[huskerlug] Security Fix - Microsoft Update Quietly Installs Firefox Extension

  • From: GreyGeek <GreyGeek@xxxxxxxxxxxxx>
  • To: undisclosed-recipients:;
  • Date: Mon, 01 Jun 2009 19:56:35 -0500

http://voices.washingtonpost.com/securityfix/2009/05/microsoft_update_quietly_insta.html[1]

Microsoft Update Quietly Installs Firefox Extension 

A routine security update for a Microsoft Windows component installed on
tens of millions of computers has quietly installed an extra add-on for an
untold number of users surfing the Web with Mozilla's Firefox Web browser.

Earlier this year, Microsoft shipped a bundle of updates known as a "service
pack" for a programming platform called the Microsoft .NET Framework, which
Microsoft and plenty of third-party developers use to run a variety of
interactive programs on Windows. 

The service pack for the .NET Framework, like other updates, was pushed out
to users through the Windows Update Web site. A number of readers had never
heard of this platform before Windows Update started offering the service
pack for it, and many of you wanted to know whether it was okay to go ahead
and install this thing. Having earlier checked to see whether the service
pack had caused any widespread problems or interfered with third-party
programs -- and not finding any that warranted waving readers away from this
update -- I told readers not to worry and to go ahead and install it.

I'm here to report a small side effect from installing this service pack
that I was not aware of until just a few days ago: Apparently, the .NET
update automatically installs its own Firefox add-on that is difficult -- if
not dangerous -- to remove, once installed.........


Big deal, you say? I can just uninstall the add-on via Firefox's handy
Add-ons interface, right? Not so fast. The trouble is, Microsoft has
disabled the "uninstall" button on the extension. What's more, Microsoft
tells us that the only way to get rid of this thing is to modify the Windows
registry[2], an exercise that -- if done imprecisely -- can cause Windows
systems to fail to boot up.

When I first learned of this, three thoughts immediately flashed through my
mind: 

1) How the %#@! did I miss this? 

2) The right way would have been to just publish the add-on at Mozilla's Add
Ons page[3]. 

3) This kind of makes you wonder what else MS is installing without your
knowledge. 

Then I found that I wasn't the only one who had these ideas. Microsoft has
heard these criticisms from others who long ago commented on this
unfortunate development (see the comments underneath this post[4]).

Anyway, I'm sure it's not the end of the world, but it's probably
infuriating to many readers nonetheless. Firstly -- to my readers -- I
apologize for overlooking this..."feature" of the .NET Framework security
update. Secondly -- to Microsoft -- this is a great example of how not to
convince people to trust your security updates. For those Windows users that
got caught by this potential .NET spyware here is the removal sequence:
http://blogs.msdn.com/brada/archive/2009/02/27/uninstalling-the-clickonce-support-for-firefox.aspx[5]




-- ---- GreyGeek

“They’ll get sort of addicted, and then we’ll somehow figure out how to
collect sometime in the next decade.” –Bill Gates

“Bill Gates looks at everything as something that should be his. He acts
in any way he can to make it his. It can be an idea, market share, or a
contract. There is not an ounce of conscientiousness or compassion in him.
The notion of fairness means nothing to him. The only thing he understands
is leverage.” –Philippe Kahn

I don't think it's any coincidence that
Microsoft achieved dominance in the American market during the same period
that bottled water became omnipresent. In both instances, clever marketing
convinced the general public that something that was clean, safe and free
was inferior to a product encased in plastic.

--- Links ---
   1 http://voices.washingtonpost.com/securityfix/2009/05/microsoft_update_quietly_insta.html
   2 http://blogs.msdn.com/brada/archive/2009/02/27/uninstalling-the-clickonce-support-for-firefox.aspx
   3 https://addons.mozilla.org/en-US/firefox/
   4 http://blogs.msdn.com/brada/archive/2009/02/27/uninstalling-the-clickonce-support-for-firefox.aspx
   5 http://blogs.msdn.com/brada/archive/2009/02/27/uninstalling-the-clickonce-support-for-firefox.aspx

----
Husker Linux Users Group mailing list
To unsubscribe, send a message to huskerlug-request@xxxxxxxxxxxxx
with a subject of UNSUBSCRIBE

