Firefox users flip out over sneak MS add-on Firefox fans are up in arms after a recent Microsoft software update silently installed a Firefox extension that is difficult to remove. Users agreeing to install a service pack for the .NET Framework (NET Framework 3.5 Service Pack 1) through Windows update were also pushed a Firefox add-on that is potentially difficult to …
The only Add-ons I can see my end are:-
Adblock Plus 1.0.2
BetterPrivacy 1.29
British English Dictionary 1.19
CustomizeGoogle 0.76
Gmail Notifier 0.6.3.11
IE Tab 1.5.20090207
LogMeIn, Inc. Remote Access Plugin 1.0.0.406
NoScript 1.9.3.3
Webmail Notifier 1.2.1
Yahoo! Mail Notifier 1.0.0.16
Move along please
if your still daft enough to still be using Windows when you don't need to be.
I think this is solid proof if proof be needed that MS are fucking with your heads. I could never tolerate that. It makes me queasy just to think about it.
I'm also in agreement with Martin Kirk: we should bill MS for the time spent getting rid of it. An invoice is a demand for payment and failure to not pay an invoice is in fact against the law. I'd love to see MS defend themselves against not not paying several million small invoices.
Try moving on to something grown-up (and Microsoft agnostic). Its easy.
The main reason most people have installed Firefox is to avoid the gaping security holes in Windows Internet Explorer, particularly in running uninvited code. And the M$tards are basically patching Firefox - without asking - to make it more likely to do the same thing?
I hope the EU Courts will have something to say about that, since once again M$ is abusing its monopoly position against a competing web browser. You'd think they'd have paid out enough already!
ps Should that be cocks-up?
pps Paris 'cos she doesn't care.
It's hardly a vulnerability. We all install MS updates to (try to) keep our Windows boxes secure. Microsoft exploited this trust by slipping something through that is potentially unwanted, without much disclosure. Once you've given software permission to install---in the case of Windows updates by making them automatic or choosing to install them---the software has the privileges to do whatever it's programmed to do, beneficial or otherwise. It's like blaming the manufacturer of the lock on your front door when your ex still has the key you never got back.
Shame on MS for doing this, and I'm sorry if it (your misunderstanding of the situation) so upset you that you got your diaper in a twist and felt the need to admonish everyone.
There were complaints about this as far back as 12 August 2008, when it was a manual-only download.
http://channel9.msdn.com/forums/Coffeehouse/421171-NET-Framework-Assistant/
http://wyday.com/blog/2008/how-to-uninstall-microsoft-net-framework-assistant-from-firefox/
The delay between initial complaints and media pick-up could be because those most likely to care about security/privacy downloaded .NET 3.5 SP1 before it was available through Windows Update. If you’re one of only a small number of people being affected, you’re more likely to remove the offending add-on, moan a little and then just get on with things. As Michael B wrote, most people have a whole load of other add-on extensions and plug-ins installed and enabled. There are many reasons for Windows users choosing Firefox over Internet Explorer. Sadly, I can’t imagine security was a significant reason for many.
"I think we should be thanking the Microsoft people who provide us with the extra .Net functions in the Firefox free of charge. "
No. Sorry, but just, no. Not even close.
Ever since reading this article (http://www.ranum.com/security/computer_security/editorials/dumb/) I have a "default deny" stance with stuff from the internet. Deny Javascript, deny cookies, and sure as hell deny anything that can download arbitrary code from the net and run it on my PC.
This is why I was using FF in the first place, to get away from horrid things like ActiveX. And lo! MS come along and open up a colossal potential security hole, injecting it into a third party product, without even asking me. Sigh.
I noticed this thing a while back; it was gone from my system within the hour and our sysadmin informed.
So, Bad Balmer icon from me.
MS was known to do these kinds of things with their updates, if you have no problem using your system do not update it except for very specific patches that you understand to be required for your particular use of a system.
IOW, if you use firefox, do not install every IE patch that comes down the pike. If you aren't interested in DotNet functionality in your browser, don't install any DotNet patch until you're using something else requiring that DotNet level.
I do agree though, MS had no business altering 3rd party software in any way without specific user agreement, it is not enough that it be in a EULA because they release so many patches we'd be reading for days, the value of our time already exceeding the cost of the OS.
