Microsoft: Stop the Sneaky Firefox Sabotage!

We have all experienced software products that usefully offer to install browser tool bars and extensions which will enhance our web experience. In most cases, you can politely decline the add-on or uninstall it later (if you happened to miss the pesky 6pt opt-in box).

Unfortunately, a dangerous precedent is being set by companies surreptitiously installing Firefox add-ons. The worst culprit is Microsoft and the .NET Framework 3.5 Service Pack 1. Most people will receive SP1 as an automatic update, so there is no obvious download or installation. Behind the scenes, the update will install a Firefox add-on named the “Microsoft .NET Framework Assistant”. Microsoft — this looks bad. Very bad…

1. No information
The user is not informed about the add-on prior to, during, or after installation.

2. No authorization
The user can not decline the add-on installation.

3. No uninstallation
The add-on can not be uninstalled via the Firefox Add-on dialog. According to Brad Abrams’ blog, this was a mistake rather than a malicious choice, but it makes you wonder what other mistakes they made in the code?

[Image: Firefox .NET add-on]

(Note that Brad’s post links to a patch. Manual removal instructions are also provided, although they involve risky registry tampering.)

4. Additional security risks
The extension enables ClickOnce support. This allows additional software to be installed with minimal user intervention. One of the primary reasons users switch browsers is to avoid the malware issues that plagued IE; how many people want an add-on which circumvents Firefox security?

5. Microsoft is a competitor
At best, this is incompetence. At worst, it’s a serious conflict of interest. Although I do not believe Microsoft intended to sabotage Firefox, this add-on could do anything. Microsoft had the opportunity to make a competing browser slow, unstable, or unreliable — even if that was not their intention.

I suspect this is a case of developer naivety and can only assume the add-on bypassed quality assurance checks because few people were aware of its existence. The company has been working hard to rebuild user trust, but actions like this will not help.

Unfortunately, Microsoft is not the only offender. Take another look at the Add-on dialog above — Sun helpfully installed a “Java Quick Starter” extension with the Java VM. There was no information during installation, it could not be declined, and it can not be uninstalled from the Firefox add-on dialog (an option is hidden deep in the Java Control Panel applet – Advanced > Miscellaneous > Java Quick Starter).

Microsoft and Sun — by all means create Firefox extensions, but there is no need to be unscrupulous. Tell the user, provide opt-outs, or simply release them through the normal Mozilla channels.
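The add-ons described above were registered by an installer rather than installed from inside Firefox. As an added example (not part of the original article, and not Microsoft's or Mozilla's code), this read-only PowerShell audit lists extensions registered for Firefox through the Windows registry and separates machine-wide entries from per-user ones. The registry locations are the ones Firefox has read for installer-registered extensions; they are an assumption here, since the article does not name them.

```powershell
# Added example: read-only audit of Firefox extensions registered via the registry.
# The registry paths below are assumptions (not taken from the article).
$locations = @(
    @{ Scope = 'Machine';          Path = 'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions' },
    @{ Scope = 'Machine (32-bit)'; Path = 'HKLM:\SOFTWARE\WOW6432Node\Mozilla\Firefox\Extensions' },
    @{ Scope = 'User';             Path = 'HKCU:\SOFTWARE\Mozilla\Firefox\Extensions' }
)

$found = foreach ($loc in $locations) {
    # A missing key simply means nothing was registered at that scope.
    if (-not (Test-Path -LiteralPath $loc.Path)) { continue }

    $key = Get-Item -LiteralPath $loc.Path
    foreach ($name in $key.GetValueNames()) {
        if (-not $name) { continue }          # skip the unnamed default value

        # Value name = extension ID, value data = folder or .xpi on disk.
        $target = [string]$key.GetValue($name)
        [pscustomobject]@{
            Scope       = $loc.Scope
            ExtensionId = $name
            Target      = $target
            OnDisk      = [bool]($target -and (Test-Path -LiteralPath $target))
        }
    }
}

if (-not $found) {
    Write-Output 'No registry-registered Firefox extensions found.'
} else {
    $found | Sort-Object Scope, ExtensionId | Format-Table -AutoSize

    # Machine-scope entries apply to every user profile on the computer
    # and were written by something running with administrative rights.
    $machine = @($found | Where-Object { $_.Scope -like 'Machine*' })
    Write-Output ("{0} machine-wide and {1} per-user registration(s)." -f `
        $machine.Count, (@($found).Count - $machine.Count))
}
```

The script only reads the registry; compare its output with the Firefox Add-ons dialog to see which listed extensions arrived through an installer.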


  • Peter Osting

    I’ve noticed this addon too some time ago and it annoyed the hell out of me. With all the negative feedback about software installing things without asking in the recent years, one would think, MS wouldn’t be so ignorant.

  • http://www.bitsymphony.com Kailash Badu

    Disappointed but not surprised. Microsoft has just dug itself into a hole one more time.

  • Andrei Eftimie

    wow. and i just started to change my perspective about microsoft. Seeing them *change* (regarding Windows 7, its availability – so it could probably be tested better, its better UI and better resource management).

    I started thinking that microsoft might actually try to embrace a new way of dealing with its clients. A more transparent and client based approach to business.

    But the recent IE8 campaign (which only tries to throw dirt onto the competition) and now this (i have found myself with some add-ons for Firefox i didn’t install, and that from a Sitepoint article).

    Thank you microsoft. My recent trust gain and mouth-to-mouth publicity i have made to your new RC OS and your *new way of thinking* have suddenly disappeared.

    I may be a naive optimist (and i have been known to be called that) but i really hoped microsoft would change and stop being *bad* (at least on some points).

  • http://www.waterfallweb.net/ RockyShark

    Hmmm. While it’s right to condemn Microsoft for this (no argument there), how is it that 90% of the article is about Microsoft’s mistake, and then at the end, “oh yeah, another company did this too”.

    Balanced reporting, anyone?

  • http://pixopoint.com/ ryanhellyer

    Jeeze, that’s not cool at all.

  • http://www.dangrossman.info Dan Grossman

    This is 4 or 5 month old news, isn’t it? Has anything changed in that time?

  • OddThomas

    Yet another black mark against Microsoft – we’re running out of wall space!

  • http://www.optimalworks.net/ Craig Buckler

    @RockyShark
    Microsoft’s installation is considerably worse than Sun’s. It occurs via the Windows update, so many people will not realise an installation is even occurring. It’s also impossible to remove unless you install a patch or hack around in the registry. At least Sun provide a way to remove their add-on, even if it is well hidden.

    However, the biggest problem is this: Microsoft competes against Firefox, whereas Sun do not (if anything, Sun would prefer people to switch to Firefox). How would Microsoft react if Mozilla installed an IE add-on or OpenOffice installed a MS Office extension?

    Is it right for an OS vendor to silently alter a competing third-party application for their own commercial benefit? It may not be illegal, but it’s morally wrong and leads to further distrust of the company.

  • http://www.optimalworks.net/ Craig Buckler

    @Dan Grossman
    Yes, it was implemented a few months ago, but it appears that few people are aware of it (not surprising) and MS still have not fixed the issue via an automatic update.

    Worse, is that it’s starting a trend toward surreptitious Firefox add-on installations. If MS can get away with it, then why shouldn’t others? Add-ons are one of Firefox’s biggest strengths, but could they turn the browser into a junkware portal?

  • http://www.cemerson.co.uk Stormrider

    Microsoft had the opportunity to make a competing browser slow, unstable, or unreliable

    ..but they didn’t. What’s the problem here?

  • http://www.optimalworks.net/ Craig Buckler

    @Stormrider

    ..but they didn’t. What’s the problem here?

    Didn’t they? What happened to Firefox’s security? Will it make Firefox slower? (Undoubtedly – even if it’s imperceivable to users.)

    Bugs are another issue. MS have already admitted to mistakes with the installer, but it’s inevitable there are bugs in the add-on or that it clashes with some other extension. No matter how much testing they did, the risk of bad publicity should have been enough to make them think twice.

    Firefox is open source and MS can write whatever add-ons they like. Automatically installing them and preventing uninstallation is the real problem here.

  • http://www.cemerson.co.uk Stormrider

    MS have already admitted to mistakes with the installer, but it’s inevitable there are bugs in the add-on or that it clashes with some other extension.

    You can say the same about almost any piece of software though.

    There are plenty of other examples of this – Google search bars in internet explorer for example – I still fail to see why this is a problem – or is it just so people can have another tiresome rant about Microsoft again?

  • Alicia

    I’m not sure how I managed it but I do have the .net assistant disabled in my addons. I can’t uninstall it but at least it’s not working (or it shouldn’t be anyway) While annoying that they installed it in the first place it is able to be disabled and thus shouldn’t be working right?

  • http://xslt2processor.sourceforge.net boen_robot

    If you ask me, this is actually a Firefox issue… and one that Mozilla should be fixing (Full disclosure: I’m not a Firefox fan; I prefer Opera). Firefox should have an option whereby non-uninstallable extensions will not be loaded into the browser.

    There is also an alternative, hinted by Brad Adams’ explanation. The reason the uninstall button is grayed out is that the add-on was installed on the machine level and not the user level. Firefox should provide users with the option to uninstall machine add-ons, even if it means a UAC call, as in the case of Vista. A warning that other users will be affected would suffice. A registry entry (or something…) could be used to enable and disable this behaviour in case IT admins (or parenting control software or whatever) need to always keep some add-ons on.

    With or without these fixes, you do know these add-ons can at least be disabled, right?

  • http://xslt2processor.sourceforge.net boen_robot

    Oops… It’s Brad Abrams (Sitepoint, seriously… edit capabilities to comments are a must).

  • http://www.optimalworks.net/ Craig Buckler

    @Stormrider
    Seriously? You’re happy for Microsoft to alter software that they do not own? You’re happy that MS are competing against that product? You’re happy for them to do so without your knowledge or permission? And you’re not concerned that you can’t remove it? (It sounds more like a virus to me.) Perhaps you’ll be pleased if Mozilla replace Windows with Linux to “enhance your OS experience” during the next Firefox update?!!

    Yes, all software has bugs and IE has its fair share of sneaky add-ons. However, YOU chose to install that software, you are normally warned, and you can always uninstall it. The decision wasn’t taken out of your hands by a company that should know better.

  • http://www.optimalworks.net/ Craig Buckler

    @boen_robot
    I was thinking that too – perhaps Mozilla could restrict add-ons until they’re approved or whatever. However, it’s more difficult than it sounds. Any solution can be circumvented … especially by the company that wrote the OS!

  • http://www.cemerson.co.uk Stormrider

    Seriously? You’re happy for Microsoft to alter software that they do not own? You’re happy that MS are competing against that product? You’re happy for them to do so without your knowledge or permission? And you’re not concerned that you can’t remove it? (It sounds more like a virus to me.) Perhaps you’ll be pleased if Mozilla replace Windows with Linux to “enhance your OS experience” during the next Firefox update?!!

    Skype installs a firefox addin without asking when you install that, and that actually HAS caused problems and compatibility issues, and caused bugs in firefox to appear for both me and a friend. Why is no one complaining about that?

    It happens a lot, why pick on MS’s example, when it has been around for months now, and causes no known issues / performance degradation that anyone has picked up on?

  • roberts126

    Being a network admin I’ve run into several problems with add-ons and not just with IE or FireFox. My biggest complaint is about iTunes. I’ve had iTunes break the optical drive on computers because it changes the upper and lower filters of the drive. I’ve also seen iTunes break RPC over HTTP by installing a plugin in Outlook. This was on a user’s desktop at home. The majority of software companies do this crap. Even some hardware vendors do it. Install an HP network printer and if you’re lucky you’ll be able to shutdown your computer, if not you have to modify the startup values. I’m not being pro-Microsoft or anti-FireFox. I used to use IE all the time, with all of the security settings turned off but now I use Opera since moving more toward design and pulling my hair out getting IE to “work” with a site. In my opinion all of them have their own issues, it’s just a matter of whose issues you are able to deal with better.

  • Stevie D

    I’m with boen_robot. What is Firefox doing, allowing miscellaneous software to install non-declinable and non-installable extensions? This is a serious security breach in their browser. There is absolutely no way that I want to run a browser that allows such things to be installed when, as you say, these could then be used with malicious intent, and at the very least compromise the security of the system.

  • israelisassi

    Maybe FireFox developers could implement code to improve security by not allowing new add-ons to load until a user approves it?

  • israelisassi

    and a side note. If you don’t believe Microsoft intended to sabotage FireFox then why put it in the subject line.

  • http://xslt2processor.sourceforge.net boen_robot

    @Craig Buckler

    I was thinking that too – perhaps Mozilla could restrict add-ons until they’re approved or whatever. However, it’s more difficult than it sounds. Any solution can be circumvented … especially by the company that wrote the OS!

    True. Any solution for installing add-ons can be circumvented, since installers, by definition, have administrative rights. That’s why I’d prefer if there are always ways to uninstall add-ons. Ways that are part of Firefox’s core (and are thus not circumventable, or at least not as easily). Right now, it appears all user-level extensions can be uninstalled, but no machine-level extensions can (even if Firefox is elevated… I just tried that). Firefox should try to make all extensions uninstallable, even if it would mean requesting elevation in order to do so.

  • wwb_99

    On security–you don’t understand click once. It was designed when it was clear activeX was a nightmare and does not have the same issues. You need to either trust the source via PKI or explicitly allow for it to install. Moreover, it is a .NET only feature and the applications that run in the browser are very sandboxed, unlike their COM predecessors.

    Also, let’s look at the flip side here–Microsoft is desperately trying to support alternative browsers vis-a-vis their flagship technology rather than requiring anyone to use IE to take advantage of the technology.

  • TheBuzzSaw

    OK, everyone, please stop referring to Microsoft as a plural entity. I know grammar nazis are annoying, but it’s getting old seeing people say, “Microsoft are a bad company.” Microsoft is a bad company. In English, a group of any kind is still a singular entity in terms of how it fits into grammar rules. The main article has no excuse. It should state, “Microsoft is a competitor.”

  • http://www.optimalworks.net/ Craig Buckler

    Grammar noted and fixed.

  • Ketira

    Check your Windows Update – I got the uninstall for this in today’s packet. So now y’all can’t say that there’s no uninstall for this plug-in.

  • EvanKroske

    Skype installs a firefox addin without asking when you install that, and that actually HAS caused problems and compatibility issues, and caused bugs in firefox to appear for both me and a friend. Why is no one complaining about that?

    It happens a lot, why pick on MS’s example, when it has been around for months now, and causes no known issues / performance degradation that anyone has picked up on?

    You chose to install Skype, didn’t you? It didn’t just magically appear on your hard drive. However, Microsoft did automatically install this add-on to everybody who had Firefox installed and automatic updates turned on.

    The reason that Sitepoint is commenting on this particular add-on is that it was installed covertly by a competing company. In addition, Microsoft, the competing company, is notorious for the gaping holes in their browsers’ security. In fact, the “feature” that the .NET add-on adds is one of the primary reasons that IE is so unsafe.

  • Anonymous

    I was wondering what was up with firefox after I installed sp1. I thought microsoft might have had something to do with firefox now being unstable because firefox has been stable for me since I started using it a few years ago up until this incident. But this is proof in my assumption being correct.

  • secoif

    @EvanKroske and what feature is that?

  • http://www.brianswebdesign.com skunkbad

    Why would MS do such a thing? It is very odd. Firefox is definitely a competitor of IE, and it looks really bad for them to install the Firefox extension, even if it now has an uninstall. What were they hoping to achieve?

  • http://www.optimalworks.net/ Craig Buckler

    @Ketira
    Have MS released the fix as an automatic update? I haven’t received it myself, but that’s very interesting … and about time.

  • http://logicearth.wordpress.com logic_earth

    @Craig Buckler, the update makes the extension uninstallable through Firefox. That’s all it really did.

  • http://xslt2processor.sourceforge.net boen_robot

    @Craig Buckler

    Have MS released the fix as an automatic update?

    Yep. I can confirm that. I received it yesterday, shortly before my last post. I noticed it after it though. Note that I have Windows Vista, so there may be different schedules for Windows XP’s automatic updates. Also, unless you go to “http://update.microsoft.com/”, you’ll have to wait until your Windows copy decides to check for updates, which may take a while, depending on your last check.

  • http://www.optimalworks.net/ Craig Buckler

    I’m not aware of it in the last Vista update, so perhaps it’ll turn up next Tuesday? It’s probably a co-incidence … or perhaps someone at Microsoft is reading SitePoint?!!

    I still think they should either remove the add-on altogether or give users the option to install/reject it. Even an alert message would help.

    Anyway, well done Microsoft. You may have made the mess in the first place, but at least you’ve attempted to clear it up.

  • Biju

    People need something to spread ill about Microsoft…

  • http://www.dangrossman.info Dan Grossman

    @Craig: The update came out a few days ago, and it would’ve been in the pipeline for weeks at minimum, so no, it’s not because of this post ;)

    It’s part of the latest update to the .NET framework, with important priority so it’s an auto-install like the update that added the extension was.

    Specifically, it reinstalls the Firefox addon in user mode instead of machine mode, so the uninstall button becomes available as a side-effect.

  • http://www.optimalworks.net/ Craig Buckler

    @Dan Grossman
    Thanks for the information. (I wasn’t serious about MS reading this article, but they’ve been slammed for it so it doesn’t surprise me that a patch has been released).

    I’ve already applied the downloadable patch which makes the add-on removable. Let’s hope the new update doesn’t add it back again!

  • adimauro

    There is such a strong anti-Microsoft feeling running around SitePoint, that’s not a surprise. But, this article is quite biased. Big letters ‘MICROSOFT STOP YOUR SABOTAGE!’ and then you sneak in at the end…oh, by the way, Sun is doing the same thing. Why no Sun bashing, too? After all, the MS add-on has an option to inform you before it does anything. No options at all in the Sun add-on.

    It’s not that I’m some big Microsoft supporter, or anything, but the extremely biased comments and articles here have really turned me off to SitePoint. I think I’m going to move on to other blogs…where things can be more openly discussed without all the negativity. After all, MOST companies have done bad things over the years, but it seems that bashing Microsoft, even if they do something right, is the fashion these days.

  • http://www.optimalworks.net/ Craig Buckler

    @adimauro
    There are very good reasons why Microsoft’s add-on is far worse than Sun’s. Read through the comments, especially here.

    I don’t know of anyone at SitePoint who’s anti-Microsoft for the sake of it. Many articles feature MS in a positive light, e.g. the majority supported MS’s stance on removing IE from Windows 7 in Europe.

    However, in this instance, Microsoft made a very naive decision which I suspect they regret (they wouldn’t have issued a patch otherwise).

  • http://www.brothercake.com/ brothercake

    naive decision? More like they thought they’d get away with it but didn’t.

    Stuff like this is institutional at Microsoft – like racism in the police – and it’s never gonna change while Steve Ballmer is there.

  • http://www.geoffrey.com.au Objectman

    Oh for God’s sake. The whole world is going pull marketing and these guys are putting even more oomph into “pushing”.

    Idiots.

  • Midna

    I have the Microsoft .NET Framework assistance 1.0 and the Java Quick Starter 1.0 and was also wondering how they got there. Does Firefox have a patch to keep it from installing yet?

    Also, many times my browser runs really slow (like dial-up slow or slower) and I’m on high-speed internet. Could these addons be the cause of it?