

Microsoft Update Quietly Installs Firefox Extension - smharris65
http://voices.washingtonpost.com/securityfix/2009/05/microsoft_update_quietly_insta.html

======
solutionyogi
Personally, I would have been okie if Microsoft installed an extension in
Firefox to support .NET related applications [ClickOnce for instance.].

But it is completely unacceptable that it disables the Uninstall button! Who
is thinking of these ideas at Microsoft? Also, why does Firefox let an
extension decide whether it is uninstallable or not?

~~~
asmosoinio
Quoting a comment on the article by WladimirPalant:

\---------- Unfortunately, this is only partially Microsoft's fault. Firefox
makes it easy for applications to ship their own browser extensions - they
only need to add a registry entry that points to the extension's directory.
But Firefox cannot uninstall extensions that were installed like this (because
it didn't install them in the first place, because it might require
administrator rights and because doing that would affect other Firefox
profiles as well). So while this feature is great for application developers,
it is rather flawed from user's point of view. \-----------

~~~
solutionyogi
Yes, you are right. Here's the relevant documentation from Mozilla.

"Extensions that are installed this way include the Java Quick Starter
extension for Firefox (see above), the Microsoft .NET Framework Assistant [13]
[14] the RealPlayer Browser Record Plugin extension, [15] and the Lenovo
ThinkVantage Password Manager extension for Firefox [16] [17]. Although you
can disable the extension in the Add-ons manager, the Uninstall option may not
be functional (it will be "greyed out). In such cases, experienced users can
uninstall the extension by removing the associated Registry entry and/or the
contents of the folder containing the extension; otherwise, simply disable
it."

[http://kb.mozillazine.org/Uninstalling_add-
ons#Windows_Regis...](http://kb.mozillazine.org/Uninstalling_add-
ons#Windows_Registry_extension)

Microsoft has an article about how to remove this extension:

<http://support.microsoft.com/kb/963707/>

From the same KB article,

"In Windows 7 and in a forthcoming update for the .NET Framework 3.5 SP1, the
.NET Framework Assistant will be installed on a per-user basis. As a result,
the Uninstall button will be functional in the Firefox Add-ons menu."

I am using Windows 7 right now and I can verify that I do see that Uninstall
button is functional.

<http://imgur.com/gX5c8.png>

BTW, this just goes to show the kind of reputation Microsoft has achieved in
the marketplace. When the uninstall button was disabled, no one thought that
it could be problem in the way Firefox works. Everyone (including me) just
assumed that it was Microsoft who is deliberately doing this. I don't know how
can they possibly fix their image.

~~~
Herring
If you install an update & this annoying extension shows up, you say the
update caused the annoyance. That's how it works. It's their fault for pushing
the bug/feature & they still haven't taken it out.

Regarding your other point, I think 1 high profile FOSS project (eg webkit,
hadoop, V8 ) or would do a lot for microsoft's image among techies.

~~~
tl
Even that option has limited PR value; Microsoft either uses their "shared
source" licenses (and comes under fire for not using a more recognized license
like GPL or BSD) or they use such a license and feed ammo to the "shared
source is trap" crowd.

~~~
Herring
Well either way they'll come under fire from that crowd. (And i'd agree it
sort of is a trap.)

------
emilis_info
This is very old news. Even Slashdot had the story in february:
<http://tech.slashdot.org/article.pl?sid=09/02/01/2143218>

I feel sorry for voting this thing up, before investigating the links in the
article.

~~~
niels_olson
First I heard of it. Glad you voted it up.

------
ScottWhigham
This started happening well over a year ago and has been covered extensively
before.

[http://www.google.com/search?q=firefox+Microsoft+.NET+Framew...](http://www.google.com/search?q=firefox+Microsoft+.NET+Framework+Assistant+1.0)

------
socratees
The people at Microsoft who are responsible for this should be questioned.

~~~
wyday
Right, because nothing inspires risk taking in a corporation like a good old
fashioned witch hunt.

I agree with you in that this is a shitty thing for MS to do (hell, I was one
of the first ones to write a blog post explaining how to undo it -
[http://wyday.com/blog/2008/how-to-uninstall-microsoft-net-
fr...](http://wyday.com/blog/2008/how-to-uninstall-microsoft-net-framework-
assistant-from-firefox/) ).

But, a witch hunt is idiotic.

------
dinkumthinkum
I don't know what's scarier: this "update" from Microsoft or the Washington
Post reporting on technology.

~~~
blasdel
He may still usually misrepresent stories due to ignorance, but at least these
days Brian Krebs is less of an asshat tabloidist.

------
steveklabnik
Man, when this happened, it was the worst. See, at my college, it logs you in
with a fresh copy of everything, every time you log in. And it automatically
applies patches. This patch came out after the latest image was made, so when
you log in, it grabs the patch and installs it. Every time. Then, you start
Fx, and it has to install the patch, and restart itself. Every time.

Takes almost 8 minutes to log in. It's the absolute worst.

~~~
83457
So the installation of the extension occurs on the next run of Firefox and
takes 8 minutes? That does really suck regardless of the whole imaging thing.

~~~
steveklabnik
From typing username/password to being able to type something into Firefox, 8
minutes is a loose guess. It's really, really bad.

Part of the problem is also that the computers in the "social" CS lab are
pretty old by now. Lots of the newer labs are better, but they just won't
replace the computers in this one. So there's a lot of factors.

------
TweedHeads
"Secondly -- to Microsoft -- this is a great example of how not to convince
people to trust your security updates."

------
trezor
Besides this being old news, yes let's all hate on Microsoft for them writing
actual code and adding ClickOnce deployment support to Firefox.

I agree the lack of an uninstall option is silly, but calling this a "rougue
Firefox extension" just makes you look like an asshat.

~~~
huhtenberg
Well, sure. Next time when they silently install, say, an MP3 blocker in your
Firefox, let's also applaud all the troubles they went through coding it.

Just in case if it's not clear - what makes it a _rogue_ extension is the fact
that it was installed _silently_.

~~~
trezor
_Next time when they silently install, say, an MP3 blocker in your Firefox_

Protip: If you want to be taken seriously, omit bullshit like this the next
time you make a comment.

 _Just in case if it's not clear - what makes it a rogue extension is the fact
that it was installed silently._

So basically just like any Adobe product ever. Gotcha.