I don't think it was malicious though, only arrogant and another sign they have an interest in keeping web technology MS-centric, they want the world to develop DotNet and Silverlight instead of open tech, the same as they wanted the world to develop anything for IE or windows in general.
We let them do it. Just look at all the 'nix snobs that only suggest others run linux, but they don't provide the grass level peep support people had when windows was gaining momentum. With n00b windows users, if John Doe asked in a forum, "How do I see how much free space my hard drive has in Windows", someone would tell him. With n00b 'nix users, if John Doe asked the same question he'd get chastised or at best told something in geek-speak instead of plain and THOROUGH help.
In the Linux community there is this idea that new users are supposed to muck their way through getting a system up and running correctly instead of realize Linux is of no use if it doesn't start out running correctly so the user can remain productive while slowly learning more about the OS their machine runs.
To put it another way, do something basic like install Ubuntu on a laptop. Oops, no networking, seems a wrapper is needed for certain very popular network chips. Now what? System is a paperweight as you have to have a 2nd one to find a solution, but people only say "use a wrapper", they don't go through every single step nor is it automated.
Computers are supposed to do our work for us, not make us learn yet another discipline so we can devolve backwards to doing things manually.
I went on this rant to show the inherent problem, there is a balance needed between what the OS and Apps developers and peer support do for us, and what intervention we want control over. Linux does too little, Windows too much.
There's nothing dodgy going on here. Microsoft have installed a global extension for Firefox. It is picked up by all Firefox profiles on the system. That's what global extensions do. It is working exactly as Mozilla intended it to. If you run a portable apps version of Firefox it will be picked up there too because Firefox sees all global extensions when it loads up.
AVG anti-virus does exactly the same thing if you install their web tools. The add-on-is doing exactly what it's supposed to do. Microsoft are naughty for not advising that they're doing it, and for not providing an easy uninstall for it. But it's perfectly normal Mozilla functionality - if you must rant, have a go at them for designing that architecture into Firefox.
The Registratrix must be so proud! "OMG, Micro$oft installed something on my computer MONTHS ago!!!! I found out because The Reg told me about it!! Oh big bad nasty Micro$oft!!!"
Oh please quit your twaddling, you crybaby little whingy gits. HOW long was this on your system?
But, right on cue, an orchestra of fanboi rants at [whatever El Reg has written about today], regardless of whether knowledge of the issue extends beyond the final paragraph of the article.
I really must commend her; her control is nearly complete.
You're subtle but misleading. Of course if John Doe asks this question on (let's say) Linux kernel developers forum, he will get what (in my opinion) deserves. And for your information, asking this particular question shows he didn't read elementary documentation and more than that, he doesn't have any desire to read and learn about Linux. He just wants someone to give him the exact command line so he can copy and paste it at the prompt. My friend, this is the result of staying too close to Windows. Lack of real documentation (no, "Windows for dummies" doesn't count) makes the Windows user lazy in searching for answers.
I tried in vain to understand your last paragraph but reading again the one just above it, all became clear to me. You are doing way more than letting the computer work for you, you're allowing it to think for you. Tell me please what good is your brain if you don't use it for learning something new ?
Oh, and your example of installing wireless networking Ubuntu is lame. Allmost all ethernet network interfaces that come on recent motherboards do not have drivers in Windows so yes, you'll need a second system to download them too (unless perhaps you have an automated way of connecting to the net before installing Windows).
What are you people astroturfers or M$ spin doctors? How you can defend M$ on this is baffling to me! Could I as a writer of firefox add-on write an add on that surreptitiously that gets control of a machine in this way? NO, because when a USER installs an add on, they do not get that level of permissions to do this. But M$, the true OWNER of the windows system(not YOU, read the license) and by extension YOUR machine gets that level of permission in its update process so it can do such a shiity thing to its cutomers.
Should FF developers have blocked this from happening? No doubt if the OPEN SOURCE community had access to the M$ SOURCE CODE they could head off the ability of M$ to fuck around with things they have no right to fuck around with. Advantage M$, disadvantage PAYING TRUSTING LOYAL CUSTOMER.
