.NET Extension Silently Added to Firefox via Service Pack

Met-AL said:
It looks like phide is the only angry at Microsoft so far. Maybe Terry too for posting it?
Click to expand...
I wouldn't say I'm angry, though I am a bit surprised and a bit perturbed. At this point, I do kind of expect this kind of thing from Apple, but it's atypical for Microsoft. The bottom line is that nobody has any business installing or updating Firefox add-ons without notifying me. The only company I approve of doing that is Mozilla, as it's their software that I'm consenting to using.

As for Terry, why would I be mad at Terry? Or are you just attempting to start something...?
 
For crying out loud do some of you ever bother to Google anything? You're all making a huge deal out of nothing. ClickOnce is mainly a security feature for .NET apps that are launched from central servers. God forbid MS supports it on a 3rd party browser. If ClickOnce wasn't supported some of you would be crying because they weren't supporting it.

Straight from MS:

Microsoft said:
A key goal of ClickOnce is to provide a trustworthy deployment model for users to be able to download and execute applications from centrally managed servers without requiring administrator privileges on the client machine. They are deployed in a safe manner that prevents ClickOnce deployed applications from interfering with or corrupting any other applications or data on the client. Applications deployed using ClickOnce also need to run in a secure execution context whose permissions are limited based on where the application is coming from or the trust assigned to the originator of that application.
Click to expand...

http://msdn.microsoft.com/en-us/magazine/cc163973.aspx

The wiki entry for ClickOnce is also quite informative.

http://en.wikipedia.org/wiki/ClickOnce

Oh and for those bitching about the Uninstall being disabled here's the update to .NET Framework Assistant 1.0 to enable the Uninstall button.

http://www.microsoft.com/downloads/...FamilyID=cecc62dc-96a7-4657-af91-6383ba034eab
 
Vermillion said:
For crying out loud do some of you ever bother to Google anything? You're all making a huge deal out of nothing. ClickOnce is mainly a security feature for .NET apps that are launched from central servers. God forbid MS supports it on a 3rd party browser.
Click to expand...
The issue isn't the plugin per se.

The issue is the plugin is installed silently and allows remote code execution. This is typically something you want to ask the user about before installing.
 
jimmyb said:
I too enjoy having a big brother to make these difficult decisions for me.
Click to expand...

OhMyGod said:
People are getting to be such sheep. I guess that what happens in a welfare country.
Click to expand...

verteron said:
True that bro'
Click to expand...

Talk about blowing things out of proportion... If its worth my time I'll look into and make the decision myself. This? Are you kidding? Who the hell cares?

Find something of importance to bitch about people, these threads are ridiculous.
 
verteron said:
Can't "simply" uninstall it. I am the adminstrator, yet uninstall is greyed out. I can disable though. I can do the regedit procedure sure, but my point is that most people cannot. I suppose I could add/remove .NET 3.5 SP1 though and see if that works. Again, something most people won't bother to do. If so, then the argument becomes: why is .NET 3.5 a critical update? It should be optional. I just installed it to test that out, it was listed as critical. Likely, since I had .NET 2.0 for my ATI CCC.

A false sense of security is worse than no security. If people think FF is safe, now MS installs a backdoor as a "Critical Update," then they are potentially putting themselves at risk by thinking they are safer than using IE.
Click to expand...

Read the article, the updated version fixes the greyed out uninstall option.

you can "simply" uninstall it.
 
jimmyb said:
The issue isn't the plugin per se.

The issue is the plugin is installed silently and allows remote code execution. This is typically something you want to ask the user about before installing.
Click to expand...

So like many other pieces of software out there as well?

Picasa adds an addon silently to FF.
Java installs an addon to FF as well silently.
Quicktime installs an addon to FF silently.
MS Office 2007 does the same thing.

Yet I don't see anybody bitching about those commonly used ones.

And the comment about remote code execution means you haven't read any of the documentation.

If you were to hit a web page that made a ClickOnce call it would ask you to run the app. ClickOnce apps can be either installed or cached meaning it's not running any remote code without YOUR permission.

And straight from Wiki about how ClickOnce works:

Wikipedia said:
ClickOnce employs CAS (Code Access Security) to ensure that system functions cannot be called by a ClickOnce application from the web, ensuring the security of data and the client system in general.
Click to expand...

And CAS is this: http://en.wikipedia.org/wiki/Code_Access_Security Meaning once again the user or system administrator is responsible for allowing any of that supposed "remote code execution" to actually happen. So if it takes user interaction how is it "remote code execution"?
 
