Weekly Edition
Return to the Press page
| |||||||||||||
Microsoft installs Firefox extension without asking (The H)
The H has a report about a Firefox extension that was installed as part of a Windows Update without user approval. It is interesting that Microsoft is now writing Firefox extensions, but they may want to look at their policy of automatic installation without any (easy) way to uninstall it. "The 'Microsoft .NET Framework Assistant' add-on uses ClickOnce technology to allow users to install Windows applications by clicking a link in a web page. A number of people have raised concerns over the security of the technology, objected to the fact that the Service Pack installs the extension without asking and complained that once installed, the Uninstall button in the Firefox Add-on panel is greyed-out and the extension cannot easily be uninstalled (although it can be disabled)."
(Log in to post comments)
Microsoft installs Firefox extension without asking (The H) Posted Jun 1, 2009 17:58 UTC (Mon) by flewellyn (subscriber, #5047) [Link]
Woah! Dirty pool.
And doubly dirty that they'd do this to an application that wasn't written by them.
Microsoft installs Firefox extension without asking (The H) Posted Jun 1, 2009 18:08 UTC (Mon) by tzafrir (subscriber, #11501) [Link]
Installing "without any easy way to uninstall" - install in the system folder.
The workaround of installing in an uninstallable way: install in individual users directories.
As I'm not a windows user: I wonder if this is something you'd expect to be done in a service pack for a software installed through Windows Updates?
Microsoft installs Firefox extension without asking (The H) Posted Jun 1, 2009 18:46 UTC (Mon) by coriordan (guest, #7544) [Link] It's a good question. Does MS Windows modify Norton anti-virus or Adobe Photoshop? And would you know if it did?
Microsoft installs Firefox extension without asking (The H) Posted Jun 2, 2009 6:02 UTC (Tue) by petegn (guest, #847) [Link]
Well if you are using Norton Anti Virus then one thing is for certain you are crammed full of all sorts of virus and other Mal-Ware that Norton very conveineantly (SP) completely ignores i know i got clobber once on a work machine (not any longer thou no MS junk left)
Microsoft installs Firefox extension without asking (The H) Posted Jun 1, 2009 18:30 UTC (Mon) by pr1268 (subscriber, #24648) [Link] Is Microsoft planning such an extension patch for Opera and Safari? (Both of which have a noticeable user share on Windows systems, albeit less than that of Firefox.) Oh, wait, Opera and Safari are closed-source. I suppose Microsoft finds it substantially easier to hack Firefox like this than the other proprietary browsers. Still, I think it's sour grapes for the whiners in Redmond.
Microsoft installs Firefox extension without asking (The H) Posted Jun 2, 2009 3:38 UTC (Tue) by Kit (guest, #55925) [Link]
>Oh, wait, Opera and Safari are closed-source. I suppose Microsoft
>finds it substantially easier to hack Firefox like this than the >other proprietary browsers.
I really don't see how being open source has anything to do with this. They wrote an extension/plugin for Firefox, not modified the application itself.
Microsoft installs Firefox extension without asking (The H) Posted Jun 2, 2009 4:26 UTC (Tue) by pr1268 (subscriber, #24648) [Link] Yes, but the idea that Firefox lends itself to be incredibly easy to write plugins for (allegedly more so than Opera or [especially] Safari) would imply that Microsoft could (1) write the plugin for Firefox and (2) make it near-impossible to remove (since their own OS code is closed-source).
Microsoft installs Firefox extension without asking (The H) Posted Jun 2, 2009 7:14 UTC (Tue) by Kit (guest, #55925) [Link]
Actually, they could have just written it as a NetscapePlugin and it (should) work on all three browsers (and any other browser that follows the NS Plugin api... which is basically anything that's not Internet Explorer).
Also, extension support is nothing intrinsic to Firefox being open source, there's quite a lot of closed source software that supports extensions/plugins, including many very high profile pieces of software (including ones from Microsoft). I just don't see this as being an Open vs Closed battle for why Firefox was targeted (for lack of a better word) and Safari/Opera weren't... I'd imagine it'd be more so because Firefox has easily 10x the market share of the other two combined (especially on Windows), by most surveys I've seen (that trend often follows even to Apple/OS X centric websites).
Honestly, I don't really see this whole thing as being *that* big of an issue, it's trivial to disable the extension (I have had it disabled as long as I can remember it even being there). Although I do understand and agree with the concerns over what the extension does (hell, I see no reason to have it enabled in the first place), having it installed with an update to .Net isn't really that big of a deal to me (and especially understand it if the same support was added to IE as well).
