framework versions to the web server.
I do not like the sound of that nor does Annoyances.org as the article notes. I don't like the idea of sending anything about software on my computer to a web server without me knowing about it.
But do you know what your browser is already sending? Mine is sending this:
"Windows NT 5.1" is Windows XP, and "Gecko" is the HTML/CSS engine used by Firefox, Iceweasel, SeaMonkey, Fennec, etc. Sites can query the versions of various addons that handle an object type, such as Java SE and Flash Player, by embedding such an object. What's so different between querying the .NET Framework version through this add-on and doing so through the Silverlight addon?
ClickOnce deployment (Score:1, Informative)
As clearly no one posting here knows anything about it here is some info:
http://msdn.microsoft.com/en-us/library/t71a733d(VS.80).aspx
These are not "web" apps, this is for deploying a client side .NET app, and keeping it updated, it is not a vulnerability.
Re:How to disable... (Score:5, Informative)
The article doesn't say you can't disable it. In fact, in the screenshot in the article, the disable button is clearly enabled.
The last .NET update did the same thing, put in an extension to FireFox that you couldn't uninstall, only disable. Java does the same thing, I have TWO Java SE FireFox extensions disabled in my list (neither can be uninstalled).
With this latest .NET update the uninstall button actually works for the .NET extension. At least on my Windows 7 machine.
Re:How to disable... (Score:5, Informative)
It says nowhere in the article that you can't disable it, just that you can't uninstall it.
In fact, the screenshot in the article shows an active disable button, but not an active uninstall button.
In a previous post, someone said that this is due to admin privileges issues. Most extensions are installed by a user and reside in a user-accessible directory. Firefox allows for system-wide installation of extensions by pointing to them with a registry entry. System-wide-installed extensions fundamentally can't be uninstalled directly by a user without some sort of privilege escalation, which Firefox doesn't support. MS didn't explicitly disable uninstallation, it's just a side effect of being a system-wide installation.
Re:It's a string in the user-agent (Score:5, Informative)
What's so different between querying the .NET Framework version through this add-on and doing so through the Silverlight addon?
Because i don't want either one?
Not the only ones that are doing that (Score:5, Informative)
As a Firefox extension developer, I've received several complaints about disappearing toolbar buttons, and the answer is always the same: check for the Skype extension that was installed without your consent, and uninstall it. Plus, navigating the browser history was a lot slower, and removing that add-on solved the problem (the Skype extension will scan the page contents to substitute phone numbers by Skype actions).
This is not limited to Firefox, as this stuff has been happening in Internet Explorer for a long, long time. Still, it would be nice if Firefox would protect its users from non-authorized extensions, warning of what was installed, and providing a easy way to uninstall/disable it.
Re:Surprise! (Score:3, Informative)
What, you think you know better than MICROSOFT what should be on your machine?
Well they did release Vista.
Well, they did release Bob.
...And Clippy, and Windows 98 ME...
Re:It's a string in the user-agent (Score:5, Informative)
Re:Surprise! (Score:4, Informative)
Re:fairly sure that (Score:5, Informative)
Apparently, MS released a v1.1 of the plugin, but it can't install if you left 1.0 disabled (like I did). If you re-enable the plugin, then go manually re-download and re-install the hotfix which included this plugin more recently, you will get v1.1 of the plugin, after which, you CAN uninstall it. .net you have installed, so either get it uninstalled, or go check and delete the right entry from general.useragent.extra.* in about:config
Note that disabling the plugin still leaves a string in your user-agent saying what version of
Re:Firefox needs to fix this. (Score:5, Informative)
They aren't 'stealth'ing in an add or nor are they 'disabling' the uninstall button.
The 'uninstall' button is for user specific addons, not system wide add ons. The uninstall button has never worked for system wide addon installations. It is a feature, and a required one if you expect Firefox to actually get anywhere in the business world. This is done by adding a single registry key and can be done for ANY add on, regardless of who makes it or where it is installed.
It serves two purposes. First it allows things to install add ons before the browser is installed so that when you later install Firefox it will be aware of existing items and not require you to jump through hoops to get them to work. Second, it allows administrators and other software packages to install something globally, for all users of the host, without requiring each user to manually install the add on and keep it updated.
I'm sorry that this doesn't fall into your narrow little view of the world, but for the rest of us this sort of thing is a requirement to use Firefox in the business world.