M$ apologists, have the dark hearts of lawyers. M$ apologists are also the Republican, Conservative, Liberal ie right wing scum bags of the IT world.
Which popular network card did YOU have the problem with or are you reporting some heresay you read in a forum somewhere?
Wanna know how much disk space left in a drive, in kde you have KDF or 'K Disk Free' a pretty graphic tool in sytem>monitoring. You may have to 'mount' the windows drive first though. In the left pane of Konqueror (the KDE 'explorer') in the 'storage media' bit, click on 'drive C' to mount your windows drive.
Yes this Linux stuff is rocket science is it not? With such complex instruction like I just described, it is no wonder wintards are scared away from it.
Say, for example, you employ a cleaner to clean your house, every room top bottom except the bedroom, YOU will take care of that. The cleaner does their thing, you are happy with them but one day, you go to your bedroom and find in plain view some 'items' of a personal nature that you normally have stored discretely away and a note from the cleaner as how they have moved the items to make it easier for YOU to find/use them.
What would YOU do? Any normal person would feel violated and upset and probably have words or stronger with the cleaner but, judging by the response of the wintards on here, with the 'tard' part of the word been particularly relevant, they would not be concerned and would actually thank and congratulate the cleaner for what they did!
has ANYONE actaully bothered to check the eula, or did you just click on ok as normal, i am preetty sure a company like MS will have something in the eula to say that either they are installing it or that they are allowed to install it.
Its a addon, if its a major problem then the idea of addons in firefox is not working, but as normal ms are damned if they do and damned if they don't because the internet is full of complete idiots.
Dear Auntie Reg, I have fallen for the old "security update" scam. I run some schill ware for the major copyright holders, I downloaded a "security update" this included a program that significantly altered the function of a third party application without permission or notification. I am told i need to use Reg edit to remove it. Might you send him round ASAP? In the past the worst the schillware did was to change file associations to their app from 3rd party apps and DRMing some mp3 files that where legitimately not DRM'ed.
so my question.. Should i contact PC plod to report that Microsfot buisness network, purveyor of poor quality security colanders to the masses (formerly controlled by the mysterious multi billionaire Byll Gits ( for defamation avoidance , i think that's how you spell it). has hacked and circumvented my careful security measures?
Linux needs a wrapper because the hardware manufacturers are still pandering to the sheeple-OS only.
If you have, say, an Intel chip (small company out of Oregon, you may've heard of them) it just works, on most any recent distribution.
With Windows, it works *not* because MS is doing *anything at all*, but because the hardware manufacturer went all out to make sure.
This, my friend, is a direct result of them being a monopoly, though it's at a level where MS can't be blamed for it in court.
I install and configure Linux for friends and family, even people I only have a nodding acquaintance with, no strings attached. That such level of support is needed is not Linux's fault.
However, I also know people who talk like you do, and I am happy they're on Windows. I took the water to the horse['s ass] but I can't make him drink you know.
Back to this issue: regardless of what is or is not Firefox's fault, installing something onto a **competing** product, that changes the behaviour of the competing product (useragent string), **without** the user's permission, is criminal.
They couldn't come up with even a little dialog saying "oh hey I notice you have FF. I can install foobar onto it to make your experience on FF as foobar as on our own IE. Would you like me to?"
And for those who think this was not intentional, let me assure you MS staff are not idiots. That old line about "never attribute to malice that which can be explained by stupidity" doesn't apply to MS.
In this case, it was to make sure .Net and Moonshine work on as many computers as possible.
Dear AC I'm Preeety sure you'l find that there is no EULA on security updates from Microshaft, otherwise they couldn't install unattended in the background...
Just had a thought , look round the back of your computer Does the label say "vtech toddler computer?" if so look again on a grown-ups computer at the article and Microsoft's website
"You're a *minority*. "
Not in Europe we're not, FF is the most popular browser here.
MS did not *ASK* before installing, that is the issue.
MS did not provide an uninstall, that is also part of the issue.
The fact that FF will not allow me to remove machine level code is a tertiary issue.
Any software vendor (and I mean "any", Apple are equally guilty) that installs code without my explicit consent is installing malware. This may be a breach of the Computer Misuse Act.