Vermillion said:
Picasa adds an addon silently to FF.
Java installs an addon to FF as well silently.
Quicktime installs an addon to FF silently.
MS Office 2007 does the same thing.
Click to expand...

FWIW, I have all those installed except for QT and none of them installed FF extensions...

On the other hand, Skype does in fact add an extension.
 
Vermillion said:
So like many other pieces of software out there as well? Yet I don't see anybody bitching about those commonly used ones.
Click to expand...
The reason being that we don't see any news posts about it. You assume some sort of anti-Microsoft vitriol when it's really just a case of "it's shitty when vendors silently install Firefox add-ons", and Microsoft just so happens to be the main focus of this particular story. If it were Apple, I'd be here bashing Apple. Google, I'd be bashing Google.

And as for QuickTime, you're made aware that it installs a plug-in during setup.
 
Honestly, I don't use Firefox anymore (IE8+UAC is better than anything else from a security standpoint, period).

I use occasionally in webdev, but again I really don't care about this enough to fuss over it ;)

I'm on the fence about it. Other companies do the same thing, and it does add functionality (What the heck would the checkbox say??? "Add .Net Extension to FireFox"? Nobody would know what that is in the "real" world).
 
MartinX said:
I think the implication is meant to be that .net is a microsoft product, and therefore a massive security disaster area that can be used by hackers to re-write your will and mug your aunt, so having a .net extension into the bullet-proof ultra secure Firefox is tantamount to doing a barrel roll with a loaded shotgun in your mouth.
Click to expand...

Aahahahaha... I lol'd pretty hard. This sums it up perfectly :D
 
Here is the thing that makes me scratch my head. They are complaining about the security problems of having a MS .NET add-on in Firefox and how they can't uninstall it easily. However if they were keeping their computer secured, properly patched and up to date then they would have an updated version of the add-on that activates the uninstall button.

This reminds me of that last worm the went around and people complaining about MS being not secure when if they had properly patched their machines it wouldn't have been a problem.
 
wfalcon said:
I was going to mention I had the option to uninstall 1.1 (not greyed out) on my system as well. But then, I'm running Win7 and didn't install a Service Pack. I see all sorts of hysteria about removing it, but I don't see anything on what it's purpose is, or why it can be helpful. I would assume that it provides some level of compatibility between Firefox and various MS apps? I know with Sharepoint, I still have to switch to IE (or IEtab) for full functionality.
Click to expand...

I haven't tried it yet but I AM having trouble with Firefox and .NET 2.0 right now. That browser behaves with .NET like IE does with the rest of the Web.
 
phide said:
The reason being that we don't see any news posts about it. You assume some sort of anti-Microsoft vitriol when it's really just a case of "it's shitty when vendors silently install Firefox add-ons", and Microsoft just so happens to be the main focus of this particular story. If it were Apple, I'd be here bashing Apple. Google, I'd be bashing Google.

And as for QuickTime, you're made aware that it installs a plug-in during setup.
Click to expand...

You couldn't have said it more clearly. Ohh the power of the Media.

Where's James Bond when you need him?:rolleyes:
 
phide said:
A question for you: if Apple did something similar, what would your opinion be of that?
Click to expand...

The question wasn't aimed at me, but personally I think Apple pulls stuff that's far worse than this and they get very little crap over it... I'm not gonna say it's unfair to MS though, because they're both big corporations in charge of their own marketing and image, but Apple definitely gets away w/more in this specific case. iTunes itself is a pretty spot-on example of this kinda scenario; it installs QT, Bonjour, an updater, at one point I think it auto-installed Safari IIRC (and still pushes it aggressively thru the updater), etc etc... I find all that bloat worse than an extension which does have some merit, even if it's crossing over to another 3rd party app.

All that being said, MS is neither the best nor the worst at this kinda thing... I'm pretty sure the Adobe FF extension is just a download manager type of thing and you can (not very intuitively) opt out of installing it by simply declining when asked to download the installer (yes there's an installer for the auto-downlader that downloads the Flash/Reader installs, lol) and then clicking the manual download link when you're trying to get Reader/Flash.
 
phide said:
Why is it "junk"? Are we supposed to be completely okay with Microsoft reaching into our third-party applications, installing extensions to those applications we don't want, then denying us the ability to uninstall those extensions? That's acceptable practice for an OS vendor, is it?

Nah, I don't think so, bub.
Click to expand...

I just find it hard to get excited about it. Can you disable it? yes you can. Can you uninstall it? Apparently MS has provided a fix so that you can. Is this plugin any different than the plugins for Java? Not really. Would 99% of those who installed the SP clicked yes if asked about installing the plugin? Yes they would have.