Finally, there is a very simple solution. Don't install software that does things you don't want it to do. You're an idiot if you think there is anything what so ever that Firefox can do to stop this sort of thing. There isn't. Add ons will ALWAYS be able to install themselves with out notifying you, welcome to open source, EVERYONE can see how to do it, thats a feature of open source. There is nothing Mozilla can do to stop it short of releasing a version with some non-OSS component that can be used to prevent it from happening using digital sigs to verify that only allowed add ons are installed or not load them. And as soon as they do that Slashdot will be ranting and raving about freedom to do whatever the hell it wants.
You got your software freedom, you wanted everyone else to have the same access to the software as you do. Great, they do, now you get to deal with the consequences of that.
Its not like user add-ons can't do the EXACT SAME THING. All you need to do is remove write permissions from your own files when you startup and Firefox won't do shit when you tell it to uninstall it except throw an error. Any add on can do that, and Firefox is unlikely to ever 'fix' that problem as its one that Firefox shouldn't be responsible for.
You can fix the problem on your computer yourself to make sure this doesn't happen with some registry permissions in HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla, take away all write/modify access to this key from everyone after you've installed Firefox. Problem solved. That is where various addons for Mozilla software can be installed globally by a system administrator.
As for Firefox removing that feature, go ahead and let that happen. Find out how many IT departments suddenly want even less to do with Firefox. I'm sure they'll love you for having it removed when they have to do something retarded like run a login script to roll out extensions rather than just pushing a registry change via group policy.
The worst part is that this gets modded insightful. This isn't fucking insightful, its ignorant, short sided and shows a complete lack of understanding about whats going on and why.
Whats worse is ignorant dipshit comments like this end up making me fucking defend Microsoft.
Get a clue, then start bashing, people with far more intelligence and understanding of this sort of thing work on it, not you, ever consider there MAY be a reason?
Important Dupe (Score:2, Informative)
http://tech.slashdot.org/article.pl?sid=09/02/01/2143218 [slashdot.org]
Even so, it's important to point out the transgressions of companies like Microsoft (SCO, Apple, Google,
Re:How to disable... (Score:2, Informative)
Yeah, this one is at HKLM/Mozilla/Firefox/Extensions.
I don't care about it, so I have no idea if deleting that key is sticky or not (perhaps some watchdog or another puts it back...).
Mozilla has, for some value of documented, documented this:
http://kb.mozillazine.org/Uninstalling_extensions#Windows_Registry_extension [mozillazine.org]
Re:Anecdotal problem (Score:5, Informative)
When you disable the extension Firefox does not load anything other than its manifest. It doesn't matter WHAT the extension does or how 'deeply the extension hooks into the OS', its not loaded. Your lockups are unrelated to this extension if you have it disabled. The could very well be related to any number of other things that change during patching, but this particular extension is not it.
Re:Surprise! (Score:4, Informative)
I always wondered if they ever thought "If we didn't acquire quick and dirty OS and go with our own". If you look at the quality of their code on Mac and releases in those ages, it is clearly ages ahead of the clone of the clone they acquired.
Remember, they had UNIX license directly from AT&T too and selling it as Xenix. It really looks like they try to code Unix again in a different sense but fail, over and over. Judging from OS X Office releases, they wouldn't be a bad Unix/NeXT coding company either.
Re:Surprise! (Score:3, Informative)
I always wondered if they ever thought "If we didn't acquire quick and dirty OS and go with our own". If you look at the quality of their code on Mac and releases in those ages, it is clearly ages ahead of the clone of the clone they acquired.
Remember, they had UNIX license directly from AT&T too and selling it as Xenix. It really looks like they try to code Unix again in a different sense but fail, over and over. Judging from OS X Office releases, they wouldn't be a bad Unix/NeXT coding company either.
Didn't Microsoft have some sort of agreement with SCO (of all people) that prevented them from entering the Unix market? What I don't know is whether that exclusively means "bearing the Unix trademark" or if that also covers "unix clones".
Otherwise your comment reminded me of that old saying, "those who fail to understand Unix are doomed to re-implement it, poorly."
Re:fairly sure that (Score:2, Informative)
MS has instructions here for the extension's manual removal, for any who want them:
.NET Framework Assistant for Firefox [microsoft.com]
How to manually remove the
Re:Surprise! (Score:3, Informative)
Re:Bug in Firefox (Score:3, Informative)
This isn't a bug in Firefox. The update process is running as Administrator (if not Local System) and has write access to every file on the system including the Firefox binaries themselves. The updater shouldn't be modifying third-party software, but if that's what Microsoft chooses to do there isn't much third-party developers can do to stop them.
