Firefox fans are up in arms after a recent Microsoft software update silently installed a Firefox extension that is difficult to remove. Users agreeing to install a service pack for the .NET Framework (NET Framework 3.5 Service Pack 1) through Windows update were also pushed a Firefox add-on that is potentially difficult to …
at least you can disable the extension
I noticed this thing months ago and was quite upset myself. It could not be uninstalled but at least it was possible to disable it, which is what I did.
"This is because the update installs itself for all users of a machine, while the Firefox GUI only manages add-ons for a single profile at a time."
So Firefox contains a weakness whereby any software can install an add-on that cannot be removed through the Firefox GUI.
Shame on MS for exploiting this weakness, but surely some explanation and a fix for this weakness should be forthcoming from Mozilla as well...?
And now, before said weakness is fixed, El Reg is publishing details which should make an exploit very easy to reproduce...?
Learning from Apple
Seems that MS is learning from Apple about pushing stuff onto PCs that people don't want.
I am off to find out how to remove the piece of malware right now. And it is malware no matter what the MS fanbois say. I never gave explicit consent for it to be installed (I never even knew of its existence until this story) ergo it is malware.
The utter, utter bastards.
but what's the issue here?
Is the problem that MS are pushing silent updates on to a rival browser or that Firefox allows such operations to take place in the first instance?
What makes it worse..
is that the patch to fix the uninstaller does not seem to be picked up by automatic updates. I had to follow the link to the patch and manually download it and run it. Then you have to start FF, let it update the plugin, restart it, click to de-install it and restart it before it is gone.
I didn't want this software installing in my FF. MS pushed it there without giving me the option and without telling me they were doing it. But then again that's Microsoft's arrogant bastard attitude for you. Brad Adams in his blog wrote:
"We added this support at the machine level in order to enable the feature for all users on the machine. Seems reasonable right? Well, turns out that enabling this functionality at the machine level, rather than at the user level means that the "Uninstall" button is grayed out in the Firefox Add-ons menu because standard users are not permitted to uninstall machine-level components. "
Sorry, Brad but YOU decided what was right to do on MY machine concerning a piece of software (FireFox) which is NOTHING to do with you? Where do you get off? And if you don't understand that standard users can't uninstall machine level components in FF then just what the fuck were you doing pushing something like that out?
So just what else are MS pushing onto our machines in the background that we don't know about and they aren't telling us about. Maybe my copy of Chrome doesn't work well (and thrashes the disk) because MS have hidden something on my computer. Is that odd error I get when I access google mail about the connection failing to transfer data properly really an error or is it MS doing things to break competitors applications?
omg: windows installing a random piece of software
Wonders will never cease....
Seriously the sooner people realise they should 'grow up' and stop using a kids o.s that is only good for games the better.
Just noticed this little beastie lurking in my Add-Ons list.
/throws hissy fit etc.
Why do they always do grubby, mean little things like this?
Just another good reason why I will NEVER purchase another MS product and have reduced my use of Windows to 2 regular applications that I cannot duplicate on Linux, and 1 occasional-use tool. This is just another example of Microsoft's overweening arrogance, IMO.
Just update your Firefox
To the latest Firefox beta, v3.5b4. Microsoft .NET Framework Assistant can't run on it.
You know you've arrived when Microsoft try to subvert your software.
Let's get the facts right
It's not difficult to remove at all.
There was originally a 'bug' in firefox which disabled the uninstall button for extensions installed for all users. The Microsoft extension installed itself at this level which highlighted this bug.
Microsoft has since rewritten the extension to work around this and it's now able to uninstall like any other extension.
Another case of attacking Microsoft without finding out the facts first .....
a cynic writes...
Call me cynical, but I suppose their next move would have been to add some unpleasant .net code, then point at it and say "ooh, look at their insecure browser, we told you they couldn't be trusted - IE is much safer".
Bastards. If this isn't illegal, it should be.
That's MS updates disabled permanently now. I'll take my chances.
Out of order
MS should not be patching third-party apps through Windows Update PERIOD. The idea of that site is to improve system stability, not fuck it up by messing with unrelated shit.
Someone should lose their balls for this one.
Question: is this not blatantly illegal?
AFAIK, it is illegal to install software without the permission of the owner. That's why the Sony rootkit affair got ugly very quickly as well. I cannot see any argument why what they did here is legal -there really is no excuse for this.
Let's add this up:
1 - this update did not mention in any way, shape or form that it would "affect" (read: hack) Firefox. If it did, I would have said "no" because the whole reason I use FF is that it tends to be safer (there are sadly a few reasons that lock me to Windows, working on it).
2 - the EULA on display does not reference to this FF add-in, nor does it seek your permission for its installation. In other words, MS has not sought permission, nor abdicated responsibility as usual (not that that is possible with what is AFAIK probably a criminal offence). Before you ask, I did check - it's a lot shorter as "regular" EULAs go. Heck, it even misses the ALL CAPS bit.
3 - MS does not make Firefox, does not contribute to it, cannot even follow the standards it's based on, yet it is installing add-ins. It has nil arguments to mess with it, there is NO excuse whatsoever.
So, when -and where- will the first lawsuit be filed?
Computer Misuse Act?
Are they deceiving somebody so as to get their software running on your computer?
I wouldn't prosecute Microsoft over this -- they might set a nasty precedent by winning.
How about we all bill MS for our time spent removing this add-on from our systems?
"enables .NET apps to be installed with one click."
"easily and quietly"
easily, maybe, but requiring a click is not quietly.
Just can't help themselves can they.
Not content with fiddling with and breaking their own software, they now have the audacity to interfere with other companies products, and all this was done on the quiet as well rather than being upfront about it.
They just don’t get it.
Anybody else think they were just installing an exploit onto it. Release a public exploit code. Or sell it to some russians/chinese and say
"See IE was more secure all along!"
Yup - I've got the damn thing on my computer. Disabled it even before I finished reading the article and will now set about removing it. The annoying thing is that I have my windows update set only for security patches, specifically because I don't want MS buggering about with my setup without good reason.
This makes my browser LESS secure. They didn't ask me before they did it and I didn't want it. So now I know I can't trust MS even to add security patches without playing silly buggers.
"MS should not be patching third-party apps through Windows Update PERIOD. The idea of that site is to improve system stability, not fuck it up by messing with unrelated shit"
You do know that a little over a third of the windows codebase in XP is Microsoft bug fixing other vendors applications right?
Anyway the article seems to completely ignore that a clickonce app has to be signed with a trusted certificate before it will even install let alone silently, that clickonce has huge restrictions over what you can change on the system (no reg, no system files etc.).
Microsoft not the only company
Just taking a peek at the list of extensions I can see:
Java ( but that asked me )
A couple of Real plugins
and a Yahoo activeX plugin bridge
Apart from the Java plugin I believe all of those other ones did not ask me if they wanted a plugin to be installed.
I noticed it on the Win7 RC as well. I just assumed it was the usual Windows crap that is part and parcel with that particular OS (I haven't used Windows since win98). And lo and behold it was!
Smug, moi? Never! ;)
The cry of the failfag,
MS should provide supportzorz for other softwares!
The return of the failfag
ZOMFG MS put supportzorz for their crap into my failfag! Illigalz failzorz!
MS's attempt to weaken firefox security?
Perhaps this is an attempt to weaken the security of firefox.
One of the reasons that is mentioned as to why people started using firefox was that it was known to have better security . Perhaps MS are trying to level off the playing field.
P.S : To all these people whinging about unauthorised software being installed I have absolutely no sympathy - you should be using an open system that doesn't do things behind your back.
ANYONE who uses Windows can never know exactly what is going on their systems, there are process / packets hidden from users...
Aside from the general better quality one of my reasons for moving to Linux was the control that it gives you.
What is wrong?
I cannot see what there is you complain about here. Microsoft are provide us with the system on which the Firefox Javs can run so it is up to them if they wish to correct them to run better. I think we should be thanking the Microsoft people who provide us with the extra .Net functions in the Firefox free of charge. They do not have to help the Firefox people but they do because they want the Windows to always keep being the best it can be.
I don't get it. MS installs a *plug-in* and you're complaining? That the original version was difficult to uninstall was FIREFOX'S FAULT, not MS'. Why the hell they're being flamed for releasing a *workaround for a Firefox BUG* I have no idea.
Note that MS' plug-in is NOT hidden from view, masked, or otherwise camouflaged. If you open up the plugin manager GUI, it shows up just like all the other plug-ins.
This is not a malicious "hack", it's being installed to make web-based .NET apps easier to use for the less IT-literate users. I.e. those who do NOT frequent this website.
You're a *minority*. Deal with it and stop demanding every IT company under the sun panders to your every whim for f*ck's sake. Not everyone who has to use a computer actually gives a shit how the annoying box of tricks does its magic.
Maybe if you whingers and moaners could actually create software worth a damn, you'd have cause to complain, but you can't, so you don't. Get your own effing house in order before you blame people for genuinely caring about making computers *easy to use*.
@Michael B.: The iTunes plug-in redirects iTunes Store-related URLs to the iTunes app, where the resulting info is intended to be viewed.
Stop saying that they patched FF...
They released an add on for Firefox, they went about it in the wrong way, but that's all they did, it's not like they actually started adding bugs to the core application.
There are 3 main issues here:
1. MS should not have installed the addon silently.
2. FF should have allowed the removal of this more easily.
3. Shouldn't FF warn you when new addons are added through an interface other than its own? - maybe not at the time as it may not be running, but at least on next start up say "Hey, I found these addons and have no record of you telling me you wanted them, do you want them? [Yes] [No] [FILE_NOT_FOUND]"
Microsoft 1 : Mozilla 0
Sorry, whilst Mankysoft were wrong to go silently deploying an 'extension' into a competing product, there's more to blame than just them. I'm really quite annoyed that the concept of a 'silent' add-in exists at all in FF.
I'm paranoid enough to want _any_ extension to be added only after confirmation with the user. The only silent additions can be updates to existing add-ons as far as I'm concerned, (and personally even then I'd prefer a 'there's an update for xxx - do you want to apply' question). So what I want to know is when Mozilla are going to get their act together and get this hole sorted. Or is someone going to tell me that there's a "Add-on Security" add-on that I can install to do this?
Penguin icon because surely it's only a matter of time before we see MS 'enhancements' being pushed out to Debian et al. In which case I'm going back to paper and pencil.
Re:Contradictory by Coyote
I remember reading how it was/is possible to get a flash widget to "passthrough" the click to the underlying page, subverted for the intent of getting users to unknowingly click a button on the webpage - have this add-on installed and the next flash game you play could pwn your machine!!
I think MS....
may well have a problem with the UK laws at least in tampering with someone's computer system without their knowledge or permission. Surely if someone can get "done" for simply trying to access an insure website then MS are guilty as hell for tampering with Firefox? I believe a Court may well find them guilty.
MS = Guilty
Tell me please, what part of what MS did does NOT fit the below extract from the Computer Misuse Act;
3 Unauthorised modification of computer material
(1) A person is guilty of an offence if—
(a) he does any act which causes an unauthorised modification of the contents of any computer; and
(b) at the time when he does the act he has the requisite intent and the requisite knowledge.
(2) For the purposes of subsection (1)(b) above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing—
(a) to impair the operation of any computer;
(b) to prevent or hinder access to any program or data held in any computer; or
(c) to impair the operation of any such program or the reliability of any such data.
(3) The intent need not be directed at—
(a) any particular computer;
(b) any particular program or data or a program or data of any particular kind; or
(c) any particular modification or a modification of any particular kind.
"How to" available at
And yes it iz a fooking pain in the blucking ass.
M$ don't export your vulnerabilities to other's browsers. Fix your pooh.
Might explain something.....
The other day I found a bunch of .net EULA and installation files lurking on an external drive on one of the Windows boxes. I wonder if each time I was unknowingly installing some MS .net app it was dumping that junk there (I know the article leads to say that you had to click to accept it, but that might not be true in every case - I have noticed some sites behaving differently starting a couple months ago and put it off to them making a change on the site).
I also do wonder about the legality of that. Granted when I installed Norton on the Windows machines, it installed an add-on to scan incoming add-ons, but this is different.
@ statement above about "weaknesses" in Firefox: At least it shows up in the add-on bar; Who knows what they put under the hood of IE that we never know about....
At least I don't see that mess in Firefox on my Linux machines and this confirms why I feel constrained when I use Windows!
@ AC Monday 1st June 2009 15:26 GMT
You seem to be under the misguided notion that A: Anyone has the kind of money to waste filing lawsuit against MS for this and B: That MS does or would give a rust fuck about said lawsuit. They have in the past, do now, and will in the future ignore rulings against or win these kinds of lawsuits. A suit revolving around this wouldn't even make it out the door given that in relation to the big picture when it comes to MS illegal activities this is such small potatoes that it doesn't even register.
Well Turgle My Burds...
So Microsoft 'upgraded' FireFox without asking or saying so and then left the 'prompt before fucking you over' checkbox unchecked.
One thing I don't understand is.... well I just don't understand.
Java Quick Starter
Java Quick Starter operates in exactly the same way, making it difficult to remove because Firefox doesn't allow multi-user addons to be manually removed.
Seems to me that this is a pretty huge flaw if you can't remove these addons without a registry edit, even if you can disable them.
It would be really easy for one of those spamware sites to use this to make their toolbars and associated adware generators unremovable.
As for changing to Linux, no thanks. Just avoiding being associated with retards like you makes using Windows a better choice all by itself.
User agent string
I noticed this unwanted bit of kit install itself ages ago when they first started sending it out. The clue was that it changes Firefox's user agent to broadcast the currently installed .NET framework version to all and sundry.
Removing the add on does not revert the change made to the user agent string or at least, removing it by force like I did does not. To change that, open about:config, search for dotnet and clear the value of the general.useragent.extra.microsoftdotnet preference (or set it to something witty, of course).
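The leftover-preference check described in the comment above, as an added example that is not part of the original thread or any poster's own code. It assumes the profile stores user-set preferences as `user_pref("name", value);` lines in `prefs.js`; the function names and the sample file content are constructed for illustration.

```python
import re

# One line of a Firefox prefs.js file: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("(?P<name>[^"]+)",\s*(?P<value>.*)\);\s*$')

# Constructed sample of a profile's prefs.js; the values are illustrative only.
SAMPLE_PREFS = '''\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("general.useragent.extra.microsoftdotnet", "(.NET CLR 3.5.30729)");
user_pref("extensions.enabledItems", "example@constructed.invalid:1.0");
'''


def find_prefs(text, needle="dotnet"):
    """Return (line_number, name, raw_value) for every pref whose name
    contains `needle`, the same search the comment runs in about:config."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = PREF_RE.match(line)
        if m and needle in m.group("name").lower():
            hits.append((lineno, m.group("name"), m.group("value")))
    return hits


def clear_prefs(text, needle="dotnet"):
    """Return a copy of `text` in which matching string prefs are set to
    the empty string ("clear the value"); all other lines are untouched."""
    out = []
    for line in text.splitlines(keepends=True):
        m = PREF_RE.match(line)
        # Only string-typed values are cleared, so a pref never changes type.
        if m and needle in m.group("name").lower() and m.group("value").startswith('"'):
            eol = "\n" if line.endswith("\n") else ""
            line = 'user_pref("%s", "");%s' % (m.group("name"), eol)
        out.append(line)
    return "".join(out)


if __name__ == "__main__":
    for lineno, name, value in find_prefs(SAMPLE_PREFS):
        print("line %d: %s = %s" % (lineno, name, value))
    print(clear_prefs(SAMPLE_PREFS), end="")
```

Firefox rewrites `prefs.js` when it exits, so a cleaned copy only sticks if it is written back while the browser is closed.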
Lets just extend your logic a bit shall we.
According to you it would be OK for an update to Open Office to silently patch MS Word so that ODF was the default document type and disable the mechanism to change the default to any other file type.
That would be just as stupid.
MMMMMMMMMM, you know what to do.....
Also @ Eddie Edwards:
Having the so-called dominating web browser in the market.....Microsoft should not have to resort to this. Eddie is right. Updates should be just that....updates, not some method to screw with other companies' stuff.
I have used Microsoft products since DOS 3 something or other. I moved over to Ubuntu after being mucked about at work far too many times to remember ( and that was in one week!!!). If you don't want Microsoft ruling your life, don't complain! Do something about it!
Hurrah to Firefox
Tell mozilla to keep doing what they're doing, they're clearly worrying microsoft enough to prompt this sort of dirty behaviour.
MS did something that showed a bug in firefox, by doing something that actually helped firefox by making things behave in the same way as it would on IE (which they would be moaned at otherwise for making it "only work on IE"), the bug has now been fixed and worked around, but i want to throw my toys at microsoft because ....... i dunno its the cool IT thing to do so i whine on internet forums, aren't i smartzzzzz!!!
There, now i have said it so you idiots can stop posting now!
hissy fit central
I don't get the hissy fits. I welcome anything that makes firefox work better with websites that only seem to work properly in IE, due to retarded web devs.
And, as Mike B correctly points out, MS aren't the only ones to do it!
I'm telling you
Microsoft love Firefox so much they think they own it
I installed FedoraCore 10 over the weekend and already I can gloat about it on the reg forums. Score!
Contrary to the article, there WAS a big stink on slashdot some time ago about an update installing a hard-to-remove firefox plugin, I guess it was just long enough ago already that slashdot collectively forgot about it 8-)
Anyway, I don't like this at all, but I'm with Ged.... Microsoft released a buggy update, and fixed this bug. I don't like updates that install extra software either, but this is par for the course for Windows (which is one reason why I don't use it.)
so "millions of eyes" help make Open Source more secure?
Wonderful. This update is almost 4 months old, and all of a sudden people are up in arms about it. So much for "many eyes making bugs shallow".
Interestingly, it's not the people with the skills that count that are up in arms about it, because they understand that there is nothing sneaky or underhand about this (if you install the .Net Framework, it's enabled in all of the "standard" places, including Firefox and Chrome). If Microsoft didn't support those environments, the same people would be complaining that Microsoft wasn't supporting open standards.
As others have pointed out, Adobe, Google and Java all do exactly the same thing - and I'm pretty sure that Java doesn't ask for permission to do this either - when you install Java, you get a "silent" update to the Java starter addon in Firefox.
Have I got this right?
So Microsoft are telling me:
We have decided on your behalf that for our convenience and to improve our market share it is quite OK for us to compromise the security of your machine without asking you and without warning you that we are doing so.