Microsoft Update Quietly Installs Firefox Extension

http://voices.washingtonpost.com/securityfix/2009/05/microsoft_update_quietly_insta.html?wprss=securityfix

Arrrg they got me.

Thank you!

Forewarned is forearmed. Or four-armed.

Anyway, the next time I hit the updates, I hope I remember to dodge the network update.

They've already changed it so you can uninstall it if you get the update.

.NET 4 Beta installs an extension too. What's worse is if you preemtively try to block such installations as I did, the entire installer fails without error and you have to sift through the logs to figure out it was the dumb Firefox extension :argh:.

Basically, check your HKLM\Software\Mozilla\<Something Firefox>\Extensions key(s). There will be a bunch of values for different GLOBAL extensions (these can't be uninstalled by users as they are not per-user extensions). Delete a value to uninstall the extension. What I tried to do was deny all write permissions system-wide to the key but like I said that breaks MS installers.

I used this to uninstall it:

1. Open Registry Editor
2. Expand the branches to the following key:
* On 32-bit systems: HKEY_LOCAL_MACHINE \ SOFTWARE \ Mozilla \ Firefox \ Extensions
* On x64 systems: HKEY_LOCAL_MACHINE \ SOFTWARE \ Wow6432Node \ Mozilla \ Firefox \ Extensions
3. Delete the value named {20a82645-c095-46ed-80e3-08825760534b} from the right pane.
4. Close the Registry Editor when you're done.
5. Open a new Firefox window, and in the address bar, type about:config and press Enter.
6. Find the general.useragent.extra.microsoftdotnet setting.
7. Right-click general.useragent.extra.microsoftdotnet and select Reset.
8. Restart Firefox.
9. Open Windows Explorer, and navigate to %SYSTEMDRIVE%\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation.
10. Delete the DotNetAssistantExtension folder entirely.

.

why can't you just disable it in the addons menu (which is not grayed out)

Microsoft is actually 2 companies:
"Evil" and "Windows Dev Team"

You guys are all idiots. Why would you want to remove it? It just adds ClickOnce support to Firefox. I mean, I understand about it quietly adding the extension, but if they had given you a popup informing you of it, no one would complain.

So, complain about the method of delivery, not the extension itself, because it's harmless.

Pfft, M$ is the debil and you're clearly working for them.

I was thinking the exact same thing, it's a harmless addon, granted they should have informed you it was being installed, but it's not malicious. What's the big problem?

That pretty much covers anybody who is anti-Microsoft anywhere. The reason you can find basically all open source applications for Windows is because it's the easiest platform to port to by whole orders of magnitude. In a lot of cases you can just compile an existing application and get it working, with a few gotchas that might require a tool from msys or cygwin. Developing for more than one Linux distribution is an exercise in futility, and maintaining that application once it's released is almost impossible without relying on the continuing support from actual (not perl, php or bash) programmers who for whatever insane reason use Linux: a group of people who are fickle, unreliable and historically much too stupid to cooperate.

I've been saying it for years. It's really nice reading posts from former Linux advocates like the lead developer of Chrome (formerly from Mozilla) talking about how god awful it is to develop any software for Linux, or Adobe representatives complaining about how much money they're wasting trying to keep Flash Player working with the literally thousands of possible sound subsystem combinations you can have in Linux.

The Open Source world is the ultimate expression of NIH syndrome. They all have an infantile attitude that things have to be done their way or they'll fork. That's why there are a hundred different distributions, a dozen different packaging systems, three different ways of driving an AGP card at kernel level, three different kernel level sound subsystems and a dozen user-land mixers, two major and utterly incompatible GUI frameworks, two major and a dozen minor window managers.

Linux fans like to call this choice. But... whose choice? If you're developing software for Linux you have to support all of this ****, so the developer sure as **** isn't getting any choice. Is it the user's choice? Is there any value at all in the user being able to choose between several conflicting subsystems that all do exactly the same job in subtly incongruous ways?

OSX is simultaneously slightly better and abysmally worse.


So... what Emon said.

O.o

Typical M$ h8r :

damnit JM why must you bring other peoples stupidity here

From Slashdot, I imagine?

I bet his day job is computer janitor. Maybe Java developer, but that's pushing it. Computer janitors seem to enjoy pressing 'next' buttons.

How dare they put Internet Explorer 4 in my Windows 98!?

Uh, their Windows 98!

Can you give me the gist as to why in words that I'll understand? Just curious.

The best case situation with Linux is if you have two Ubuntu users: one running ubuntu-desktop, and the other kubuntu-desktop. You're still looking at a lot of work to make your user experience seamless (which is something most Linux application developers don't bother doing), but it's survivable in other areas like package management. The worst-case for Linux is if you have a bunch of users running Gentoo or some from-scratch system with weak package management, where the user hand-picked every module. Developing and testing an application against an environment that is (because there are simply no better terms for it) a dependency cluster**** is literally impossible. If Windows is a dangerous monoculture, Linux is a Pre-Cambrian pool of goo.