I generally dislike it when MS does phantom updates, but this one is much ado about nothing.
 
I'm running Windows 7 x64 7127 and Firefox 3.0.10 and I had recently noticed that .NET thing but never gave a shit about it (why people do is beyond me but whatever). I just checked to see if it's still there after looking for updates to my addons, highlighted it, clicked Uninstall, restarted Firefox and now it's gone.

So exactly what is the big deal?
 
nilepez said:
I generally dislike it when MS does phantom updates, but this one is much ado about nothing.
Click to expand...
I hate to fall back to this "it's the principle of it!"-type argument, but that's pretty much what it boils down to. I assume the add-on itself is almost entirely harmless. It certainly never impacted the way I use my machine or caused any problems that I'm aware of, but that doesn't mean Microsoft reaching into third-party applications is okay.

Like you said, if there had been a screen during the .NET update that prompted the user, most would just click "OK" and be on their way. That's really the 'proper' way to approach something delicate like this given that most users are going to logically want to keep applications well-separated unless they specifically need them to be tied together in some way. The Firefox add-on certainly isn't required for average users, so it should be treated as an optional component upon installation.

And like I said earlier, this is surprising because it's pretty un-Microsoft. This isn't typically the way they do things -- where it's either their way or the highway -- and I think they need a light slap on the wrist (or a slap in the face, really) when they start going the way of Sun or Apple when it comes to silent install practices.
 
I think their reasoning was probably this is something that the common user wouldn't have a care about, they just installed it with the package.

I'm really not picking either side, I see both ways.
For advanced users, I understand your side.

For the majority of users though, I can see why Microsoft did it.
 
Vermillion said:
So like many other pieces of software out there as well?

Picasa adds an addon silently to FF.
Java installs an addon to FF as well silently.
Quicktime installs an addon to FF silently.
MS Office 2007 does the same thing.

Yet I don't see anybody bitching about those commonly used ones.
Click to expand...
In this thread alone I already said Java shouldn't do that (and in any case I seem to recall a prompt notifying the user for the JRE). But just to make it very clear, all those other examples you listed shouldn't do it either. Are you happy?

Since when did someone else also doing the same disagreeable action become a justification for it? Two wrongs doesn't make a right.

A simple check box or prompt of some kind would be trivial to have included.
 
Look at it from MS point of view too... When they present a check-box or prompt to people asking if they want a .Net Firefox plug-in for OneClick functionality the vast majority of average users are gonna go "what??". :p
 
Impulse said:
Look at it from MS point of view too... When they present a check-box or prompt to people asking if they want a .Net Firefox plug-in for OneClick functionality the vast majority of average users are gonna go "what??". :p
Click to expand...

Eh more likely the average user is just mashing the next button without reading a single word.
 
AreEss said:
Yeah, let me know when they do that.
See, because Firefox is this much vaunted Open Sores (not a typo,) there's supposed to be these magical gatekeepers who could have told Microsoft "no, you can't add that." Especially when it wasn't Microsoft who did it - it was Firefox.

So of course, the zealots would rather stick their further up where it's at, and ignore those inconvenient facts.
Click to expand...

You are either high or an idiot I haven't figured out which yet. That update is from Microsoft. Here is a link to an MSDN blog post about why it was built.

http://blogs.msdn.com/brada/archive/2009/02/27/uninstalling-the-clickonce-support-for-firefox.aspx
 
phide said:
Why does it necessarily have to "negatively affect" anyone for me to be against it? If I wanted to be picky about it, I could say it takes up real estate in the add-ons screen and consumes some minor amount of memory despite the fact that it serves me no real purpose whatsoever (and cannot be easily uninstalled). I think those are perfectly reasonable gripes. That's not even mentioning potential security risks.

When it comes to computing, my stance is that if it isn't necessary, odds are I don't want it. When I don't have a choice, that's a very serious issue as far as I'm concerned.
Click to expand...

Microsoft put in millions of other codes into the operating system without your approval too. They don't NEED your approval. They'll do what's needed to maintain a healthy operating system. If they fuck up, they'll try and fix it.

Oh noes they put Solitaire in your system. You didn't want Solitaire because you never play it! And also Windows Mail! I want my Outlook Express back! Who do they think they are to get rid of OE and put in Windows Mail? :rolleyes:

It's worlds apart from Apple sneaking in Safari in a Quicktime/iTune update. If you can't see the difference, then there's little hope for you.

Take your tin foil hat off.
 
