Microsoft Updates Firefox?

May 29, 2009

Brian Krebs of the Washington Post has a new article on his Security Fix blog about an unannounced side effect of one of Microsoft’s many security updates:

A routine security update for a Microsoft Windows component installed on tens of millions of computers has quietly installed an extra add-on for an untold number of users surfing the Web with Mozilla’s Firefox Web browser.

Briefly, Microsoft issued an update to its .NET Framework component of Windows via the Windows Update mechanism.  That update silently installed an extension to the Mozilla Firefox browser, called the .NET Framework Assistant. It appears that the extension is installed in such a way that it is quite difficult to remove via the normal user controls (although it can be disabled).  This is rather naughty behavior for a few reasons:

  • It really isn’t appropriate for Microsoft (or any vendor) to be updating another vendor’s software, especially without telling the customer.  (It is left as an exercise for the reader — and not a very difficult one — to imagine Microsoft’s response if updating Firefox were to mess around with the internals of Windows.)
  • The reason the “Uninstall” button for the extension is greyed out is that Microsoft installed the extension in an unconventional way.  Normally, Firefox extensions are installed on a per-user-profile basis; this one, according to Microsoft, is installed to provide “support at the machine level in order to enable the feature for all users on the machine”.  So, if you have a machine used by more than one person, everyone gets the “benefit” of any bugs or security flaws in the extension — without knowing it, of course.
  • The .NET framework itself is a mechanism that, in part, allows a Web site to provide executable content to be run in the browser context.   Some people may not want this, for good reasons.
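
A machine-level install of the kind described in the second point can be checked for on a Windows host. The PowerShell below is an added example, not code from Microsoft, Mozilla or this post; it assumes the extension is registered through Firefox's documented registry install locations (the key paths are that assumption, not something the post states), and it only reads them.

```powershell
# Added example: inventory Firefox extensions registered through the Windows
# registry rather than inside a user profile. Read-only; nothing is modified.
function Get-RegistryFirefoxExtension {
    [CmdletBinding()]
    param(
        # Assumption: Firefox's documented registry install locations.
        # HKLM entries apply to every user of the machine; HKCU to one user.
        [string[]]$KeyPath = @(
            'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions',
            'HKLM:\SOFTWARE\WOW6432Node\Mozilla\Firefox\Extensions',
            'HKCU:\SOFTWARE\Mozilla\Firefox\Extensions'
        )
    )

    foreach ($path in $KeyPath) {
        # A missing key just means nothing is registered at that location.
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $key = Get-Item -LiteralPath $path
        foreach ($name in $key.GetValueNames()) {
            # Value name = extension ID, value data = folder or file it loads from.
            $target = [string]$key.GetValue($name)

            [pscustomobject]@{
                Scope       = if ($path -like 'HKLM:*') { 'AllUsers' } else { 'CurrentUser' }
                ExtensionId = $name
                InstallPath = $target
                # A stale entry (path gone) is worth cleaning up as well.
                PathExists  = [bool]($target -and (Test-Path -LiteralPath $target))
                RegistryKey = $path
            }
        }
    }
}

# Show only the entries every user of the machine inherits.
Get-RegistryFirefoxExtension |
    Where-Object { $_.Scope -eq 'AllUsers' } |
    Sort-Object ExtensionId |
    Format-Table -AutoSize -Wrap
```

Any `AllUsers` row is an extension that no individual user chose to install and that the per-profile controls in Firefox may not be able to remove.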

Unfortunately, getting rid of the extension is a real pain.   Microsoft has instructions for doing so in a Knowledge Base article; be forewarned that this requires some manual hacking of the Windows Registry, which is not for the ten-thumbed or the faint of heart.

Apparently, a later version of the extension does partially remedy the problem, in that it allows per-user un-installation.  Further information and a download link for the new version are on Brad Abrams’ MSDN blog.  More information is also available on the Web site, which deals with aspects of Windows that are, um, annoying.