If you develop an application for OSX 10.5, you're guaranteed that it will run on any machine that can run OSX 10.5. With Windows 7 you have the same guarantee (previous versions have the guarantee as well, apart from Direct3D). Linux does not provide any guarantees of any form, including the guarantee of being fit for a particular purpose.

OSX is worse because it turns certain programmers and applications into second-class citizens. Carbon (C/C++ API) is deprecated as of 10.5. Future development of the Carbon happens entirely at the whim of Adobe; every other developer is expected to use the Objective-C programming language and Cocoa in order to access new operating system features, like 64-bit support.
A similar situation would be if, for example, Microsoft forced every developer to use C# for Windows applications. Or if Oracle/Sun entered into some lucrative agreements and suddenly Red Hat and Novell forced you to write all of your Linux programs in Java. For highly technical reasons I won't get into there is absolutely no justification for not providing C++ bindings for their new OS features. It is a purely deliberate, imperialistic attempt to make OSX applications utterly unportable to Windows.

Ta for that. So in a nutshell it's the move from the not even particularly redundant Carbon to the incompatible with Windows Cocoa that's the big pain in the arse?

Cheers Jon

Sorta.

Carbon has never been compatible with Windows for the general public. Apple has an in-house Carbon/Win32 compatibility layer they used to port Safari, Quicktime and iTunes to Windows but it's never been made available. iTunes in OSX is still written in Carbon, but it uses features only available in Cocoa (NSOperationQueue) which means they have more new features working in C++ than they want to admit.

You always had to do a lot of work to get a smooth user experience between OSX and Windows, but now it's much worse because you can't just abstract the problem away. You used to be able to write a generic internal GUI abstraction but now for a typical application you'd need to rewrite a full third of it in a very... er... ugly programming language. Carbon still works, but it's feature frozen at 10.4 Tiger so you won't be competitive against native Cocoa applications.

If Apple ever gets sent to antitrust court they're going to get their asses handed to them. They're damn lucky Psystar's claims were dismissed.

Youch.

On topic, I'm slowly coming to the realisation that I like Microsoft. I think that's because I use XP at work where the best features of Windows are useful - technical software, and a decent file explorer, and OSX at home.

That, and with my 360 the claims are (RRoD excluded, and I have had one) true: "it just works". That's a claim I find by and large to be true for my Mac, but not so for my PC.

They've pulled out a great show at E3. I'm impressed

Chrome remains safe

Use Visual Studio, and you will like Microsoft even more.

Also, the XNA game studio software is probably the most idiot-proof and simple to use toolset ever. One click deployment to your 360, and there is in your game list ready to play.

.NET is bloatware? LOL, wow. That's the best one I've heard in a while.

Wow lots of interesting conversation. Honestly I have made no attempt to disable or uninstall it, I just find it shocking the Microsoft would choose to install a FF addon without disclosing it to the user at all.

Because I won't use it? I don't think Microsoft is evil, nor do I really care that it was installed. I just don't need it.

Hmm I forgot about that. Thanks.

Doesn't this just open firefox to all the malicious drive-by software installations that plague IE users?

I didn't disable or uninstall.. but I did click the "prompt before yadda yadda" under options.

Also, I noticed this a couple months ago, right after I installed Vista and then Firefox, but I had no idea what it was, and didn't think anything of it.

Yeah, I also got that impression.

But apparently we're all idiots.

No, because ClickOnce applications have security barriers. ClickOnce applications install to you appdata folder. And you are running as a non-admin, right, RIGHT?

People run non-admin? I just find that annoying.

It's worth it

Besides, Run as is your friend

No, most IE vulnerabilities are thanks to ActiveX, ClickOnce is a .NET thing that lets you run desktop apps off the internet with minimal privileges. I think.

I don't use windows except when I have to and definitely not on my personal computer. However, I believe the vast majority of windows users run as the (default) admin user on the box (w/out even any login prompt).

So, what makes .NET applications inherently more secure than ActiveX ones? I really don't think application installation should be tied to or allowed directly from your web browser. You should be able to browse the web and when prompted for some crap or other, feel relatively safe that just clicking "ok" in a dialog box won't destroy your entire computer.

[Simplified].Net applications run inside the CLR, like Java apps inside a JVM, so it insulates the code from your physical system. ActiveX components are native code and have the full run of your system.[/Simplified]

Also, if you want out:
http://www.hanselman.com/blog/HowToRemoveTheNETClickOnceFirefoxExtension.aspx

Also there are more restrictions placed on applications depending on their manifest, how they were installed and how your CLR is configured. By default anything you install through ClickOnce runs in a sandbox.

Yeah I thought it was like similar to Java where apps state up front what permissions they need, and permissions they want (but don't need) and the program can "request" these permissions and be accepted/denied and can react accordingly. But I wasn't sure since I don't do Java.