Azhar said:
Microsoft put in millions of other codes into the operating system without your approval too.
Click to expand...
Firefox is not an operating system, nor is it Microsoft's software. Firefox is a third-party application that Microsoft doesn't need to be modifying without my express permission.

Azhar said:
They'll do what's needed to maintain a healthy operating system. If they fuck up, they'll try and fix it.
Click to expand...
The .NET add-on does nothing to "maintain a healthy operating system". On my machine, it's done nothing but sit idly, consuming memory and serving absolutely no purpose whatsoever. We aren't even perfectly certain it doesn't have any exploitable vulnerabilities (given that it's Microsoft software, odds are quite good it does).

Azhar said:
Oh noes they put Solitaire in your system :rolleyes:
Click to expand...
They bundle solitaire, a separate application, with Windows. Firefox is a third-party, user-installed application. What business do they have installing extensions to it without so much as notifying me or giving me an option to decline its installation?

Azhar said:
It's worlds apart from Apple sneaking in Safari in a Quicktime/iTune update. If you can't see the difference, then there's little hope for you.
Click to expand...
Stop dissembling. I never said there was no difference. And you need to get your facts straight: Apple never "snuck in" Safari in any iTunes/QuickTime update. Apple mischaracterized what Safari was in the Apple Software Update and selected it for installation by default, and it could easily be deselected prior to updating. It's not as if it was installed without notification and designed to be impossible to uninstall except via the registry like the .NET add-on.

Azhar said:
Take your tin foil hat off.
Click to expand...
This is the third time I've seen this overused cliché in this thread. Is it really that much of a strain to think independently?
 
phide said:
Firefox is not an operating system, nor is it Microsoft's software. Firefox is a third-party application that Microsoft doesn't need to be modifying without my express permission.


The .NET add-on does nothing to "maintain a healthy operating system". On my machine, it's done nothing but sit idly, consuming memory and serving absolutely no purpose whatsoever. We aren't even perfectly certain it doesn't have any exploitable vulnerabilities (given that it's Microsoft software, odds are quite good it does).


They bundle solitaire, a separate application, with Windows. Firefox is a third-party, user-installed application. What business do they have installing extensions to it without so much as notifying me or giving me an option to decline its installation?


Stop dissembling. I never said there was no difference. And you need to get your facts straight: Apple never "snuck in" Safari in any iTunes/QuickTime update. Apple mischaracterized what Safari was in the Apple Software Update and selected it for installation by default, and it could easily be deselected prior to updating. It's not as if it was installed without notification and designed to be impossible to uninstall except via the registry like the .NET add-on.


This is the third time I've seen this overused cliché in this thread. Is it really that much of a strain to think independently?
Click to expand...

Is it that much of a strain to stop thinking of Microsoft as an overblown evil empire? I'd love to see you back up your claim about .Net consume memory when operating Firefox.
 
Azhar said:
Is it that much of a strain to stop thinking of Microsoft as an overblown evil empire?
Click to expand...
I don't consider them an evil empire. Far from it, in fact (read the rest of the thread, Azhar). That doesn't necessarily mean I should be as subservient to their occasional negligent practices as most here seem to be, and I certainly don't feel any compulsion to pray to the altar of Microsoft on a daily basis. They shouldn't get a pass just because they're Microsoft, for Christ's sake.

Azhar said:
I'd love to see you back up your claim about .Net consume memory when operating Firefox.
Click to expand...
I assume it follows the basic laws of computing whereby memory registers are used to store data, but, you know, that's just me and my silly assumptions.
 
phide said:
I don't consider them an evil empire. Far from it, in fact (read the rest of the thread, Azhar). That doesn't necessarily mean I should be as subservient to their occasional negligent practices as most here seem to be, and I certainly don't feel any compulsion to pray to the altar of Microsoft on a daily basis. They shouldn't get a pass just because they're Microsoft, for Christ's sake.


I assume it follows the basic laws of computing whereby memory registers are used to store data, but, you know, that's just me and my silly assumptions.
Click to expand...

There's another basic law of computing: something doesn't run until the function is called. Silly assumptions aplenty!
 
W7 update added it for me. I do have the option to uninstall.

What really had me pissed? The update changed my home page to MSN on FF.
 
delvryboy said:
W7 update added it for me. I do have the option to uninstall.

What really had me pissed? The update changed my home page to MSN on FF.
Click to expand...

All I can think of is 2 things:

1. you told Firefox to copy IE, or
2. you didn't read the final prompt that ask you to set your homepage and search provider when installing something else (most likely Windows Live Essentials).

I've never seen a dotNet Framework update wanting or needing to change your homepage.
 
You must log in or register to reply here.
Back
Top