Microsoft: Stop the Sneaky Firefox Sabotage!

Craig Buckler

Sneaky Firefox add-onsWe have all experienced software products that usefully offer to install browser tool bars and extensions which will enhance our web experience. In most cases, you can politely decline the add-on or uninstall it later (if you happened to miss the pesky 6pt opt-in box).

Unfortunately, a dangerous precedent is being set by companies surreptitiously installing Firefox add-ons. The worst culprit is Microsoft and the .NET Framework 3.5 Service Pack 1. Most people will receive SP1 as an automatic update, so there is no obvious download or installation. Behind the scenes, the update will install a Firefox add-on named the “Microsoft .NET Framework Assistant”. Microsoft — this looks bad. Very bad…

1. No information
The user is not informed about the add-on prior to, during, or after installation.

2. No authorization
The user can not decline the add-on installation.

3. No uninstallation
The add-on can not be uninstalled via the Firefox Add-on dialog. According to Brad Abrams’ blog, this was a mistake rather than a malicious choice, but it makes you wonder what other mistakes they made in the code? download movies

Firefox .NET add-on

(Note that Brad’s post links to a patch. Manual removal instructions are also provided, although it involves risky registry tampering.)

4. Additional security risks
The extension enables ClickOnce support. This allows additional software to be installed with minimal user intervention. One of the primary reasons users switch browsers is to avoid the malware issues that plagued IE; how many people want an add-on which circumvents Firefox security?

5. Microsoft is a competitor
At best, this is incompetence. At worst, it’s a serious conflict of interest. Although I do not believe Microsoft intended to sabotage Firefox, this add-on could do anything. Microsoft had the opportunity to make a competing browser slow, unstable, or unreliable — even if that was not their intention.

I suspect this is a case of developer naivety and can only assume the add-on bypassed quality assurance checks because few people were aware of its existence. The company has been working hard to rebuild user trust, but actions like this will not help.

Unfortunately, Microsoft is not the only offender. Take another look at the Add-on dialog above — Sun helpfully installed a “Java Quick Starter” extension with the Java VM. There was no information during installation, it could not be declined, and it can not be uninstalled from the Firefox add-on dialog (an option is hidden deep in the Java Control Panel applet – Advanced > Miscellaneous > Java Quick Starter).

Microsoft and Sun — by all means create Firefox extensions, but there is no need to be unscrupulous. Tell the user, provide opt-outs, or simply release them through the normal Mozilla channels.

See also: What is a Web Browser? No One Knows!