Microsoft .NET Framework Assistant update secretly installs Firefox extension

Microsoft .NET Framework Assistant update secretly installs Firefox extension

Community backlash is building against a routine .NET Framework update for Microsoft Windows that quietly installs a browser add-on for user who surf the Web with Mozilla’s popular Firefox browser.  From WaPo’s Brian Krebs:

I’m here to report a small side effect from installing this service pack that I was not aware of until just a few days ago: Apparently, the .NET update automatically installs its own Firefox add-on that is difficult — if not dangerous — to remove, once installed.

Annoyances.org, which lists various aspects of Windows that are, well, annoying, says “this update adds to Firefox one of the most dangerous vulnerabilities present in all versions of Internet Explorer: the ability for Web sites to easily and quietly install software on your PC.” I’m not sure I’d put things in quite such dire terms, but I’m fairly confident that a decent number of Firefox for Windows users are rabidly anti-Internet Explorer, and would take umbrage at the very notion of Redmond monkeying with the browser in any way.

Big deal, you say? I can just uninstall the add-on via Firefox’s handy Add-ons interface, right? Not so fast. The trouble is, Microsoft has disabled the “uninstall” button on the extension. What’s more, Microsoft tells us that the only way to get rid of this thing is to modify the Windows registry, an exercise that — if done imprecisely — can cause Windows systems to fail to boot up.

The Firefox extension is delivered through an update to Microsoft .NET Framework.  Once installed, it seems to be difficult to remove depending on your Firefox browser version and other factors, as the in-browser Uninstall button is disabled.  Manual removal instructions – which aren’t for novice users, as they involve some registry hacks – are here.

On my browser, Firefox 3.0.10, the add-on is present and uninstallable via the browser, although I can kill the extension through Add/Remove Programs.  Other reports suggest that there is a 1.1 version of this .NET Framework Assistant that allows the add-on to be removed directly within Firefox.

Questionable design decisions here.  Microsoft wants people to update their systems automatically, which requires implicit trust.  When an OS vendor starts shipping unpublished modifications to competing browser platforms, it’s a great way for users not to trust your updates.

If the functionality is important, then publish what you’re doing and explain why – provide notice and set context.  Don’t assume you have the rights to do what you want to a user’s applications, regardless of your intent.  As an OS vendor, this sort of thing isn’t tolerated well.  A simple Google search gives you the zeitgeist opinion of the situation, and it’s not what I would want to see.

+ posts