As for the inability to uninstall the extension, that's standard for extensions installed into the main Firefox application directory. You can only uninstall extensions installed into your personal profile; this behavior is the same under Linux for extensions installed via the package manager. You can disable any extension via your profile regardless of where it was installed, assuming the extensions themselves don't interfere--they have full access to and control over the Firefox UI while it's running. Once an extension is disabled it is no longer loaded at startup (apart from the manifest) and should be completely inert.
I do agree that system extensions should probably be disabled by default, with some sort of prompt to enable them when they're first detected. That would be a bit more user-friendly, but can't ultimately prevent system-level processes from messing with how Firefox operates.
Re:Surprise! (Score:3, Informative)
It's not YOUR PC though, the hardware is but Microsoft own the copy of Windows running on it, you only own a license to use Windows under their terms and conditions. Under those terms Microsoft can do whatever they want with the consent of the owners.....which is themselves.
Which is complete and utter bullshit!!! They can state whatever they want in their licenses, but I think you are completely wrong, and at least here in Europe national or EU laws will overrule such conditions. They may still own Windows, but they may not do whatever they like on my or any other computer.
Re:How inconsiderate! (Score:2, Informative)
After a quick look at the source, this is what this extension does:
- Changing the start page
- When a plugin is missing, make the Ubuntu package system deal with it.
- In the extension manager add an option to download ubuntu-managed extensions (system-wide, apt-get controlled)
- When apt-get updates firefox, communicate need to restart it to the user.
- Add the ask.com search plugin (wtf?)
Re:Uhuh (Score:5, Informative)
Re:Surprise! (Score:4, Informative)
I think the OP's point is like XP was Windows nt5.1 to Windows 2k's nt5.0 (hint, just an update) and that Windows7 is just an update to Windows Vista, that ME was just an update to Windows 98 osr2.5.
You've got your Windows 9x's confused. Win 95 had an "OSR 2.5" (4.00.950C), Win 98 had "SE" (4.10.2222A).
Re:fairly sure that (Score:5, Informative)
TFA, which almost nobody bothered to read, links to an MSDN blog [msdn.com] (which even acknowledges and links to the previous Slashdot story [slashdot.org]), which absolutely nobody bothered to read. Because, if the submitter, or the editor, or anyone had bothered to do so, they'd realize what a total non-issue this is: It's already fixed, which is why it works fine for you, drinkypoo.
This blog states that the plugin was initially installed as a system-wide thing. And, with FF, users can't simply remove system-wide things by themselves. Which, of course, makes sense to anyone who has spent more than ten minutes working on a system with proper basic security. They detail a long-winded workaround.
Right. So. Then there's this:
Update (5/2009): We just release an update to .NET Framework 3.5 SP1 that makes the firefox plug in a per-user component. This makes uninstall a LOT cleaner.. none of the steps below are required once this update is installed.
I'd guess that you simply already have this newer version of the .NET package, which includes a Firefox plugin which is installed in a manner more in-keeping with what folks might normally expect, and accordingly can be uninstalled in a manner that folks might normally expect.
Re:Uhuh (Score:1, Informative)
Some one with physical, root access to the machine (such a Windows update) would be able to simply pre-acknowledge the add-on though. And considering that Microsoft already adds this without warning, I would not put it past them.
Re:Surprise! (Score:2, Informative)
It's a catch-22.
If MS makes it so that .Net/ClickOnce/Silverlight or anything else, ONLY works in IE; people get upset that MS is being anti-competitive.
If MS does make it so that everyone can use .Net/ClickOnce/Silverlight or anything else, then MS is just trying to force EVERYONE to use their technologies.
I'm completely okay with MS giving out an addon that gives you .Net Framework functionality when you install/update the .Net Framework.
---
Why would FireFox want to support ClickOnce? Because FireFox is a web-browser. FireFox has no offering that competes with something like ClickOnce. Before MS released this patch, there were already (unofficial, not-supported) addons that provided the same functionality. (https://addons.mozilla.org/en-US/firefox/addon/1608)
FireFox supports the IFRAME. A tag that MS just made up, that didn't conform to any standards. Why did FireFox support it? Because FireFox wanted it's users to be able to use FireFox for anything they could use IE for. ClickOnce is no different. If a user wants to have the .Net Framework/wants to use ClickOnce on their machine - why *wouldn't* FireFox want support for it to be there?
Not supporting it means people HAVE to use IE to get that functionality.
---
Beyond that, you don't *have* to edit the registry to remove it. That's a hack.
