[Infowarrior] - Microsoft Quietly Installs Firefox Extension

Richard Forno rforno at infowarrior.org
Mon Jun 1 16:30:58 UTC 2009


Microsoft Update Quietly Installs Firefox Extension

http://voices.washingtonpost.com/securityfix/2009/05/microsoft_update_quietly_insta.html

A routine security update for a Microsoft Windows component installed  
on tens of millions of computers has quietly installed an extra add-on  
for an untold number of users surfing the Web with Mozilla's Firefox  
Web browser.

Earlier this year, Microsoft shipped a bundle of updates known as a  
"service pack" for a programming platform called the Microsoft .NET  
Framework, which Microsoft and plenty of third-party developers use to  
run a variety of interactive programs on Windows.

The service pack for the .NET Framework, like other updates, was  
pushed out to users through the Windows Update Web site. A number of  
readers had never heard of this platform before Windows Update started  
offering the service pack for it, and many of you wanted to know  
whether it was okay to go ahead and install this thing. Having earlier  
checked to see whether the service pack had caused any widespread  
problems or interfered with third-party programs -- and not finding  
any that warranted waving readers away from this update -- I told  
readers not to worry and to go ahead and install it.

I'm here to report a small side effect from installing this service  
pack that I was not aware of until just a few days ago: Apparently,  
the .NET update automatically installs its own Firefox add-on that is  
difficult -- if not dangerous -- to remove, once installed.

Annoyances.org, which lists various aspects of Windows that are, well,  
annoying, says "this update adds to Firefox one of the most dangerous  
vulnerabilities present in all versions of Internet Explorer: the  
ability for Web sites to easily and quietly install software on your  
PC." I'm not sure I'd put things in quite such dire terms, but I'm  
fairly confident that a decent number of Firefox for Windows users are  
rabidly anti-Internet Explorer, and would take umbrage at the very  
notion of Redmond monkeying with the browser in any way.

Big deal, you say? I can just uninstall the add-on via Firefox's handy  
Add-ons interface, right? Not so fast. The trouble is, Microsoft has  
disabled the "uninstall" button on the extension. What's more,  
Microsoft tells us that the only way to get rid of this thing is to  
modify the Windows registry, an exercise that -- if done imprecisely  
-- can cause Windows systems to fail to boot up.

When I first learned of this, three thoughts immediately flashed  
through my mind:

1) How the %#@! did I miss this?

2) The right way would have been to just publish the add-on at  
Mozilla's Add Ons page.

3) This kind of makes you wonder what else MS is installing without  
your knowledge.

Then I found that I wasn't the only one who had these ideas. Microsoft  
has heard these criticisms from others who long ago commented on this  
unfortunate development (see the comments underneath this post).

Anyway, I'm sure it's not the end of the world, but it's probably  
infuriating to many readers nonetheless. Firstly -- to my readers -- I  
apologize for overlooking this... "feature" of the .NET Framework  
security update. Secondly -- to Microsoft -- this is a great example  
of how not to convince people to trust your security updates.

