500 comments

Surprise! (5, Funny)

jeffb (2.718) (1189693) | more than 4 years ago | (#28168225)

What, you think you know better than MICROSOFT what should be on your machine?

Re:Surprise! (4, Funny)

The Grim Reefer2 (1195989) | more than 4 years ago | (#28168285)

What, you think you know better than MICROSOFT what should be on your machine?

Well they did release Vista.

Re:Surprise! (5, Funny)

Smidge207 (1278042) | more than 4 years ago | (#28168331)

What, you think you know better than MICROSOFT what should be on your machine?

Well they did release Vista.

Well, they did release Bob.

Re:Surprise! (2, Informative)

The Grim Reefer2 (1195989) | more than 4 years ago | (#28168775)

What, you think you know better than MICROSOFT what should be on your machine?

Well they did release Vista.

Well, they did release Bob.

...And Clippy, and Windows 98 ME...

Re:Surprise! (-1, Offtopic)

Faireh (1523017) | more than 4 years ago | (#28168383)

I saw this and got a vision of the Family guy episode when Stewie hopped a plane and got past security pretending to be part of another family. I giggled at the fam guy thought, and grimaced when I remembered why I was remembering it. More and more I feel myself pulled to what I have long regarded as the 'Dark Side'.. the realm of half eaten fruit..

Re:Surprise! (-1, Troll)

Anonymous Coward | more than 4 years ago | (#28168925)

Dude, I don't want to ruin the surprise, bu we know you're gay. Everyone. It's obvious. It's actually kind of funny that you seem to be the only one who doesn't realize it. I don't know what this mumbo jumbo about dark sides and forbidden fruit is, but accept yourself for who you are: a guy who likes cock. We accept you for who you are.

Re:Surprise! (5, Insightful)

fatray (160258) | more than 4 years ago | (#28168919)

Firefox is a competitor to Microsoft. Automatically installing extensions to your competitor's products really is an innovative idea. I wonder if Microsoft has a patent on this?

This could be misused, though.

Uhuh (5, Funny)

jav1231 (539129) | more than 4 years ago | (#28168227)

The new extension allows Firefox to experience the same rich vulnerabilities that IE users have come to expect!

fairly sure that (5, Insightful)

Pvt_Ryan (1102363) | more than 4 years ago | (#28168239)

this is old news.. That extension was "added" at least a year ago I think..

Re:fairly sure that (2, Insightful)

Anonymous Coward | more than 4 years ago | (#28168299)

Yup. But not that long ago:

http://tech.slashdot.org/story/09/02/01/2143218/Microsoft-Update-Slips-In-a-Firefox-Extension

Someone should check these dupes...

Re:fairly sure that (5, Informative)

Taagehornet (984739) | more than 4 years ago | (#28168321)

...and we've already discussed it here at least once: http://tech.slashdot.org/article.pl?sid=09/02/01/2143218 [slashdot.org]

Re:fairly sure that (2, Insightful)

impaledsunset (1337701) | more than 4 years ago | (#28168549)

Are you sure that's the same one? There is no mention what extension it is in the summary (no, I didn't RTFS, but I asked a friend to read and summarize it for me). This might be a new one. Like one that makes Firefox use Trident, support ActiveX and use Bing as a default search! Oh noes! Just imagine! It could also include eat babies, remove Linux related stories from Slashdot, add DRM and even be incompatible with the GPL! Don't downplay it! That's serious!

Re:fairly sure that (1)

th3rtythr33 (1191409) | more than 4 years ago | (#28168951)

And how many more lives must this Extension claim before we stop ignoring the "a new add-on was installed" message when we start our Firefoxen?

Re:fairly sure that (1)

hellocatfood (937756) | more than 4 years ago | (#28168669)

I do think so. I've had it disabled for the last few months. Unfortunately I can't uninstall it

Re:fairly sure that (1)

Ouchie (1386333) | more than 4 years ago | (#28168779)

Yeah, Luckily I use Ubuntu for most stuff and I've found myself using Google Chrome more often under windows.

Re:fairly sure that (5, Informative)

Ark42 (522144) | more than 4 years ago | (#28168907)

Apparently, MS released a v1.1 of the plugin, but it can't install if you left 1.0 disabled (like I did). If you re-enable the plugin, then go manually re-download and re-install the hotfix which included this plugin more recently, you will get v1.1 of the plugin, after which, you CAN uninstall it.
Note that disabling the plugin still leaves a string in your user-agent saying what version of .net you have installed, so either get it uninstalled, or go check and delete the right entry from general.useragent.extra.* in about:config

Re:fairly sure that (2, Interesting)

morgan_greywolf (835522) | more than 4 years ago | (#28168915)

The new twist is that the article's author just realized that the extension can't be easily uninstalled:

I'm here to report a small side effect from installing this service pack that I was not aware of until just a few days ago: Apparently, the .NET update automatically installs its own Firefox add-on that is difficult -- if not dangerous -- to remove, once installed.

Annoyances.org, which lists various aspects of Windows that are, well, annoying, says "this update adds to Firefox one of the most dangerous vulnerabilities present in all versions of Internet Explorer: the ability for Web sites to easily and quietly install software on your PC." I'm not sure I'd put things in quite such dire terms, but I'm fairly confident that a decent number of Firefox for Windows users are rabidly anti-Internet Explorer, and would take umbrage at the very notion of Redmond monkeying with the browser in any way.

Big deal, you say? I can just uninstall the add-on via Firefox's handy Add-ons interface, right? Not so fast. The trouble is, Microsoft has disabled the "uninstall" button on the extension. What's more, Microsoft tells us that the only way to get rid of this thing is to modify the Windows registry, an exercise that -- if done imprecisely -- can cause Windows systems to fail to boot up.

The sad thing is that I think probably everyone missed this because this is not new behavior for Microsoft.

Some Left Over Stupidity from the Last Millennium (5, Insightful)

eldavojohn (898314) | more than 4 years ago | (#28168247)

Wow, well, you know what can I say? I applaud Microsoft for their work in Vista & Windows 7 in separating userspace from kernelspace [wikipedia.org] and then they just go and do something like this:

Microsoft .NET Framework Assistant 1.0
Adds ClickOnce support and the ability to report installed .NET framework versions to the web server.

I do not like the sound of that nor does Annoyances.org as the article notes. I don't like the idea of sending anything about software on my computer to a web server without me knowing about it. I really don't like the sound of ClickOnce either! Isn't this the mentality that has gotten IE users in trouble time and time again?!

I don't have a problem with the .NET framework ... as long as we're not heading back to blurring the line between what the browser should have access to (certain user space files) and what the browser inadvertently has access to (.NET libraries right in the kernel).

Re:Some Left Over Stupidity from the Last Millenni (5, Informative)

Anonymous Coward | more than 4 years ago | (#28168473)

ClickOnce makes it possible to install applications over the web (WoWAceUpdater was an example of this) at the user's demand, it will not automagically download .NET-capable trojans to send back personal information. If you're truly paranoid and wish to disable it, the instructions are pretty simple and can be found by googling.

On that note, Java's JRE does the exact same thing (adds a firefox extension without the user knowing about it, and reports back version).

Re:Some Left Over Stupidity from the Last Millenni (4, Insightful)

Bert64 (520050) | more than 4 years ago | (#28168519)

Not exactly..
You have to explicitly acquire the JRE and install it, and the first version you install includes the firefox extension, subsequent updates may update functionality you already installed.

It's not like the JRE shipped by default with the OS, and the original version didn't include the firefox extension while subsequent updates bring this new functionality.

Re:Some Left Over Stupidity from the Last Millenni (0)

Anonymous Coward | more than 4 years ago | (#28168693)

It's not like the JRE shipped by default with the OS, and the original version didn't include the firefox extension while subsequent updates bring this new functionality.

Yup, we have microsoft to thank for that...

Re:Some Left Over Stupidity from the Last Millenni (1)

tepples (727027) | more than 4 years ago | (#28168797)

ClickOnce makes it possible to install applications over the web (WoWAceUpdater was an example of this) at the user's demand

This has been possible since the first EXE file was sent over HTTP. You click once to download the installer, and once the download finishes, you choose Run in the download manager. Why should it be even easier for less-knowledgeable end users to install fake video codecs that include fake antivirus software complete with a fake virus [2-spyware.com] ?

It's a string in the user-agent (5, Informative)

tepples (727027) | more than 4 years ago | (#28168507)

Adds ClickOnce support and the ability to report installed .NET framework versions to the web server.

I do not like the sound of that nor does Annoyances.org as the article notes. I don't like the idea of sending anything about software on my computer to a web server without me knowing about it.

But do you know what your browser is already sending? Mine is sending this:

User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)

"Windows NT 5.1" is Windows XP, and "Gecko" is the HTML/CSS engine used by Firefox, Iceweasel, SeaMonkey, Fennec, etc. Sites can query the versions of various addons that handle an object type, such as Java SE and Flash Player, by embedding such an object. What's so different between querying the .NET Framework version through this add-on and doing so through the Silverlight addon?

Re:It's a string in the user-agent (4, Informative)

mrsteveman1 (1010381) | more than 4 years ago | (#28168625)

What's so different between querying the .NET Framework version through this add-on and doing so through the Silverlight addon?

Because I don't want either one?

Re:It's a string in the user-agent (0, Redundant)

lightning_queen (861008) | more than 4 years ago | (#28168829)

Then do a little research and don't download the update. Or disable the addon.

Re:It's a string in the user-agent (0, Insightful)

Anonymous Coward | more than 4 years ago | (#28169015)

How about Microsoft not taking liberties with my computer and installing spyware in the first place? Why should one NEED to "do a little research" in the first place, you god damned apologist retard?

Re:It's a string in the user-agent (5, Informative)

slashd'oh (234025) | more than 4 years ago | (#28168891)

You can go to "about:config" and clear the value of "general.useragent.extra.microsoftdotnet" to remove the "(.NET [...])" part of the UA string.

Re:Some Left Over Stupidity from the Last Millenni (5, Funny)

Brett Buck (811747) | more than 4 years ago | (#28168523)

I don't have a problem with the .NET framework ... as long as we're not heading back to blurring the line between what the browser should have access to (certain user space files) and what the browser inadvertently has access to (.NET libraries right in the kernel).

        I sure hope they come up with a way to run ActiveX in Firefox, I want seamless integration of my botnet...

        Brett

Re:Some Left Over Stupidity from the Last Millenni (1)

doti (966971) | more than 4 years ago | (#28168697)

Isn't this the mentality that has gotten IE users in trouble time and time again?!

And now it will get Firefox users in trouble time and time again.
It's a win-win situation for them.

No .NET in Kernel (0)

Anonymous Coward | more than 4 years ago | (#28169013)

There are no .NET libraries in the kernel. It's all user space. Just like Java, .NET runs in a sandbox - web applets cannot touch or see your disk.

Dupe (2, Informative)

MyLongNickName (822545) | more than 4 years ago | (#28168249)

I read about this on Slashdot a couple weeks ago.

Re:Dupe (3, Informative)

MyLongNickName (822545) | more than 4 years ago | (#28168341)

Ah, finally found the link. Sadly enough, Slashdot's search engine didn't find it but Google's did.

http://tech.slashdot.org/article.pl?sid=09/02/01/2143218 [slashdot.org]

(would have posted sooner, but have to wait 5 minutes between posts)

Re:Dupe (5, Funny)

Anonymous Coward | more than 4 years ago | (#28168703)

Sadly enough, Slashdot's search engine didn't find it but Google's did.

Hey, be fair. Slashdot has only had a search feature for about 10 years - it takes time to make these things useful.

And their development team (Sid) has been feverishly at work all those years in order to bring us world-beating innovations like the giant green "Reply to This" and "Parent" buttons (we had such a hard time finding those links before the advent of those buttons) and features to break certain browsers. Add to that the Herculean efforts to change the wait between AC posts (the "Slow Down, Cowboy" feature) from 2 minutes to an amount of time generated by a random number generator and added to 2 hours while telling us things like "it has only been 96 days and 14 minutes since your last post - you must wait at least 2 minutes before posting" and you can see that Sid (who does this in his spare time between grade-school classes) has had a pretty full plate.

Oh, and Sid has discovered girls, so his mind is elsewhere these days (he has to adapt - he never had exposure to girls while working for Slashdot).

So, a little less of the bitching, if you please.

Microsoft patching 3rd party apps? (0)

GordonCopestake (941689) | more than 4 years ago | (#28168257)

What ever next!?

I wonder if Mozilla know about this? Probably done with their consent as it can only be a good thing, but what's next? Firefox updates on Windows Update?

Re:Microsoft patching 3rd party apps? (2, Informative)

ReverendLoki (663861) | more than 4 years ago | (#28168457)

As far as I know, Mozilla puts no restrictions on who can release what sort of Add-Ons. In this equation, Microsoft controls the OS and the software update program; they needed no permission from Mozilla to push this out.

And as an Add-On, it's not really akin to patching a 3rd party app exactly. It's just a MS program that closely works and integrates with the publicly documented interface of a 3rd party app.

Uhm... but this is old news, isn't it? (0, Redundant)

w4rl5ck (531459) | more than 4 years ago | (#28168261)

The .net-Update has "installed" this Add-On secretly for a few months now, as far as I know. It just got into the "normal" Windows auto-update stream, thus annoying more and more people? Or am I somehow mistaken?

Re:Uhm... but this is old news, isn't it? (-1, Redundant)

clone53421 (1310749) | more than 4 years ago | (#28168301)

Agreed, this is OLD news... and didn't I see an article here the last time it was old news?

Re:Uhm... but this is old news, isn't it? (2, Interesting)

asdf7890 (1518587) | more than 4 years ago | (#28168403)

The .net-Update has "installed" this Add-On secretly for a few months now, as far as I know. It just got into the "normal" Windows auto-update stream, thus annoying more and more people? Or am I somehow mistaken?

It has certainly been around for some time, and I think it has been in updates that Joe Public gets automatically for a while too. My guess is that this reporter has only just heard about it so to him (and presumably others too) it is new news.

At first it turned up as part of the Visual Studio install/servicepack, so developers got it first, I'm not sure when I first noticed it appearing on machines that had the relevant .Net libraries but no VS.

I don't have a problem with the add-in existing, or it being installed by default. But being installed by default with no opt-out and with the uninstall/disable options removed from the user, is either bad customer care or plain malice (though for all the noise my inner tin-foil-hat is making I can't think of anything logical that such malice would achieve for MS, so "not caring about the customer" is the more likely option).

How to disable... (5, Informative)

Anonymous Coward | more than 4 years ago | (#28168273)

Tools > Add-Ons > Plugins > Disable all Microsoft plugins.. and Adobe Acrobat's, QuickTimes & anything else that looks suspicious

Re:How to disable... (1)

blahbooboo (839709) | more than 4 years ago | (#28168515)

Tools > Add-Ons > Plugins > Disable all Microsoft plugins.. and Adobe Acrobat's, QuickTimes & anything else that looks suspicious

As it said in the article, you can't uninstall it nor disable it...

Thankfully it's not compatible with Firefox 3.5 beta 4!

Re:How to disable... (4, Informative)

YesIAmAScript (886271) | more than 4 years ago | (#28168611)

The article doesn't say you can't disable it. In fact, in the screenshot in the article, the disable button is clearly enabled.

The last .NET update did the same thing, put in an extension to FireFox that you couldn't uninstall, only disable. Java does the same thing, I have TWO Java SE FireFox extensions disabled in my list (neither can be uninstalled).

With this latest .NET update the uninstall button actually works for the .NET extension. At least on my Windows 7 machine.

Re:How to disable... (4, Informative)

Andy Dodd (701) | more than 4 years ago | (#28168613)

It says nowhere in the article that you can't disable it, just that you can't uninstall it.

In fact, the screenshot in the article shows an active disable button, but not an active uninstall button.

In a previous post, someone said that this is due to admin privileges issues. Most extensions are installed by a user and reside in a user-accessible directory. Firefox allows for system-wide installation of extensions by pointing to them with a registry entry. System-wide-installed extensions fundamentally can't be uninstalled directly by a user without some sort of privilege escalation, which Firefox doesn't support. MS didn't explicitly disable uninstallation, it's just a side effect of being a system-wide installation.

Time to try Opera? (0)

Anonymous Coward | more than 4 years ago | (#28168281)

"A routine security update for a Microsoft Windows component installed on tens of millions of computers has quietly installed an extra add-on for an untold number of users surfing the Web with Mozilla's Firefox Web browser.

Earlier this year, Microsoft shipped a bundle of updates known as a "service pack" for a programming platform called the Microsoft .NET Framework, which Microsoft and plenty of third-party developers use to run a variety of interactive programs on Windows.

Annoyances.org, which lists various aspects of Windows that are, well, annoying, says "this update adds to Firefox one of the most dangerous vulnerabilities present in all versions of Internet Explorer: the ability for Web sites to easily and quietly install software on your PC.""

*Sigh*

Firefox needs to fix this. (5, Insightful)

Jartan (219704) | more than 4 years ago | (#28168297)

Several companies have pulled this stunt where they stealth in an addon and disable the uninstall button. Firefox makes this too easy and needs to change how it handles addons which are not installed expressly via the user.

Re:Firefox needs to fix this. (5, Insightful)

MyLongNickName (822545) | more than 4 years ago | (#28168429)

Hi. If you are running automatic updates, then by default, you have a process running on your computer with administrative privileges. So, you are proposing that Firefox somehow magically blocks that? Even if you find a way to do that, you would piss someone like me off. I am the defacto sysadmin for a small company. If I want auto update to run and update all computers, I do NOT want individual applications vetoing the updates. If I have a problem with an individual update, it is up to me to test the update before pushing it out to client computers. Simple as that.

It is goofy workarounds and disregarding of conventions that create the big messes.

Re:Firefox needs to fix this. (5, Informative)

Captain Hook (923766) | more than 4 years ago | (#28168505)

This isn't an update from Firefox's point of view, it's the installation of an add-on which has not been requested by the user, at the very least, Firefox should prompt the user at the next startup if a new add-on has been installed.

Re:Firefox needs to fix this. (1)

MyLongNickName (822545) | more than 4 years ago | (#28168553)

Irrelevant. I can see notifying the user. However, an update process running as root can do whatever the hell it wants.

Lessons to be learned.

1) In general, do not run as root (admin)
2) Don't run auto-update

For the 95% of the folks who don't care about what Windows puts on their system, this is irrelevant to them. To those who care about what add-in shows up in Firefox, simply obey these two rules. Non-issue.

Re:Firefox needs to fix this. (0)

Anonymous Coward | more than 4 years ago | (#28169039)

piss-ants like you are why we need better windows administrators.

processes on Windows never run as root - that would be administrator - never mix the two, they aren't compatible - ever.

If you work in a corporate environment and you rely on autoupdate to keep your systems patched, you're an idiot. sus, sms, 3rd party management applications all give finer grained control over which patches are deployed, when, and with which options. autoupdate can and will miss some updates from time to time - or install something that breaks another application.

Yes, I've blocked IE8 from installing - period - even though M$ thinks it's a CRITICAL patch.
I've also regedited the .Net applet from firefox so that it no longer loads.

Re:Firefox needs to fix this. (3, Insightful)

99BottlesOfBeerInMyF (813746) | more than 4 years ago | (#28168593)

Hi. If you are running automatic updates, then by default, you have a process running on your computer with administrative privileges. So, you are proposing that Firefox somehow magically blocks that?

You make this sound impossible, but that's not the case. Firefox doesn't have to automatically load any plug-in in the right folder. It can keep a list of which ones the user has manually approved and only use those. It can keep that list in an encrypted config file if it has to to keep MS from manually editing it. That's not to say Mozilla should adopt this behavior, only that MS having an admin process does not mean they can realistically control the workings of software running.

Re:Firefox needs to fix this. (1)

flonker (526111) | more than 4 years ago | (#28168641)

An encrypted config file can be considered to be quite similar to DRM. It won't work. If FF can read it somehow, then anyone else can read it by looking at how FF does it. It's even easier because FF is open source.

With that said, an open, unencrypted system that allows updates to be automatically added, but gives you a list of which ones were added since you last started FF would be very similar, without making companies try to work around it.

Re:Firefox needs to fix this. (1)

Phroggy (441) | more than 4 years ago | (#28168913)

An encrypted config file can be considered to be quite similar to DRM. It won't work. If FF can read it somehow, then anyone else can read it by looking at how FF does it. It's even easier because FF is open source.

With that said, an open, unencrypted system that allows updates to be automatically added, but gives you a list of which ones were added since you last started FF would be very similar, without making companies try to work around it.

Except that in order for Firefox to give you a list of which add-ons have been added since the last time you started FF, it has to keep track of a list of which add-ons were installed the last time you started FF. All Microsoft has to do is append their add-on to this list, and the next time you launch FF, it'll think you already had this add-on installed before, the user has already been notified, etc. That was the reason for the encryption suggestion, but you're right, if Firefox can edit the encrypted list, anybody else can edit the encrypted list too.

Re:Firefox needs to fix this. (1)

99BottlesOfBeerInMyF (813746) | more than 4 years ago | (#28169007)

An encrypted config file can be considered to be quite similar to DRM. It won't work. If FF can read it somehow, then anyone else can read it by looking at how FF does it. It's even easier because FF is open source.

Yes, very similar to DRM. Are you familiar with the DMCA?

With that said, an open, unencrypted system that allows updates to be automatically added, but gives you a list of which ones were added since you last started FF would be very similar, without making companies try to work around it.

The problem being, if it is unencrypted, MS can manually edit wherever the list of already approved files is stored, unless it is in the cloud or something, and even then it may be possible.

Re:Firefox needs to fix this. (1)

MyLongNickName (822545) | more than 4 years ago | (#28168661)

And what prevents the updater from marking it as "approved"? You are thinking tactically. But strategically, the mindset has to be "run as root and a process can do whatever it wants, for good or for bad". If you have this mindset, it changes your decisions about how to run systems. Least privileges is a good philosophy.

Bottom line, is this is not Firefox's fault. I think they are handling things properly in this case.

Re:Firefox needs to fix this. (1)

99BottlesOfBeerInMyF (813746) | more than 4 years ago | (#28168923)

And what prevents the updater from marking it as "approved"?

My implication was that the file where it is "approved" was encrypted, requiring Microsoft to reverse engineer how Firefox unencrypts the file in order to change it instead of just corrupting it and requiring all the extensions to be manually approved.

. But strategically, the mindset has to be "run as root and a process can do whatever it wants, for good or for bad".

Except root can't do things unless it understands how and even then it is not necessarily legal.

Bottom line, is this is not Firefox's fault. I think they are handling things properly in this case.

That's not really the topic of this thread. One could make arguments either way depending upon one's priorities.

Re:Firefox needs to fix this. (0)

Anonymous Coward | more than 4 years ago | (#28168927)

You mean some sort of functionality to disable the addon? If only there was a button you could click...

Re:Firefox needs to fix this. (0)

Anonymous Coward | more than 4 years ago | (#28168563)

Letting the user install an addon makes the machine just as vulnerable. Machine owner != user. So really I get annoyed that the default mode is user addons, and not system wide addons. (yes we change firefox settings to just that)

Re:Firefox needs to fix this. (5, Informative)

BitZtream (692029) | more than 4 years ago | (#28168987)

They aren't 'stealth'ing in an add on nor are they 'disabling' the uninstall button.

The 'uninstall' button is for user specific addons, not system wide add ons. The uninstall button has never worked for system wide addon installations. It is a feature, and a required one if you expect Firefox to actually get anywhere in the business world. This is done by adding a single registry key and can be done for ANY add on, regardless of who makes it or where it is installed.

It serves two purposes. First it allows things to install add ons before the browser is installed so that when you later install Firefox it will be aware of existing items and not require you to jump through hoops to get them to work. Second, it allows administrators and other software packages to install something globally, for all users of the host, without requiring each user to manually install the add on and keep it updated.

I'm sorry that this doesn't fall into your narrow little view of the world, but for the rest of us this sort of thing is a requirement to use Firefox in the business world.

Finally, there is a very simple solution. Don't install software that does things you don't want it to do. You're an idiot if you think there is anything whatsoever that Firefox can do to stop this sort of thing. There isn't. Add ons will ALWAYS be able to install themselves without notifying you, welcome to open source, EVERYONE can see how to do it, that's a feature of open source. There is nothing Mozilla can do to stop it short of releasing a version with some non-OSS component that can be used to prevent it from happening using digital sigs to verify that only allowed add ons are installed or not load them. And as soon as they do that Slashdot will be ranting and raving about freedom to do whatever the hell it wants.

You got your software freedom, you wanted everyone else to have the same access to the software as you do. Great, they do, now you get to deal with the consequences of that.

It's not like user add-ons can't do the EXACT SAME THING. All you need to do is remove write permissions from your own files when you startup and Firefox won't do shit when you tell it to uninstall it except throw an error. Any add on can do that, and Firefox is unlikely to ever 'fix' that problem as it's one that Firefox shouldn't be responsible for.

You can fix the problem on your computer yourself to make sure this doesn't happen with some registry permissions in HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla, take away all write/modify access to this key from everyone after you've installed Firefox. Problem solved. That is where various addons for Mozilla software can be installed globally by a system administrator.

As for Firefox removing that feature, go ahead and let that happen. Find out how many IT departments suddenly want even less to do with Firefox. I'm sure they'll love you for having it removed when they have to do something retarded like run a login script to roll out extensions rather than just pushing a registry change via group policy.

The worst part is that this gets modded insightful. This isn't fucking insightful, it's ignorant, short-sighted and shows a complete lack of understanding about what's going on and why.

What's worse is ignorant dipshit comments like this end up making me fucking defend Microsoft.

Get a clue, then start bashing, people with far more intelligence and understanding of this sort of thing work on it, not you, ever consider there MAY be a reason?
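
A defender-side check for the mechanism described above (add-ons registered machine-wide under HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla) combined with the "list what was added since last time" idea raised earlier in the thread. This is an added example, not code from any poster, Mozilla or Microsoft; the `Firefox\Extensions` subkey and its WOW6432Node view are where Firefox for Windows reads these pointers, while the `.reg` text, extension IDs, paths and baseline are constructed for illustration.

```python
"""Diff machine-wide Firefox extension registrations against a baseline."""
import re

# Value name = extension ID, value data = path to the extension.
NATIVE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions"
# View read by a 32-bit Firefox on 64-bit Windows.
WOW64_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Firefox\Extensions"
WATCHED = {NATIVE_KEY.upper(), WOW64_KEY.upper()}  # key names are case-insensitive

# Constructed sample in the text format written by `reg export`.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions]
"corp-proxy-helper@it.example"="C:\\Program Files\\Corp\\ProxyHelper"
"{00000000-1111-2222-3333-444444444444}"="C:\\Windows\\Vendor\\Assistant\\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Firefox\Extensions]
"corp-proxy-helper@it.example"="D:\\Temp\\ProxyHelper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox]
"CurrentVersion"="3.0.10 (en-US)"
'''

# Constructed baseline of approved registrations. Keep the real one off the
# host: as the thread notes, a process with admin rights can rewrite a local
# list as easily as it can write the registry value.
BASELINE = {
    (NATIVE_KEY.upper(), "corp-proxy-helper@it.example"):
        r"C:\Program Files\Corp\ProxyHelper",
    (NATIVE_KEY.upper(), "old-toolbar@vendor.example"):
        r"C:\Program Files\Vendor\Toolbar",
    (WOW64_KEY.upper(), "corp-proxy-helper@it.example"):
        r"C:\Program Files (x86)\Corp\ProxyHelper",
}

_SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# Only string (REG_SZ) values; dword:/hex: values and "@" defaults are skipped.
_VALUE = re.compile(
    r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')


def _unescape(text):
    """Undo .reg escaping: backslash-backslash and backslash-quote."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_extension_registrations(reg_text):
    """Return {(KEY_UPPER, extension_id): path} for the watched keys only."""
    found = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = _SECTION.match(line)
        if section:
            key = section.group("key").upper()
            current = key if key in WATCHED else None
            continue
        if current is None:
            continue
        value = _VALUE.match(line)
        if value:
            ext_id = _unescape(value.group("name"))
            found[(current, ext_id)] = _unescape(value.group("data"))
    return found


def diff_against_baseline(current, baseline):
    """Classify registrations as added, removed or repointed to a new path."""
    added = {k: v for k, v in current.items() if k not in baseline}
    removed = {k: v for k, v in baseline.items() if k not in current}
    repointed = {
        k: (baseline[k], current[k])
        for k in current
        # Windows paths compare case-insensitively.
        if k in baseline and baseline[k].lower() != current[k].lower()
    }
    return {"added": added, "removed": removed, "repointed": repointed}


if __name__ == "__main__":
    report = diff_against_baseline(
        parse_extension_registrations(SAMPLE_EXPORT), BASELINE)
    for kind, entries in report.items():
        for (key, ext_id), detail in sorted(entries.items()):
            print(f"{kind}: {ext_id} under {key}: {detail}")
```
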

Nice Security Update (5, Insightful)

causality (777677) | more than 4 years ago | (#28168309)

From the fine article:

A routine security update for a Microsoft Windows component installed on tens of millions of computers has quietly installed an extra add-on for an untold number of users surfing the Web with Mozilla's Firefox Web browser.

If this was part of a "routine security update" then it's getting easier to understand why there are so many unpatched Windows machines out there. Things like this may seem minor but they really erode the trust that must be present in order to allow a vendor to automatically push system updates. It always did amaze me that whenever major worms come out and infect millions of PCs, they do it using vulnerabilities that have already been patched some time ago. I'm wondering how much this lack of trustworthiness has to do with it.

Re:Nice Security Update (2, Funny)

TheGratefulNet (143330) | more than 4 years ago | (#28168649)

I don't do windows updates. the last 'tinyXP' install was it and whatever came with it, came with it. period.

on WGA at all and - again - whatever level its at, its at.

BUT - no wga is a godsend and having a custom windows that is almost entirely crap-free (as much as we can make it) means we don't have to trust papa MS to give up new updates. the updates started being untrustworthy and doubtful a few years ago (around WGA time, really).

since the wga days, I stopped doing online updates and did only a 'walkaround cdrom' update. even that dried up so I had to stop that procedure.

if windows gets borked, I reinstall from that point again (or some backup). I do most of my 'dangerous' stuff on a vnc session with the real net i/o going on on linux and bsd (and opensolaris). the win box is just a vnc-viewer and not much else in a network context (no local browsing, almost ever!).

this way, I really don't CARE about this or that security update on windows. I avoid dangerous activity on windows and my win install never changes 'from under me' as it would during various windows updates from MS!

I prefer a slightly older system (of patches) on xp than trusting each new update.

I will trust 'apt-get update' on those boxes and I'll trust the solaris updates, but I will NOT TRUST MS binary updates! not anymore. I'd rather re-install if things go bad than trust their ever-infringing updates.

Re:Nice Security Update (0)

Anonymous Coward | more than 4 years ago | (#28168803)

Oh yeah. I bet that multibillion dollar company really cares if you install their updates. If you paid for XP they already got your money.

They save on bandwidth costs when smelly hippies like you don't update. Good Stuff...

Re:Nice Security Update (1)

Yvanhoe (564877) | more than 4 years ago | (#28169027)

I may also add that when Windows XP was released, fear of such (and worse) things happening was one of the main things holding back people on Win2k.

Microsoft Quietly Installs Firefox Extension (1)

bagsta (1562275) | more than 4 years ago | (#28168323)

The next thing will be Microsoft to automatically update Firefox :-P (even in Linux flavors...)

How inconsiderate! (5, Funny)

goldaryn (834427) | more than 4 years ago | (#28168339)

Man, this is so unfair to us Ubuntu users

Someone please send me the .xpi

Re:How inconsiderate! (4, Informative)

hansamurai (907719) | more than 4 years ago | (#28168463)

Well, Ubuntu users get the Ubuntu Firefox add-on which has actually conflicted and broken other popular add-ons like Tab Mix Plus. I never actually figured out what that add-on even does before I disabled it.

And yet... (4, Interesting)

someyob (1062238) | more than 4 years ago | (#28168353)

at the same time it was Firefox that quietly allowed it to happen. "I admit that maybe I missed the point", he said as he rushed home to check his Windows machine.

"Firefox allowed this" argument not valid... (0)

Anonymous Coward | more than 4 years ago | (#28168517)

I'm not sure the "Firefox allowed this to happen" argument is a completely valid one here. The people installing the add-on quietly in this case are the same people that make the operating system, and thereby the conditions that Firefox runs on.

We don't know what kind of obscure tricks they used to get this to work on *their own operating system*, obviously they are in control of it and can do pretty much what they want. An application can't offer protection against tampering with the operating system by its creators who have full control over their obscure source code.

Remove it! (5, Informative)

Dystopian Rebel (714995) | more than 4 years ago | (#28168369)

http://www.annoyances.org/exec/show/article08-600 [annoyances.org]

Note that Oracle (nee Sun) is also doing this with a Java extension.

Not Oracle (1)

Reality Master 201 (578873) | more than 4 years ago | (#28168653)

Note that Oracle (nee Sun) is also doing this with a Java extension.

Sun is still an independent company; the sale hasn't been completed yet, AFAIK.

BIG DIFF (1)

sproketboy (608031) | more than 4 years ago | (#28168753)

BIG diff: The Java plugin is not to allow silent installs of software. It's a small service to load core Java to make applets start faster.

How to remove (5, Informative)

NES HQ (1558029) | more than 4 years ago | (#28168409)

In case anyone's wondering:

http://blogs.msdn.com/brada/archive/2009/02/27/uninstalling-the-clickonce-support-for-firefox.aspx

Anecdotal problem (5, Interesting)

Dan East (318230) | more than 4 years ago | (#28168423)

I noticed this on a work machine and read about it last week. Instead of trying to manually remove the extension (the Uninstall button is disabled for this one and only extension) I simply disabled it. Starting that same day, the machine (2.3 GHz dual core Vista with 4 GB RAM) has begun locking up hard when using Firefox. This doesn't happen with IE or any other software. It locked up 5 times on me with Firefox within 1 hour, and has not locked up at all since then, as I have not used Firefox. It is abundantly clear the problem is related to Firefox, and the only thing I did with Firefox was disable the extension and restart.

Has anyone else experienced anything like this after disabling the .NET extension? I'm curious how deeply this extension hooks into the OS and if it is capable of freezing up the entire OS. Firefox, on its own, should not be capable of locking up the entire machine.

Re:Anecdotal problem (5, Insightful)

bennini (800479) | more than 4 years ago | (#28168545)

Firefox, on its own, should not be capable of locking up the entire machine.

you must be new to Windows

Re:Anecdotal problem (1)

aarmenaa (712174) | more than 4 years ago | (#28168583)

It may or may not be a related issue, but after disabling the .Net extension a while back, visiting Hulu now locks up Firefox until I kill it. I also have a lot of addons in general, though.

Re:Anecdotal problem (1)

drinkypoo (153816) | more than 4 years ago | (#28168595)

The only thing I've noticed with Firefox on Vista (I just got a new-used desktop machine with it, so I'm checking it out... I've already got it dual-booting Jaunty x64) is that my downloads shit themselves. It's gotten to the point where I'm resorting to wget. I can't resume anything. I was trying to get the service pack downloadables in case I ever wanted to install Vista again. (Can't imagine why, probably just because I have a license. I have my XP license VM'd up on my laptop, too.) I have not yet disabled the extension, though. I haven't tried any big downloads since Vista SP2 but some ~9MB ones failed with weird symptoms before that, too, not just the 300+MB service packs.

Re:Anecdotal problem (0)

Anonymous Coward | more than 4 years ago | (#28168629)

Of course it's not, because by disabling it you prevent it from running. Maybe you should fix your machine; .NET hooks "into the OS" just as much as the Java standard library does.

Attention! (5, Funny)

Anonymous Coward | more than 4 years ago | (#28168447)

Would everyone who voted this old news to the front page kindly line up...thank you.

*SLAP*

*SLAP*

*SLAP*

*SLAP*

(etc...)

Now, don't do it again!

Unbelievably Evil (1)

dtjohnson (102237) | more than 4 years ago | (#28168511)

From TFA:

Annoyances.org, which lists various aspects of Windows that are, well, annoying, says "this update adds to Firefox one of the most dangerous vulnerabilities present in all versions of Internet Explorer: the ability for Web sites to easily and quietly install software on your PC."

This is unbelievably evil, even for Microsoft. Has Steve Ballmer lost his flippin' mind?

Re:Unbelievably Evil (0)

Anonymous Coward | more than 4 years ago | (#28168757)

The article does need some fact checking. The update is in fact uninstallable and has been for quite a while.

ClickOnce deployment (1, Informative)

Anonymous Coward | more than 4 years ago | (#28168551)

As clearly no one posting here knows anything about it here is some info:
http://msdn.microsoft.com/en-us/library/t71a733d(VS.80).aspx

These are not "web" apps, this is for deploying a client side .NET app, and keeping it updated, it is not a vulnerability.

Hooray, Thanks M$ (2, Insightful)

Co0Ps (1539395) | more than 4 years ago | (#28168555)

The fact that microsoft enabled .net support into my firefox simply can't get me upset. I'm just happy that they actually took time to code an addon for their biggest competitor. As long as the addon does something useful, why should I care? Hooray, Thanks M$.

Re:Hooray, Thanks M$ (1)

ConceptJunkie (24823) | more than 4 years ago | (#28168975)

My sarcasm meter blew a fuse on your post. The question I have is this: What does this thing do, and why would I, even in theory, want it?

Surprise sex is a nice way of saying... (1, Funny)

Anonymous Coward | more than 4 years ago | (#28168579)

rape.

--Jimmy Carr (iirc)

Grrr. (1)

apodyopsis (1048476) | more than 4 years ago | (#28168633)

Don't worry it says it only reports the installed .NET framework versions so websites can decide what version of garbage they can spew to your browser.

After all, we all know here on /. that we can trust that description implicitly given Microsoft's past history of 20 years of good karma, open and friendly practice and just nice old fashioned values.

Gah, I find the mere concept of this nauseating. It further illustrates that even now the idea of a standard web experience across operating systems and browsers is a pipe dream, because nobody codes to the lowest common denominator and the standards are too fragmented.

Not the only ones that are doing that (5, Informative)

joseprio (923259) | more than 4 years ago | (#28168635)

In my system I also have the "Java Quick Starter" (from Sun), and I already removed the Skype add-on.

As a Firefox extension developer, I've received several complaints about disappearing toolbar buttons, and the answer is always the same: check for the Skype extension that was installed without your consent, and uninstall it. Plus, navigating the browser history was a lot slower, and removing that add-on solved the problem (the Skype extension will scan the page contents to substitute phone numbers by Skype actions).

This is not limited to Firefox, as this stuff has been happening in Internet Explorer for a long, long time. Still, it would be nice if Firefox would protect its users from non-authorized extensions, warning of what was installed, and providing an easy way to uninstall/disable it.

f@ck you microsoft (0)

Anonymous Coward | more than 4 years ago | (#28168679)

this is the reason why i run on a cracked xp installation, M$ obviously doesn't deserve the consumer base they have, and I sure as hell will not let them fuck up my computer

Problem fixed. (1, Insightful)

Anonymous Coward | more than 4 years ago | (#28168745)

Ok, just checked since there was an "update", and I was able to uninstall the plug-in via the Firefox Add-On's window. Rabid /.'s can calm down now.

I don't have it (1)

Beelzebud (1361137) | more than 4 years ago | (#28168767)

I've been using Vista for a while now, and my machine is up to date, and yet I don't have this addon.

Bug in Firefox (4, Insightful)

Lord Bitman (95493) | more than 4 years ago | (#28169053)

This allows an extension to be installed:
  - Without notification
  - Without the option to "uninstall"
  - (apparently, from the article) With the ability to install more things to your PC (which I thought Extensions were forbidden to do, and only Plugins [eg: Flash] could do)

This is clearly a bug in Firefox, and a fix should be released immediately.
I'd think that firstly Firefox should default to considering the extension "unauthorized" and put up a big scary warning like "Unauthorized extension detected: An external program has installed an extension in a manner which bypasses Firefox's normal security features. It is recommended that you click "uninstall" below, unless you are absolutely sure you know what you are doing"
But there's no framework in Firefox (that I am aware of) for such an authorized/unauthorized check to be established. (It would mean defaulting everything except this Microsoft extension to "trusted")

Sounds like a move by Microsoft to say "see! Open source isn't safe! Look what we could do!" once Firefox releases a fix that says "Warning: Unauthorized extension signed by 'Microsoft Corp' detected!"
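An added audit script, not part of any comment in this thread: it lists the extensions registered machine-wide under the HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla key mentioned earlier in the thread (the "installed without notification" case raised above) and shows which accounts can write to that key. The `Firefox\Extensions` subkey and the `WOW6432Node` view are assumptions not named in the thread; the script only reads and changes nothing.

```powershell
# Added example (read-only audit, changes nothing). Run in Windows PowerShell.
$roots = @(
    'HKLM:\SOFTWARE\Mozilla',             # key named in the thread
    'HKLM:\SOFTWARE\WOW6432Node\Mozilla'  # assumption: 32-bit registry view on 64-bit Windows
) | Where-Object { Test-Path $_ }

# Rights that let a principal add or change a registration, plus the raw
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits that some ACEs carry.
$writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$writeMask   = [int]$writeRights -bor 0x50000000

$registered = @()
$writers    = @()
foreach ($root in $roots) {
    # Machine-wide extensions: value name = extension ID, value data = path on disk.
    $extKey = Join-Path $root 'Firefox\Extensions'   # assumption: not named in the thread
    if (Test-Path $extKey) {
        $key = Get-Item $extKey
        foreach ($id in $key.GetValueNames()) {
            $path = [string]$key.GetValue($id)
            $registered += New-Object psobject -Property @{
                Key = $extKey; ExtensionId = $id; Path = $path
                PathExists = ($path -and (Test-Path -LiteralPath $path))
            }
        }
    }
    # Allow ACEs on the Mozilla key that include any write-type right.
    foreach ($ace in (Get-Acl $root).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and ([int]$ace.RegistryRights -band $writeMask)) {
            $writers += New-Object psobject -Property @{
                Key = $root; Identity = $ace.IdentityReference
                Rights = $ace.RegistryRights; Inherited = $ace.IsInherited
            }
        }
    }
}

'Extensions registered machine-wide:'
$registered | Format-Table ExtensionId, Path, PathExists, Key -AutoSize
'Principals with write access to the Mozilla key:'
$writers | Format-Table Identity, Rights, Inherited, Key -AutoSize
```

Administrators and SYSTEM normally appear in the second table; entries for other accounts or groups are the ones to review.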