When the plug-in gets installed, it's not for an individual user; it's for the entire system. Other FireFox plug-ins behave the same way. You can't remove those either, not directly, from FireFox. Because FireFox is treating you as an individual user. You, as a user, can disable the Add-on.
Everything else about the .Net Framework is also installed for everyone on the system. The same way security patches are installed. Individual users on the machine don't have to each update critical windows crap.
You can go here: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=cecc62dc-96a7-4657-af91-6383ba034eab [microsoft.com]
(That's right, Microsoft.com)
And you can download an update that will make the addons to FireFox work on a per-user level. At which point, FireFox allows you to easily uninstall it with the in-FireFox GUI.
I haven't tested it, but I'm fairly confident removing the .Net Framework will remove the FireFox addons as well.
So again, I'm *not* saying Microsoft is in the right here. But I am saying, 99% of the people I hear talking about this are grossly over-reacting.
We're talking about an Update to the .Net Framework that added .Net functionality to FireFox. If you didn't install the Update, you wouldn't get the functionality.
At best, this is a reminder to turn off 'Automatic Updates' if you don't trust Microsoft to be updating your files. It's hardly a case of Microsoft trying to 'discredit' FireFox or anything else.
Re:Surprise! (Score:3, Informative)
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=cecc62dc-96a7-4657-af91-6383ba034eab [microsoft.com] [microsoft.com] .NET Framework 3.5 SP1, the .NET Framework Assistant enables Firefox to use the ClickOnce technology that is included in the .NET Framework. The .NET Framework Assistant is added at the machine-level to enable its functionality for all users on the machine. As a result, the Uninstall button is shown as unavailable in the Firefox Add-ons list because standard users are not permitted to uninstall machine-level components. In this update for .NET Framework 3.5 SP1 and in Windows 7, the .NET Framework Assistant will be installed on a per-user basis. As a result, the Uninstall button will be functional in the Firefox Add-ons list.
This was released on 5/6/2009
Again, seems like a giant over-reaction.
The article was written 5/30/2009.
You'd think the author would take a few seconds before sticking his foot in his mouth, again.
Re:Uhuh (Score:2, Informative)
Firefox did warn me about the installation on its following restart. I changed an option (to make it ask for permission to execute things) and then I disabled it.
Nonetheless I don't like a bit being forced to shallow this.
Re:fairly sure that (Score:3, Informative)
Are you unaware that most Linux distros don't use 'uninstall' software, but keep track of the files belonging to various 'packages' in a central database allowing the removal of any of said software at any time without any special third party software nor the permission of the installing package?
Re:Surprise! (Score:3, Informative)
Windows 2000 was never intended to be a "general user" or "home user" platform and it's original launch date was intended to be in 97 or 98. When the NT 5 beta 2 was released, Microsoft [winsupersite.com] was finally hammering home the notion that Windows NT 5.0 was being designed solely for businesses, not for individual users at home. Microsoft's Jim Allchin spoke of releases that would follow NT 5.0, such as NT 5.1 "Asteroid" and NT 6.0 "Neptune," which would feature a consumer edition. Post-NT 5.0, Windows would receive a maintenance-free user interface and a unified Web/Win32 API. "NT everywhere" was the theme of the show. (of course NT 5 is windows 2000)
In line with the Asteroid release containing a consumer edition, it was something like service pack one or two in windows 2000 before some of the more major problems with consumer level access was addressed.
Windows ME however was the original 98 to NT transition plan that Gates was talking of back in 1998. It's release was behind then rushed too. XP was the first planned and first implemented consumer lever transition to the NT style Kernel. The NT numerical names would have been windows 2000 as NT 5.0, Windows XP as 5.1, and Vista or the 2008 server as NT 6.0.
There was a rumor that MS was going to combine the best of windows CE with ME to create a consumer level NT platform but it was scrapped as marketing feared the slogan would become windows "CE ME NT": hard as a rock and dumb as a brick. Anyways, in the middle there, MS did come out with the windows "really good edition". [deanliou.com] This version was one of my favorites and you can even run a demo of it on that site.
Re:fairly sure that (Score:3, Informative)
OK, the API is documented [google.com]. If a developer decides to not follow the API, then Firefox is at fault? How so? Did the Mozilla Development Team stick a gun in his face and tell him "Hey, don't follow the API!' or something? I'm sorry, it's sounding like if I go get hammered at the bar then try to drive home while at 5-8 times the allowable blood alcohol level, it's not my fault, it's the fault of General Motors for building the Cavalier I drive.