Microsoft Update Quietly Installs Firefox Extension

A routine security update for a Microsoft Windows component installed on tens of millions of computers has quietly installed an extra add-on for an untold number of users surfing the Web with Mozilla's Firefox Web browser.

Earlier this year, Microsoft shipped a bundle of updates known as a "service pack" for a programming platform called the Microsoft .NET Framework, which Microsoft and plenty of third-party developers use to run a variety of interactive programs on Windows.

The service pack for the .NET Framework, like other updates, was pushed out to users through the Windows Update Web site. A number of readers had never heard of this platform before Windows Update started offering the service pack for it, and many of you wanted to know whether it was okay to go ahead and install this thing. Having earlier checked to see whether the service pack had caused any widespread problems or interfered with third-party programs -- and not finding any that warranted waving readers away from this update -- I told readers not to worry and to go ahead and install it.

dotnetext.JPG

I'm here to report a small side effect from installing this service pack that I was not aware of until just a few days ago: Apparently, the .NET update automatically installs its own Firefox add-on that is difficult -- if not dangerous -- to remove, once installed.

Annoyances.org, which lists various aspects of Windows that are, well, annoying, says "this update adds to Firefox one of the most dangerous vulnerabilities present in all versions of Internet Explorer: the ability for Web sites to easily and quietly install software on your PC." I'm not sure I'd put things in quite such dire terms, but I'm fairly confident that a decent number of Firefox for Windows users are rabidly anti-Internet Explorer, and would take umbrage at the very notion of Redmond monkeying with the browser in any way.

Big deal, you say? I can just uninstall the add-on via Firefox's handy Add-ons interface, right? Not so fast. The trouble is, Microsoft has disabled the "uninstall" button on the extension. What's more, Microsoft tells us that the only way to get rid of this thing is to modify the Windows registry, an exercise that -- if done imprecisely -- can cause Windows systems to fail to boot up.

When I first learned of this, three thoughts immediately flashed through my mind:

1) How the %#@! did I miss this?

2) The right way would have been to just publish the add-on at Mozilla's Add Ons page.

3) This kind of makes you wonder what else MS is installing without your knowledge.

Then I found that I wasn't the only one who had these ideas. Microsoft has heard these criticisms from others who long ago commented on this unfortunate development (see the comments underneath this post).

Anyway, I'm sure it's not the end of the world, but it's probably infuriating to many readers nonetheless. Firstly -- to my readers -- I apologize for overlooking this..."feature" of the .NET Framework security update. Secondly -- to Microsoft -- this is a great example of how not to convince people to trust your security updates.

By Brian Krebs  |  May 29, 2009; 7:40 AM ET
Categories: From the Bunker, New Patches | Tags: .NET Framework, firefox add-on

Comments

"Not compatible with Firefox 3.5b4"

Good...

Posted by: wiredog | May 29, 2009 7:50 AM | Report abuse

I've also noticed Google Gears and Java Quick Starter on my list of Firefox Add-ons, on top of the .NET one, that have disabled the "uninstall" button. I have at least disabled those three for now but sure would like the ability to take them off altogether.

Posted by: joseph4 | May 29, 2009 9:05 AM | Report abuse

> Microsoft has disabled the "uninstall" button on the extension

Unfortunately, this is only partially Microsoft's fault. Firefox makes it easy for applications to ship their own browser extensions - they only need to add a registry entry that points to the extension's directory. But Firefox cannot uninstall extensions that were installed like this (because it didn't install them in the first place, because it might require administrator rights and because doing that would affect other Firefox profiles as well). So while this feature is great for application developers, it is rather flawed from user's point of view.

Luckily, you can disable this extension which is just as good as uninstalling it. Removing the registry entry isn't recommendable anyway, it will come back on next update. The drawback is - every time I create a new Firefox profile I have to remember that I should disable the .NET extension. But I guess most people don't have that problem.

Posted by: WladimirPalant | May 29, 2009 9:12 AM | Report abuse
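The registry-based install mechanism described in the comment above can be audited without changing anything. The following is an added example, not part of the original post or thread, and not Microsoft's or Mozilla's code. The key paths are taken from Mozilla's documentation of registry-installed extensions rather than from this page, and the function name is hypothetical.

```powershell
# Added example: read-only audit of Firefox extensions registered through the
# Windows registry instead of being installed from inside the browser.
# Under each key below, every value NAME is an extension ID and the value DATA
# is the directory (or .xpi file) that Firefox loads the extension from.
# Key paths are assumed from Mozilla's documentation; they are not on this page.

function Get-RegistryInstalledFirefoxExtension {
    param(
        [string[]]$KeyPath = @(
            'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions',              # all users
            'HKLM:\SOFTWARE\WOW6432Node\Mozilla\Firefox\Extensions',  # 32-bit view on 64-bit Windows
            'HKCU:\SOFTWARE\Mozilla\Firefox\Extensions'               # current user only
        )
    )

    foreach ($path in $KeyPath) {
        # A missing key just means nothing was registered in that hive.
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $key = Get-Item -LiteralPath $path
        foreach ($name in $key.GetValueNames()) {
            if ([string]::IsNullOrEmpty($name)) { continue }   # skip the key's default value

            $target = [string]$key.GetValue($name)
            [pscustomobject]@{
                Scope        = if ($path -like 'HKLM:*') { 'AllUsers' } else { 'CurrentUser' }
                RegistryKey  = $path
                ExtensionId  = $name
                Target       = $target
                # False means a stale entry: the registry still points at a
                # location that no longer exists on disk.
                TargetExists = [bool]($target -and (Test-Path -LiteralPath $target))
            }
        }
    }
}

# Report only; nothing is modified or deleted.
Get-RegistryInstalledFirefoxExtension |
    Sort-Object Scope, ExtensionId |
    Format-Table -AutoSize -Wrap
```

Entries reported with scope AllUsers apply to every Firefox profile on the machine, which matches the comment's point that Firefox cannot remove them on behalf of a single profile.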

Will disabling this extension prevent it from causing a vulnerability and taking up system resources?

Posted by: bokamba | May 29, 2009 9:18 AM | Report abuse

@bokamba: Yes, an extension that is disabled is as good as an extension that isn't installed - Firefox won't load it.

Posted by: WladimirPalant | May 29, 2009 9:23 AM | Report abuse

It looks like the Microsoft dotnet addon also affects the Chrome browser.

Posted by: TwoCentsWrth | May 29, 2009 9:59 AM | Report abuse

This is a very good reason as to why I have automatic updates disabled here. I update every month just on MY terms. I always use custom update and I choose what needs to be installed, not what MS thinks should be installed. After all .NET is nothing more than BLOAT WARE anyways. You will not find that junk anywhere on my machines. I have never seen any good reason to install it and when authors say they have a new version written using .NET I jump their ship and find something that does not use that JUNK.

Posted by: mmcgrane | May 29, 2009 10:19 AM | Report abuse

Brian

I was one who asked you about .NET about a year ago. As I am at work and unfortunately have Verizon Business, which comes with the slowest speed possible, I didn't accept the latest .NET update. Much like mmcgrane, I also disabled automatic updates since we never know what MS is actually pushing out to us. This is further proof that Microsoft seems ever untruthful!

Furthermore, how necessary is this framework? It would be nice to know which programs actually use the .NET framework. It’s an optional download, if you don’t use automatic updates. If it is a necessary feature, then why isn’t the framework part of the OS? Can users successfully remove .NET through "Add or Remove Programs"?

Posted by: ummhuh1 | May 29, 2009 10:56 AM | Report abuse

Even if one is using a Firefox version like 3.5b4, with which the add-on is incompatible (and therefore doesn't load), the latter can still be removed via another update which Microsoft released in February and which can be accessed here ( http://preview.tinyurl.com/cbx4me ). After the update has been installed, the «Uninstall» button for the «Microsoft .NET Framework Assistent 1.0», which can be accessed via «Tools» → «Add-ons», is no longer greyed out, and the add-on can be removed in the usual manner. The information provided with the update on the Microsoft page states that «To properly update the .NET Framework Assistant, this update must be applied while the extension is enabled in Firefox», but in my experience the update can easily be installed and the add-on removed, even in the case of Firefox versions like 3.5b4, with which the «Microsoft .NET Framework Assistent 1.0» is incompatible....

Henri

Posted by: mhenriday | May 29, 2009 11:36 AM | Report abuse

Looks like the author did not install the latest version for .NET Framework Assistant 1.0 for Firefox. The latest version supports per-user uninstallation and FF 3.5.

Not sure why there is not a word on comparative analysis. Java Quick Starter does the same thing (from Firefox extension installation to application launching), except the app launched does not necessarily run in a security sandbox.

.NET Framework Assistant is for launching ClickOnce applications into a security sandbox (something like java VM's sand box). The launcher will prompt the user if they want to download the app and run it (like other ActiveX and java applets). It is safer than downloading an exe and running it because of the security sandbox.

Posted by: sheng_jiang | May 29, 2009 12:18 PM | Report abuse

Mhenriday is correct (post above). Once you install the new MS add-on, you can remove it within Firefox. Then you can go to add/remove programs and remove MS .Net Framework, should you so desire. I just did. Fewer vulnerabilities, less moving parts....

Posted by: blowbush | May 29, 2009 12:20 PM | Report abuse

Thanks for that information, Henri.

Posted by: BTKrebs | May 29, 2009 12:29 PM | Report abuse

How to manually remove the .NET Framework Assistant for Firefox:
http://support.microsoft.com/kb/963707

Calling it a vulnerability is too strong. But certainly call it a pain in the rear.

Posted by: sbradcpa | May 29, 2009 3:01 PM | Report abuse

This should be the reason, everyone should switch to Linux, BSD, or Mac. Microsoft has been doing this for years, and they will continue to do so.

By making the switch and never using Microsoft products. You're telling Microsoft directly to Buzz off and hitting where it hurts the most ( their profits).

If you need some Product only available on Windows you can always install Parallel, VBox, VMWare to emulate Windows and run the program you need.

Microsoft has continually regarded customers as disposable. With that kind of attitude I'm glad nothing I use is stamped with "Microsoft"

Posted by: Choice1 | May 30, 2009 10:33 AM | Report abuse

ummhuh1, many applications use the .Net Framework including applications shipped with the OS itself. You can still remove it entirely if you want to though via Add\Remove programs.

As others have mentioned the original extension could only be disabled (easily) but it has since been updated to allow a complete uninstall with the click of a button. It's not dangerous to either disable or uninstall it. All existing .Net applications will continue to work; it simply means you'll need to use IE if you want to run ClickOnce applications directly from the browser. Sorry for the confusion this has caused.

Posted by: IanET | May 30, 2009 5:27 PM | Report abuse

I suppose that I am saddened but not surprised.

It may be of interest to know that Firefox runs identically under Linux and all this nonsense just goes away.

Likewise, OpenOffice.org runs identically under Linux and you can even switch seamlessly between operating systems while editing the same file.

Articles like this make me glad that I am not a Microsoft customer.

Posted by: AlanUK | May 30, 2009 5:37 PM | Report abuse

@joseph4:

Google Gears may be removed by using the "Add/Remove Software" control panel. Same goes for the Java stuff.

Posted by: whomever9876 | May 30, 2009 6:15 PM | Report abuse

I once used Windows. Now I use Ubuntu-Linux. It's FREE and you don't need anti-virus software. Check it out...

http://www.Ubuntu.com

Posted by: wookie294 | May 30, 2009 6:17 PM | Report abuse

I got to agree with wookie294, it's news like this that make me love my Ubuntu desktop. lolll

Posted by: johnupnorth | May 30, 2009 6:46 PM | Report abuse

Just adding my voice to those who use Linux and don't have to worry about such shenanigans.

I keep a WinXP install in VirtualBox for those few times it is necessary. You'll be expected to do the same in Win7, so why not go ahead and give Linux a good look now, before digging the hole of Microsoft dependency deeper?

Posted by: ushimitsudoki | May 30, 2009 8:23 PM | Report abuse

I have 5 Microsoft .NET listings in my add/remove program menu. Can I remove them all? XP Home is the OS. Yes, I just noticed the new Microsoft add on as well as the Java quick starter in my Firefox add ons. I have my Microsoft updates listed to ask before installing, but I don't think they always ask.

Posted by: dreherd | May 30, 2009 8:52 PM | Report abuse

"A routine security update for a Microsoft Windows component installed on tens of millions of computers has quietly installed an extra add-on for an untold number of users surfing the Web with Mozilla's Firefox Web browser."

A service pack for the framework is in no way a routine security update. It is a cumulative patch that rolls up past bulletins as well as new features and functionality. Also, as noted, Firefox intentionally extends functionality for third party apps to integrate but does not also provide functionality to remove them from Firefox.

In general this story was neither well researched nor accurate.

Posted by: joshbw | May 30, 2009 9:39 PM | Report abuse

Interesting. On my Windows 7 machine, my Firefox 3.0.10 has the 1.0 version of it, which I have disabled.

My 3.5beta (current nightly) has version 1.1, and it had an uninstall button.

I'm not even close to my 2003 desktop to see what's going on there.

Posted by: bytehead1 | May 31, 2009 1:05 AM | Report abuse

it's all well and good all you Linux fans out there, but if there's no audio drivers out of the box for my pc and / or laptop, what's the use?

Linux is wonderful for the nerds, i just want my plug and play....

Posted by: lesliewand | May 31, 2009 6:34 AM | Report abuse

Wow, if ever there was a reason to stop using Firefox (which I have used exclusively since it launched) NOW is the time! Chrome, here I come.

RT
www.online-privacy.vze.com

Posted by: clermontpc | May 31, 2009 8:28 AM | Report abuse

How can someone write an article in the Wash post and have no clue? There's more useful knowledge in the replies. Go write some more stories about Obammy saving the world.

Posted by: chop999 | May 31, 2009 9:04 AM | Report abuse

Please forget Google's Chrome. They will own you, in their "cloud"!

I still use Win 98, and plan to migrate to Knoppix Linux.

You can side-step all Windows interference with the "Very Good" rated Firefox portable version, which operates relatively beyond the reach of Windows! Softpedia has it here:

http://www.softpedia.com/get/PORTABLE-SOFTWARE/Internet/Browsers/Portable-Firefox.shtml

The K-Meleon Browser is great too - maybe better!:

http://www.softpedia.com/get/PORTABLE-SOFTWARE/Internet/Browsers/Windows-Portable-Applications-Pocket-K-Meleon.shtml

Posted by: blues1 | May 31, 2009 10:03 AM | Report abuse

"it's all well and good all you Linux fans out there, but if there's no audio drivers out of the box for my pc and / or laptop, what's the use?"

I installed the latest Ubuntu (9.04) and all hardware functioned correctly out of the box. Canonical has done an outstanding job of stamping out bugs and fine-tuning hardware detection and driver installation. The only setup I had to do was answer "yes" to download and enable nVidia drivers for my video card. Same applied to my laptop. It was considerably easier to install than XP. I have not fired up my windows partition in about 6 months. Wine (a free windows translator) seems to run just about any windows application/game I throw at it. Rock solid and no complaints.

Posted by: daev64 | May 31, 2009 1:16 PM | Report abuse

The latest .NET update contains a version 1.1 of this extension, which can be uninstalled directly from the extensions menu.

Posted by: vladimir24 | May 31, 2009 4:05 PM | Report abuse

chop999 -- What good is your contribution to this conversation? Brian brought the matter to our attention, which allowed others to bring their knowledge to bear. That is the point of the web as a collaborative medium.

Obammy? God, are you that much of a crude racist hick to people's faces? How about to black people's faces?

Posted by: robtpublic | May 31, 2009 4:19 PM | Report abuse

Anyone know WHY in the current non-beta Firefox download 3.0.1x the Google toolbar for Firefox will not work?

And what of Google? It seems that their only combined Firefox-Google Toolbar download is for Firefox 2.

I did download the Firefox 3.5 beta, but scrolling up & down on the screen was not smooth [yet ???]

Posted by: brucerealtor@gmail.com | May 31, 2009 4:20 PM | Report abuse

If you are still that afraid of the registry, you have no business writing about tech issues.

Download a free tool like regmon and see how often that thing is updated. 100's of times a second.

If your readers are too stupid to follow directions on how to edit the registry they should stay off computers.

I have also edited the registry too many times to count without ever having one problem.

Microsoft sucks for installing this extension.

You suck for promoting a myth that the registry is too hot to touch.

Get out of tech writing. You don't know the first thing about it.

Posted by: puunjab | May 31, 2009 4:31 PM | Report abuse

Good thing to know, I will disable that sap.... Oh wait I'm on Linux nvm http://imgur.com/ikiHi.png

Posted by: astrocogz | May 31, 2009 4:59 PM | Report abuse

I wish google Chrome worked good in Jackalope. Get the lead out google, linux chrome is not usable yet.

Posted by: astrocogz | May 31, 2009 5:05 PM | Report abuse

Come now people, this is a fault in the Firefox plugin design, not with Microsoft. And as for moving to the Mac, I really didn't appreciate the special "feature" of 10.5.4 or 10.5.5 that disabled the laptop power options. And programming in .net is very nice, and there is good cross platform compatibility with Mono. And the addon is ridiculously small, and all of the .net stuff is well sandboxed; in the image given, all of the other addons constitute a much greater (though still basically negligible) security risk, much less than completely disabling automatic updates. That's just retarted.

Posted by: rob333 | May 31, 2009 5:07 PM | Report abuse

A service pack is not a "routine security update." This is extremely misleading.

Further, supporting ClickOnce deployment across all the major browsers (including Chrome!) is something I would have expected users of those browsers to applaud. Wasn't it just a few years ago that articles like this were complaining that Microsoft only ever supported IE with their technologies?

Damned if you do, damned if you don't, I guess.

Posted by: bhpaddock | June 1, 2009 1:31 AM | Report abuse

Well the way I see it is this: it's that easy to install anything into Firefox add ons, that's the real risk. It's not that easy to install and run apps from a web site if you have your settings right. And what are you doing on bad web sites? You would think these days you would have learned to stay away just as you have learned not to install crap on your computer?

Posted by: markjclark1 | June 1, 2009 5:52 AM | Report abuse

Use your freedom - think Linux.

Posted by: dolanster | June 1, 2009 10:29 AM | Report abuse

And this is just one of the many reasons that my last computer purchase was Apple. As an IT pro I am forced to use MS products in the office for a few clients but for anything that I want 'secure' I use either Linux or Mac but NEVER a MS product.

Posted by: springman1 | June 1, 2009 11:26 AM | Report abuse

Really? I have never read the washington post before but I thought this was a real paper??? It seems that everyone here but maybe three individuals have no idea what the .net framework is? I think someone called it bloat ware.

For those of you who care the framework is shipped with newer versions of windows. It's a way for developers to create applications on your PC. It is not an application itself.

Many applications use the .net framework to interact with the operating system. The closest comparable thing to .net is java.

I know there are people who freak out at updates but .net isn't some scary application.

Posted by: RealisticComments | June 1, 2009 11:27 AM | Report abuse

This is EXACTLY why I went to Linux. Microsoft can no longer screw with me, my computer, or anything else that I do while online.
Every few years they pull something like this, and then they get smacked down, and it goes ok for a couple years, then BOOM, like the plague, they try again...
When will people get smart and STOP supporting Microsoft?
It is like paying someone to beat you up...

Posted by: efialtis | June 1, 2009 11:44 AM | Report abuse

Umm, re-read the end user license agreement you signed when you licensed your copy of Windows. Microsoft has the absolute right to do whatever they deem necessary to THEIR operating system. Just because it happens to be running on your computer gives you no rights over Microsoft's intellectual property. So please stop disingenuously complaining about Microsoft security updates, when you explicitly agreed to receive them when you licensed the software!

Posted by: poopie1 | June 1, 2009 12:00 PM | Report abuse

@bhpaddock:
You have a point, but the issue here is not that MS *is* installing for other browsers, but the method used.

It's doing it WITHOUT user knowledge and WITHOUT an ability to remove it. (now apparently fixed with an update)

But this is why people don't trust computers in general and MS in particular.

Posted by: rpixley220 | June 1, 2009 12:17 PM | Report abuse

Yet ANOTHER reason I'm glad I switched to Linux. My computer is MINE, not Microsoft's (as pointed out by poopie1) to use as I see fit. I worry a LOT less about things like unrequested software (aka "malware") whether it's from Microsoft or not.

Posted by: NoCaDrummer | June 1, 2009 12:18 PM | Report abuse

Just another reason why I went to Linux and have not looked back..... and I don't use that animal browser either. I use Konqueror and if your site doesn't work there guess what I move on.

This is exactly the reasons why the system(s) I support that are win based are updates disabled, various blocks on even getting to the update sites to install updates.

As for .net.... outlawed. Don't even bother to preach about it and Mono/Moonlight I don't want to hear about that crud. Not installing it on win or Linux. Same goes for Flex/Flash/AIR > /dev/null I am so sick and tired of these "WEB OS's"

Oh and when your PCs get shut down every 2 hours because you didn't pay your M$ fees don't come crying to the Linux community, we've been telling you to get, and get out now!

LINUX !!

Don't fear the penguins!

Posted by: rec9140 | June 1, 2009 12:32 PM | Report abuse

Good article, Brian. Thanks for bringing this to our attention.

Now, what about all those "Microsoft DRM" plugins I just discovered in Firefox, right between my Java and Mozilla Default Plug-ins? I never asked for those, either -- but at least I can disable them without hacking the reg!

Posted by: Alphaman-ic | June 1, 2009 12:35 PM | Report abuse

That Microsoft disabled the "uninstall" button isn't true.

The story is that Addons can be installed via registration and there is no other way to automatically install such addons.

Firefox can not uninstall such Addons because it doesn't know how to do that and that is the reason that the uninstall button is disabled in such cases.


Posted by: poopie1 | June 1, 2009 4:37 PM | Report abuse

Seems that computers are so open to attack because microsoft and other companies want the machines to be open. They want to manipulate our computers to their own marketing ends. Take the targeted ads that show up on many pages I browse telling me I can find just what, or who, I am looking for in Olive, NY (where I live). There are around 3,000 people in Olive. Few to none of the things advertisers say I can find here exist in Olive. That a company can look in my computer, find out where I live and other info, then use that information to clumsily target an ad to me, is one of the big reasons our machines are so vulnerable. Write the operating system software so that nothing, and I mean NOTHING, can be pushed in from the Internet that changes our machines and most of the dangers that take up so much of our time would disappear. Not all dangers would end, but a lot would.

Posted by: kdoren | June 2, 2009 7:38 AM | Report abuse

An alert reader just brought this to my attention: A thread on a bug report filed with Mozilla that has some interesting back and forth about whether Mozilla should allow third party programs to install add-ons.

The last poster on the list appears to confirm what others have said here in the comments, which is that for whatever reason Microsoft does not do this with Windows 7.

https://bugzilla.mozilla.org/show_bug.cgi?id=446139

Posted by: BTKrebs | June 2, 2009 8:10 AM | Report abuse

OMG - you Linux guys continue to sound like drug dealers or bad coffee commercials!

"that's why I switched.." ad infinitum or "my L is so much smoother than your W"...
Please give that a rest - the true savvy use any or all of the above
Sorry to be sort of off topic...

Posted by: eddie7630 | June 2, 2009 11:38 AM | Report abuse

What do you expect? You must remember that Windows users are merely an inconvenience for M$,
their major clients are Hollywood, recording industry, software and anti-virus vendors.
If you have any doubt, just look at how well they are accommodated within windows.
Read the license, you have purchased the right to use windows, you did not purchase windows.
Windows is not for sale. Your rights as a user can be revoked any time Redmond deems you an
unworthy user through “deactivation” they don't even have to send Moose and Vito to give you
kidney punches, they are resident on your platform.

Now here's an amusing scenario, just suppose an imaginative group of hackers gets their hands on a corporate edition key generator or the registered user data base, has bot or ghost net availability, and begins to spew forth deactivation codes.

For extra credit... how long will it be before trans continental phone service crashes from support call volume? Financial burdens from such an occurrence? International security?

We haven't yet learned the wisdom of an old proverb, "Too many eggs in one basket." Especially This basket, so full of holes and haphazardly constructed.

Support open source migration, Your business,
family and nation's health and prosperity are
dependent upon sound security practices.

Posted by: rufus7 | June 2, 2009 2:08 PM | Report abuse

poopie1, sweetie,
this is exactly why I and many others think that anything out of M$ is a piece of junk. They just do not care about their customers, period.
And that corresponds very well to the opinion bhpaddock gave: you don't understand that it is a matter of the choice the customer makes. You can give the best functionality out there, but if the customer does not want it, he should be able to ignore it. It's customer's choice, not M$! That is one thing the MS folks would never get.

Posted by: sudorm-fr | June 3, 2009 10:47 AM | Report abuse

This is INFURIATING!!! I HATE MS and am moving away from windows AND MAC PCs for our entire office. Any suggestions for objecting to this with MS, litigation, whatever that may be pending? Any response from Mozilla yet?

Posted by: gailnow | June 3, 2009 1:59 PM | Report abuse

Say this is horn-tooting but I don't care. I still will NEVER get why people don't 'track' what they're installing. Never got this, never will. Thanks to Bk for catching this but how many millions of users just click and drool? Programs such as Neil Rubenking's InCtrl, Radsoft's E3, Rixstep's Tracker - or just the command line. Unix 'find' for example. Something/anything. But seriously: you take a download that's going to manipulate things on your hard drives in a way you can't control and you act surprised something bad happened? Know that adage about not attributing to malice? Sound familiar in this context? Because it should.

Posted by: Rixstep | June 3, 2009 3:27 PM | Report abuse

On my lonely Win XP, which I dual boot with PCLinuxOS and rarely use, I never use Express Install for updates. Besides I only use the Opera browser in Windows.
This article confirms what I have been thinking about the underhanded business practises of M$.
Here are a few alternatives to Windows: Zenwalk and Vector Linux (based on Slackware), Mandriva and PCLinuxOS, Linux Mint (based on Ubuntu). I make my old laptop fly with Puppy Linux which runs totally in RAM, and Puppy has out-of-the-box support for virtually any wireless configuration on the market. So do the others, but it is unusual for a lightweight distro.

Posted by: fschmeisser | June 4, 2009 3:28 PM | Report abuse

The comments to this entry are closed.

 
 

© 2010 The Washington Post Company