"Could I as a writer of firefox add-on write an add on that surreptitiously that gets control of a machine in this way? "
HAHAHAHHAHAHAHA , serious is a firefox addon is "getting control of my machine" as you claim then the problem is with firefox not ms, seriously stop being an idiot.
"Say, for example, you employ a cleaner to clean your house, every room top bottom except the bedroom, YOU will take care of that. The cleaner does their thing, you are happy with them but one day, you go to your bedroom and find in plain view some 'items' of a personal nature that you normally have stored discretely away and a note from the cleaner as how they have moved the items to make it easier for YOU to find/use them."
Incorrect analogy, its like the window cleaner leaving a bottle of car window cleaner on your doorstep. As basically the addon is helping you install stuff using a different browser/
And again to everyone who says it was without notification? DID YOU READ THE EULA (i'm betting no and you just clicked yes, yes,yes, yes each time), if you didn't shut the hell up complaining.AVG etc all do this as well, have a go at them , or have a go at firefox for not putting something in to detect new addons that are installed and telling users about it.
To all of those saying that these were added without your permission. These are plugins NOT extensions. What Microsoft installed without permission, without asking and silently was a new extension to Firefox which added functionality which some of us possibly didn't want, or at least wanted to have the option to choose rather than having our decisions made for us. The add-on also changed the user agent string to include .NET descriptors and also returned information on your system back to websites that supported the .NET extension.
It is NOT in the EULA, go on, read it... it will bore you shitless and you'll be tempted to give up before the end but its not in there (unless my brain imploded from all the legal bollocks it had to cope with).
Ask yourself. Is what they did acceptable in any way. They used a feature of FF to install an extension without it ever been requested. FF add-ons always ask when you are installing if you trust them and are they coming from a site you trust. Microsoft didn't feel they needed to ask us those questions and simply forced it down our throats. They put software into a third party application that affects the way that application works without telling anyone or asking anyone. Hell if I do that to your computer I'm a criminal but Microsoft are apparently above the law.
In the original blog post about it Brad posted : "We added this support at the machine level in order to enable the feature for all users on the machine. Seems reasonable right?"
They took a decision to override individuals preferences and forced it onto everyone and they didn't even check to see if an individual could actually de-install it. Is that reasonable?
I assume that the next time your car is in the in garage for a service, and they just tinker with the engine or the steering to "improve your driving experience" and they don't ask to do it, or tell you that they've done it, or even allow you to take those changes away, that you'll be totally happy?
Even it was just a plug in and they added it silently like some of the other plugins it still does not make what they did right. Just because company X and company Y do it does not make it right.
userAgent:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
and the corresponding about:config
general.useragent.extra.microsoftdotnet;(.NET CLR 3.5.30729)
Worst part is that the prompt is unchecked - just go to:
Tools > Add-ons
You'll see "Microsoft .NET Framework Assistant 1.0"
Click the relevant "Options" button and ensure that "Prompt before running ClickOnce applications" is checked - at least then, if something wants to make use of this feature, FF will ask you first.
Yes, SILENTLY installing this update on FF with the .NET patch was distinctly wrong but it's MS, you expect it... normally when something wants to install a browser add-on it'll at least give you a (normally pre-checked) check-box asking if you want to install it.
Oddly enough - couldn't find any trace of this in the Opera about:config
"I assume that the next time your car is in the in garage for a service, and they just tinker with the engine or the steering to "improve your driving experience" and they don't ask to do it, or tell you that they've done it, or even allow you to take those changes away, that you'll be totally happy?"
Err, yeah of course i would, free extras for no cost and no extra time, ride on!
Anyway enough of this, all you whiners would NOT be commenting on this if it was any other company, the only reason you are all up in arms is because ms have done it (and again, you would also be up in arms if they didn't include the functionality because they would be "focusing on IE"), if any other company did it (and they do) nothing would be said.
Finally the proof. And before the fanbums start saying it wasn't Mozzila's fault, it was a third party - I don't care. Microsoft don't go around making viruses and exploits for their own users either, it's third parties who are to blame, yet he fanbums love to atack the 'evil empire'.
Very very bad Firefox here, allowing third parties to do whetever they want with no regard to the user. Trust has been broken, mark my words. Google Chrome is the tiger in the grass, and fox no match for tiger.
