.NET Extension Silently Added to Firefox via Service Pack

Terry Olaes

I Used to be the [H] News Guy
Joined
Nov 27, 2006
Messages
4,646
Washington Post blogger Brian Krebs recently uncovered a “feature” that comes with the .NET service pack from Microsoft. Installing that service pack silently installs an add-on in Firefox called “Microsoft .NET Framework Assistant 1.0” and then conveniently disables the “Uninstall” button. You can get more details on it after the jump.

Annoyances.org, which lists various aspects of Windows that are, well, annoying, says "this update adds to Firefox one of the most dangerous vulnerabilities present in all versions of Internet Explorer: the ability for Web sites to easily and quietly install software on your PC."
 
Reading the comments section was more informative than the article...
 
LoL, This ("article" in the WP) clearly brings the anti-MS hysteria into sharp focus.

fire that writer. Surprised that [H] would link to this junk article though. :(
 
I am shocked.

Shocked and appalled.

... at something... don't really know what.
 
fire that writer. Surprised that [H] would link to this junk article though. :(
Why is it "junk"? Are we supposed to be completely okay with Microsoft reaching into our third-party applications, installing extensions to those applications we don't want, then denying us the ability to uninstall those extensions? That's acceptable practice for an OS vendor, is it?

Nah, I don't think so, bub.
 
Why is it "junk"? Are we supposed to be completely okay with Microsoft reaching into our third-party applications, installing extensions to those applications we don't want, then denying us the ability to uninstall those extensions? That's acceptable practice for an OS vendor, is it?

Nah, I don't think so, bub.

RTFA
1) MS aint the only ones
2) the extension wasn't installed via FF, thus FF cannot remove it
3) it can be disabled

Still not right! even a "would you like the FF extension" tickbox during install from MS,Sun and Adobe would be better
 
Version 1.1 of the extension can be uninstalled. Just did it.

I was going to mention I had the option to uninstall 1.1 (not greyed out) on my system as well. But then, I'm running Win7 and didn't install a Service Pack. I see all sorts of hysteria about removing it, but I don't see anything on what it's purpose is, or why it can be helpful. I would assume that it provides some level of compatibility between Firefox and various MS apps? I know with Sharepoint, I still have to switch to IE (or IEtab) for full functionality.
 
This might be a silly question...

Isn't FF open source and governed by the the GPL?
Therefore anybody/group can modify the software as long as they comply with its terms?
 
This is old news - this happened like 2-3 months ago. But yes, it's pretty annoying, if you operate with the belief that MS doesn't have a right to touch other vendor's software on your computer.

This probably means that they will add the MSN/Bing search engine to FF at some point, if not a toolbar.
 
I have to say that it's a bad move on Microsoft's part. Whether or not the software actually has a negative effect on security or usability, Microsoft should not be greying out the Uninstall button, and they absolutely need to tell the user, before installing, that they will also agree to install this extension.
 
I should have underlined the part about complying with it's terms
ie, .net as implemented on FF would now be open source
hehe
 
Microsoft should not be greying out the Uninstall button, and they absolutely need to tell the user, before installing, that they will also agree to install this extension.
As mentioned in earlier posts, read the article comments. The extension is enabled by registry keys, like many others, and FF can't uninstall any of that type. MS should have had an opt-in check box for including the extension though.
 
Why is it "junk"? Are we supposed to be completely okay with Microsoft reaching into our third-party applications, installing extensions to those applications we don't want, then denying us the ability to uninstall those extensions? That's acceptable practice for an OS vendor, is it?

Nah, I don't think so, bub.

Yeah, let me know when they do that.
See, because Firefox is this much vaunted Open Sores (not a typo,) there's supposed to be these magical gatekeepers who could have told Microsoft "no, you can't add that." Especially when it wasn't Microsoft who did it - it was Firefox.

So of course, the zealots would rather stick their further up where it's at, and ignore those inconvenient facts.
 
Let's get to the point here.. what is so bad about the .NET extension anyways?

I don't run Firefox so clue me in here.
 
This is old news and the author is a fool for writing up such bullshit about it without researching.

.NET 3.5 SP1 first installed this. All it does is add support for ClickOnce functionality.

http://en.wikipedia.org/wiki/ClickOnce

This support was originally only by a third party here: https://addons.mozilla.org/en-US/firefox/addon/1608

MS is just now officially supporting it. OMG the world is coming to an end! MS is supporting one of their products for a competitor!!!!

Keep tightening those tin-foil hates people.
 
When you install Java, it automatically installs the Java plugin for Firefox. How is this different?
 
Let's get to the point here.. what is so bad about the .NET extension anyways?

I don't run Firefox so clue me in here.

I think the implication is meant to be that .net is a microsoft product, and therefore a massive security disaster area that can be used by hackers to re-write your will and mug your aunt, so having a .net extension into the bullet-proof ultra secure Firefox is tantamount to doing a barrel roll with a loaded shotgun in your mouth.
 
MS aint the only ones
So? What difference does that make?

the extension wasn't installed via FF, thus FF cannot remove it
The fact remains. Microsoft could have worked with Mozilla to come up with a solution that doesn't require hacking the registry.

it can be disabled
Again...so? It shouldn't be silently installed in the first place. I can disable malware too, sure, but that doesn't necessarily mean I have any appreciation at all for malware.

Therefore anybody/group can modify the software as long as they comply with its terms?
This isn't taking the source, modifying it and re-releasing it. This is installing extensions to an existing, non-Microsoft application without notifying you.

O noes, tighten your tin-foil hats everyone!...please
A question for you: if Apple did something similar, what would your opinion be of that?

I have absolutely no idea what you just said :)

MS is just now officially supporting it.
"Supporting" something and silently injecting your own software in third-party applications are two entirely different things, are they not?

