  Microsoft Update Sneaks In Security Vulnerability - As A Firefox Extension!
« on: May 30, 2009, 04:35:15 AM » by Cináed



From: Brian Krebs Security Fix Column in The Washington Post

A routine security update for a Microsoft Windows component installed on tens of millions of computers has quietly installed an extra add-on for an untold number of users surfing the Web with Mozilla's Firefox Web browser.

Earlier this year, Microsoft shipped a bundle of updates known as a "service pack" for a programming platform called the Microsoft .NET Framework, which Microsoft and plenty of third-party developers use to run a variety of interactive programs on Windows.

...

I'm here to report a small side effect from installing this service pack that I was not aware of until just a few days ago: Apparently, the .NET update automatically installs its own Firefox add-on that is difficult -- if not dangerous -- to remove, once installed.



From: Annoyances.org

The Microsoft .NET Framework 3.5 Service Pack 1 update, pushed through the Windows Update service to all recent editions of Windows in February 2009, installs the Microsoft .NET Framework Assistant Firefox extension without asking your permission.

This update adds to Firefox one of the most dangerous vulnerabilities present in all versions of Internet Explorer: the ability for websites to easily and quietly install software on your PC. Since this design flaw is one of the reasons you may have originally chosen to abandon IE in favor of a safer browser like Firefox, you may wish to remove this extension with all due haste.

Clicking on Annoyances.org will take you to a page where it shows the complex and dangerous (if you don't know what you're doing) Registry change, which is the only way to get rid of this new security vulnerability, secretly provided to you by your caring friends at Microsoft.


« Last Edit: June 03, 2009, 05:28:45 PM by Cináed »

America's health care system is neither healthy, caring, nor a system.
~ Walter Cronkite

  Re: Microsoft Update Sneaks In Security Vulnerability - As A Firefox Extension!
« Reply #1 on: May 30, 2009, 07:35:20 AM » by ECA
ISN'T this illegal?? Or is it covered in the MS EULA, that MS can augment/change ANY program that is used in their OS?

If all the world is a stage, I am the target of tomatoes and fresh fruit.
Hemorrhoids Unite, the first arsehole to raise his hand is president.

  Re: Microsoft Update Sneaks In Security Vulnerability - As A Firefox Extension!
« Reply #2 on: May 30, 2009, 07:45:20 AM » by Jay
> ISN'T this illegal?? Or is it covered in the MS EULA, that MS can augment/change ANY program that is used in their OS?

I would imagine it is in the EULA that they can update without notice, and I don't doubt they didn't give any notice because corporations don't use Firefox so it won't hurt them... meanwhile I am on 3.5 Beta 4 and the extension is not installed on my system.


Hi-C said the blind man as he sipped the drink. Never take a man's statement too seriously all the time.

  Re: Microsoft Update Sneaks In Security Vulnerability - As A Firefox Extension!
« Reply #3 on: May 30, 2009, 01:18:35 PM » by KD Martin
Thanks, Cináed, for pointing this out. Those slimebuckets. And it's gonna cost me a regedit? Big deal, but it still makes me mad they grayed out the uninstall button. Jerks.



  Re: Microsoft Update Sneaks In Security Vulnerability - As A Firefox Extension!
« Reply #4 on: May 30, 2009, 02:28:35 PM » by Cináed
> Thanks, Cináed, for pointing this out. Those slimebuckets. And it's gonna cost me a regedit? Big deal, but it still makes me mad they grayed out the uninstall button. Jerks.

It's my mistake for not highlighting it somehow, but Mr. Krebs mentions in his article of yesterday that this is something he - and apparently a LOT of other people, including me - missed a while ago. It's all true and valid and people should clean up their Firefox, but apparently one of Microsoft's recent security updates un-grayed-out the Uninstall button and it can now be uninstalled without diving into the Registry. It also didn't work on the newest Beta versions of Firefox.

I don't feel too bad about missing this originally, not when the techie expert at The Washington Post also missed it. Still, I wonder HOW I could have missed it...


« Last Edit: May 31, 2009, 05:56:14 AM by Cináed »

America's health care system is neither healthy, caring, nor a system.
~ Walter Cronkite

  Re: Microsoft Update Sneaks In Security Vulnerability - As A Firefox Extension!
« Reply #5 on: May 30, 2009, 08:13:22 PM » by hhopper


Luckily, that wasn't installed on my system.



“The problem with the world is that everyone is a few drinks behind.” –Humphrey Bogart