This *IS* insidious. I wasn't too concerned (it's like them adding the ASP.NET user account to XP with the .Net installer - annoying, but not altogether unexpected) at first, but having just plugged Firefox Portable into a brand new machine, it's automatically installed the plugin, even though the Windows .NET installer was run days ago.
That, to me, is totally unacceptable. You can almost excuse them messing with an installed copy of firefox, but the whole point of a Portable App is one that YOU control the settings on more than usual because it travels between machines...
MS Installed an extention into non MS software without specific permission: Bad.
FF Allows an extention to be installed without specific user permission: Bad.
FF doesn't allow individual users to disable a globally installed plugin: Dubious
MS change plugin so it can be more easily diabled: Ok, but a bit belated
This is another non-linux story hijacked by Linux zealots: Tedious
I stopped using FF and IE a couple of weeks ago and use Opera now: Ha, ha.
Now get back to work.
Man you Windows fanbois have got a real persecution complex haven't you?! You can dish dish it, but woe betide anyone that besmirches your precious Microsoft and Windows OS. Look, MSFT have been naughty here. The SP1 was for .Net. They have 'sneaked' a plugin UNLAWFULLY onto Windows systems. Thats wrong. Apple did it with Safari and they where rightly derided. So suck it up fanbois. Really, how hard would it have been to prompt the user for permission? It'll be that shite Silverlight next...
[DISCLAIMER] This is not legal advice. Please consult a solicitor for legal concerns [/DISCLAIMER]
@MS = Guilty , By Anonymous Coward Posted Monday 1st June 2009 16:57 GMT
"Tell me please, what part of what MS did does NOT fit the below extract from the Computer Misuse Act;"
Specifically, not one of 3.2.a, 3.2.b, or 3.2.c is met, which means that 3.1.b cannot be met, which means it is not illegal, under the Computer Misuse Act clause you have quoted. To wit:
"(2) For the purposes of subsection (1)(b) above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing—
(a) to impair the operation of any computer;"
- This does not "impair" the operation of the computer. This might make it easier for other code conforming to MS rules (OneClick) to run on the computer, but that would be outside the scope of MS, unless such code was, in fact, written by MS.
"(b) to prevent or hinder access to any program or data held in any computer; or"
- This does not stop FF from running. It does not stop FF from accessing any sites (in and of itself). It does not modify any access to data on the computer. It *does* install for all users, and therefore some versions of FF might have issue *uninstalling* (fixed as of latest version, I hear?), but does not "prevent or hinder" access to any data on your computer. In fact, it provides and eases access to more data (see below).
"(c) to impair the operation of any such program or the reliability of any such data."
- This does not impair the operation of FF. It could, in fact, be argued that the plugin extends the functionality of FF (which one might expect a plugin to do, eh?), not withstanding interference with other plugins. Unfortuneately, there are quite a few examples of plugins that *do not* like to work together (OGame, anyone?), so this is not a isolated, malicious instance. This, in fact, does not impair the reliability of data on your machine; in fact, it might be argued that as site you visit is provided what version of .NET you are running, it can improve the reliabilty of data provided to you by the site.
If MS violated its own EULA or did/did not put appropriate information/clauses in there to allow it to install the plugin (which is still separate software and distinct from FF), is another matter which has been discussed above.
Personal Opinion:
This is not uncommon to those [explictive removed] "shareware" or "free" (as in beer) "tools" that include Google/Yahoo/OpenDNS/etc. Toolbar in FF and IE as a silent(!) *requirement* to installing them. They are also extending FF without my knowledge and against my will, but is tucked away as part and parcel of the app.
Do I feel MS was wrong to do this, *in this way*? Heck yeah. By their own procedures (not necessarily rules), this should have been tucked into "Optional Components" and shouted and jumped pointing to it. That would have allowed them to tout and toot "Look how magnanimous we are!" to provide better functionality to "the lesser masses." But, but putting it in under cover of "Critical Security!", they have simply come off as Evil Empire(tm) again.
"(c) to impair the operation of any such program or the reliability of any such data."- This does not impair the operation of FF. It could, in fact, be argued that the plugin extends the functionality of FF (which one might expect a plugin to do, eh?)