Keep tightening those tin-foil hates people.
Keep regurgitating the same tired cliches uttered elsewhere in this thread.
 
I think the implication is meant to be that .net is a microsoft product, and therefore a massive security disaster area that can be used by hackers to re-write your will and mug your aunt, so having a .net extension into the bullet-proof ultra secure Firefox is tantamount to doing a barrel roll with a loaded shotgun in your mouth.

I can't sense your sarcasm in this post but I laughed pretty hard core
 
When you install Java, it automatically installs the Java plugin for Firefox. How is this different?

If you're installing the Java browser plugin then I think it's expected that it will install a plugin for the browser.

If you're installing just the runtime environment, then I would hope that it prompts you before installing a browser plugin. I don't recall offhand if it does or not.

In any case, comparisons to other vendor's practises isn't particularly relevant. Silently installing a plugin which allows remote code execution is not desirable, and justifying it via relative morality does little to comfort me.
 
A question for you: if Apple did something similar, what would your opinion be of that?

I wouldn't care, and why should I? How does this negatively affect me? It doesn't... you all just want something to bitch about.
 
I wouldn't care, and why should I? How does this negatively affect me? It doesn't... you all just want something to bitch about.

I've had that .NET extension in Firefox for awhile now. I didn't put it there, but I also don't care how it got there. Obviously someone who is in charge of things like that obviously thought It would be a benefit to me. Either way, its not NEGATIVELY affecting anything by being there, so why should I/anyone care?

Show me the proof that this little extension is negatively affecting people enough to warrant you people getting all hot and bothered over it.
 
I think the implication is meant to be that .net is a microsoft product, and therefore a massive security disaster area that can be used by hackers to re-write your will and mug your aunt, so having a .net extension into the bullet-proof ultra secure Firefox is tantamount to doing a barrel roll with a loaded shotgun in your mouth.

Sums it all up nicely. :D
 
I guess i dont see the problem, they installed a FF addon and people act like its a freaking virus jacking their credit card numbers...
 
It looks like phide is the only angry at Microsoft so far. Maybe Terry too for posting it?
 
Recently uncovered? What was this guy doing? Hiding under a bridge?

I've had this for a while now, and it was just like "Oh, so this is something that has to do with the .NET framework that I willingly installed. Moving along..."
 
No proof yet, that I know of, that this is actually bad, but I don't see proof that it is actually good either. If I leave my door unlocked so the neighbor can feed my cat, is that bad? What if I just leave the key under the mat? What if the company that made my door did it for me for my convenience? What if I don't have a cat? What if I live in a bad neighborhood, and my son has been hanging with a bad crowd? Do I really want that door unlocked. And what? I can't lock it back myself?!!

How do we know we aren't going to start seeing popups claiming your system is infected and stealing you identity info, your high schools grades, and your first born unless you clickonce on this application to install some uber security software?

I don't see its' need, only potential problems. I don't want it. If there becomes a need, I will install it then. If you are running Windows, then you already have IE anyway. If you can't "clickonce" in FF, and really need it, use IE. Companies require that all the time.

I killed that annoying language toolbar crap on my taskbar that IE7 installed as well. I don't need it, it clutters my taskbar, get rid of it! It is not like it changes the system language anyway, if you can't read the current system language, it doesn't help.
 
No proof yet, that I know of, that this is actually bad, but I don't see proof that it is actually good either. If I leave my door unlocked so the neighbor can feed my cat, is that bad? What if I just leave the key under the mat? What if the company that made my door did it for me for my convenience? What if I don't have a cat? What if I live in a bad neighborhood, and my son has been hanging with a bad crowd? Do I really want that door unlocked. And what? I can't lock it back myself?!!

How do we know we aren't going to start seeing popups claiming your system is infected and stealing you identity info, your high schools grades, and your first born unless you clickonce on this application to install some uber security software?

I don't see its' need, only potential problems. I don't want it. If there becomes a need, I will install it then. If you are running Windows, then you already have IE anyway. If you can't "clickonce" in FF, and really need it, use IE. Companies require that all the time.

I killed that annoying language toolbar crap on my taskbar that IE7 installed as well. I don't need it, it clutters my taskbar, get rid of it! It is not like it changes the system language anyway, if you can't read the current system language, it doesn't help.

Then just uninstall it... It really is just that simple.
 
As I understand it, this helps for deployment of software and updates. That implies business. How does this help home users? I install FF for many people for added security. This looks like a way for MS to make FF just as vulnerable as IE.
 
Show me the proof that this little extension is negatively affecting people enough to warrant you people getting all hot and bothered over it.
Why does it necessarily have to "negatively affect" anyone for me to be against it? If I wanted to be picky about it, I could say it takes up real estate in the add-ons screen and consumes some minor amount of memory despite the fact that it serves me no real purpose whatsoever (and cannot be easily uninstalled). I think those are perfectly reasonable gripes. That's not even mentioning potential security risks.

When it comes to computing, my stance is that if it isn't necessary, odds are I don't want it. When I don't have a choice, that's a very serious issue as far as I'm concerned.
 
Can't "simply" uninstall it. I am the adminstrator, yet uninstall is greyed out. I can disable though. I can do the regedit procedure sure, but my point is that most people cannot. I suppose I could add/remove .NET 3.5 SP1 though and see if that works. Again, something most people won't bother to do. If so, then the argument becomes: why is .NET 3.5 a critical update? It should be optional. I just installed it to test that out, it was listed as critical. Likely, since I had .NET 2.0 for my ATI CCC.

A false sense of security is worse than no security. If people think FF is safe, now MS installs a backdoor as a "Critical Update," then they are potentially putting themselves at risk by thinking they are safer than using IE.
 
Back
Top