Microsoft installs Firefox extension without asking (The H) Posted Jun 2, 2009 11:37 UTC (Tue) by SEMW (guest, #52697) [Link] > (2) make it near-impossible to remove (since their own OS code is closed-source).I can't help but point out the slight hypocrisy here. Ubuntu user: Hey guys, I found this firefox extension the other day that I don't remember installing called "Ubuntu Firefox Modifications". The uninstall button is greyed out. Isn't this a bit dodgy, and how do I remove it? The Internets: It's obviously installed as a system-wide extension, so you need to run Firefox as root to uninstall it. Don't you know anything? Stop trying to cast Canonical in a bad light. n00b. As opposed to: Windows user: Hey guys, I found this firefox extension the other day that I didn't install called "Microsoft .NET Framework". The uninstall button is greyed out. Isn't this a bit dodgy, and how do I remove it? The Internets: Great Scott! Clearly, this Microsoft abusing their monopoly power and the closed-source nature of the OS to make it near-impossible to remove. Windows user: Hm. Could this be related to that Ubuntu user's question? Should I try running Firefox as administrator? The Internets: Absolutely not! Do not approach the computer under any circumstances. Contact your local European Commision anti-competition representative as soon as possible! OK, slightly exaggerated, but you see the point.
Microsoft installs Firefox extension without asking (The H) Posted Jun 2, 2009 12:37 UTC (Tue) by MathFox (guest, #6104) [Link] The BIG difference is that I installed Firefox on Ubuntu with the "Ubuntu pack", the Windows user installed Firefox without dotnet extension.Microsoft adds new functionality (a potential security hole for Firefox) as part of a service pack, without properly informing the consumer what will happen. I think it is fair to complain. Microsoft makes it hard to uninstall the potential security hole, another fair complaint. I would complain too, in the unlikely event that an Ubuntu update forces unwanted software (Mono) back onto my system.
Microsoft installs Firefox extension without asking (The H) Posted Jun 2, 2009 16:32 UTC (Tue) by Kit (guest, #55925) [Link]
Microsoft installed the .Net extension *as part of .Net*... If you're getting upset about that, I have to wonder how you feel about Java installing browser plugins? The only significant difference between the two I can see is that one is a new addition (which is trivial to disable!).
Microsoft installs Firefox extension without asking (The H) Posted Jun 3, 2009 10:16 UTC (Wed) by MathFox (guest, #6104) [Link] Microsoft installed the .Net extension *as part of .Net*My information says it was slipped in with a security update. I have to wonder how you feel about Java installing browser plugins.I have no problems when it is offered as a component that can be selected or deselected during installation. However, when I opt not to install that component I expect that it won't get installed as side effect from a security upgrade. I expect a trusted vendor to respect the choices I make for my machine; Microsoft has shown several times not to be worth that trust.
Microsoft installs Firefox extension without asking (The H) Posted Jun 4, 2009 8:02 UTC (Thu) by Cato (subscriber, #7643) [Link]
The point is that the Ubuntu Firefox extension is part of the installation of Firefox, providing a few minor customizations with no security impact, and the user asked to have Firefox installed, so there's really no need to notify the user as a results.
By contrast, the Microsoft .NET Framework ClickOnce Firefox extension is not something you would expect as part of a 'critical update' of the .NET Framework (similar to updating a JVM). It introduces a possible security impact, yet there is no opt-in confirmation from the user, and not even an opt-out.
When Sun produce new Java updates for Windows they try to get you to install toolbars etc, and it's an opt-out, but at least they give you a choice.
This is why so many in the Windows community are annoyed by Microsoft here - it's not just Linux users.
Microsoft installs Firefox extension without asking (The H) Posted Jun 1, 2009 20:11 UTC (Mon) by zeridon (guest, #46234) [Link]
With a slight risk of being the prick around ... why the hell do i think that the news is over 6 months old ... or is it just me. This happend quite a while ago FF was still 2.something.
No don't get me wrong. I think it is wrong to do such stuff but hey ... that's so in the leeway of MS. If i am correct even adobe tried smth like this (but don't quote me on that)
Some stupid and possibly irrelevant links:
Microsoft installs Firefox extension without asking (The H) Posted Jun 1, 2009 21:53 UTC (Mon) by MattPerry (guest, #46341) [Link]
Yes, it's several months old news. Slashdot article from 1 Feb 2009: http://tech.slashdot.org/article.pl?sid=09/02/01/2143218
Uninstall instructions from January: http://robertnyman.com/2009/01/26/microsoft-force-install...
Microsoft installs Firefox extension without asking (The H) Posted Jun 1, 2009 21:57 UTC (Mon) by dlang (✭ supporter ✭, #313) [Link]
it's on slashdot again today.
the article being quoted may be referring to old news, but the article itself just came out today.
Microsoft installs Firefox extension without asking (The H) Posted Jun 2, 2009 3:37 UTC (Tue) by mchehab (subscriber, #41156) [Link]
>it's on slashdot again today.
It is also on Washington Post:
http://voices.washingtonpost.com/securityfix/2009/05/micr...
The rumors about magic keys that opens backdoors to install hidden software is old [1].
The only countermeasure for this risk is to only use open source software on environments where security is needed.
[1] http://www.cnn.com/TECH/computing/9909/03/windows.nsa.02/
|
|||||||||||||