Wrong. It silently allows external code to install and run -silently. (yes, double silent: the plugin installs silently, and the 4th-party code will install silently). So it digs a huge security hole. It _is_ impairing the proper operation of the software. Period. (and I don't give a shit about the ridiculous "but clickonce app has to be signed with a certificate". Who says the certificate is to be trusted? the same company who sneaked the malicious hole in the first place? How trustful!)
Not a big issue for me anyway. It's not like I was foolish enough to use Windows for mission-critical tasks -unless it's on a properly quarantined machine.
Let's say you have an NVIDIA nForce 570 SLI MCP built-in Gigabit MAC with external Marvell PHY, Windows XP will helpfully show you an unknown ethernet controller (if you're lucky). Maybe it's not popular but that's what comes with a lot of Asus motherboards.
Regarding your opinion on getting help in Linux, please imagine for a second what would happen if I would go to a Windows forum (Microsoft TechNet) and ask how can I see the free space on my Linux partitions while I'm in Windows gui. How helpful will they be ? From my Linux experience I know you will have to mount the Linux partition somehow but I doubt you'll find a lot of Microsofties who will tell you how to do it.
Yes this Linux stuff is rocket science is it not? With such complex instruction like I just described, it is no wonder wintards are scared away from it.
I only use Ubuntu and I have never come across a more friendly set of forums than those at Ubuntu. People bending over backwards to help, when the questions are sensible and show a genuine need for help.
What annoys anyone technical, no matter what O/S or application, is some complete prat turning up and asking the most idiotic questions and you know full well they haven't even bothered to attempt a simple bit of reading the help pages or Googling for an answer. You managed to get a browser up somehow, on something and you managed to log into this forum, so you can't be a complete brain-dead zombie then?!
Two of the following are genuine questions:
"Can I run this Linux thing in Windows 7?"
"Duh, I got this Linux thing installed, why won't it run run Access?"
"I got an Apple and IE is not installed, why not? This suxxors!"
"I can't find my arse with both hands, am I a complete twat?".
"Annoyances.org, a Windows gripes site, reports that the update slaps IE-style behaviour on Firefox users, specifically the "ability for Web sites to easily and quietly install software on your PC"."
Note the quotes people, El Reg have not said the plugin does this, Annoyances.org have and they are hopelessly wrong.
The plugin is for a technology called Click Once. It allows developers to publish .net applications via the internet/intranet. I use it at work and its very handy.
It is far from covert, the user sees a web page telling them what app they are installing along with a big install button. Nothing gets downloaded without the user pressing the install button. Once installed, the app, when launched can check the site and see if any newer versions are available. Once again, the user must click on the install button to install the update. The user can also use Add/Remove programs to uninstall the App if they no longer need it. For anyone to publish an App in this way, they must digitally sign the code as well, making it harder for a site to get hacked and the hacker replacing the app with something nasty. And, as far as I am aware, it only works with .net applications.
Far from trying to subvert FireFox or make it “act like IE”, the purpose is to allow users to install .net applications without having to resort to running IE in the first place. This technology is nothing like the godforsaken mess IE’s ActiveX components was.
Granted, the plugin cannot be easily removed unless you have updated it. But the purpose of the update is so you CAN remove it.
I hope this helps to clarify matters!
In a fit of disgust I went to the place you delete shit and ploffed [Specifically anything .NET and arbitrarily Microsoft] it off. Not that I should be bothered that...... later on in the excercise it was saying some of me software would not work if I did it.
HAH!!!!!! KILL KILL KILL
Still..... I did notice that [grumble] when I tried to uninstall one bit of cruft I was told that I did not have the 'Administrative Privilidges' to do so. YahFuckingBut I, don't know who the fuck you think you are but am Admin/Root God and shit coz you let me be.
Strange to say that having arbitrarily got rid of the cruft putre [sic] boots real quick and still works.
I suppose I'll just install Firefox again and gain a lack of .NET compatibilty until my shit get upgraded.
Whoopy Fucking Dooo!!!!
Microsoft is downloading updates to take care of me.... or sniffing about elsewhere after my rape to see what I got rid of.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
