Odd, isn't it, how Microsoft kicked up a fuss when Google announced the Chrome plugin for Internet Explorer on the grounds that it could make the browser more insecure? Indeed, it went as far as to suggest that it doubled the potential surface area for malware and scripted attacks. Yet, amazingly, Microsoft sees no such problem with installing a plugin into the Firefox browser. What's more, it is installed without asking the permission of the user and, he says with more than a hint of irony, it left Firefox vulnerable to a drive-by exploit.

This is nothing new, as those with a memory for such underhand shenanigans will recall: Microsoft started 'silently' installing a .NET Framework Assistant extension for Firefox users earlier in the year. The sting at the time was that it could not be uninstalled, and when an uninstall option was provided (after much media attention) it managed to break some other Firefox extension during the uninstall process.

So imagine the surprise when numerous Firefox users were presented with an 'Add-ons may be causing problems' popup when they had not added any new extensions. That popup quickly explained what was going on (see screenshot), determining that the Microsoft .NET Framework Assistant 1.1 may be "unstable or insecure". Given the option to restart Firefox so that the add-on could be disabled, most punters would, I suspect, jump at the chance.

People have a right to be angry both at Microsoft, for plugging something into a non-Microsoft browser client which could impact upon the security of that client (and doing so without their knowledge or prior consent, I might add), and at Firefox, for allowing this silent installation in the first place.

But why the fuss now, when this plugin was pushed out some months back? Well, it all boils down to the recent big Patch Tuesday rollout from Microsoft. On Tuesday Microsoft warned that unless Firefox users had installed the appropriate Internet Explorer patch, they would be vulnerable to an exploit enabled by a .NET Framework Assistant extension bug. Microsoft stated that installing Tuesday's MS09-054 patch protected all users from the exploit, no matter the attack vector, including Firefox users.

Mozilla responded, quite correctly, by telling Microsoft to Firefox off. It automatically turned on a system to block the extension for all Firefox users. Mike Shaver, Vice President of Engineering with Mozilla, explains: "Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism. Microsoft agreed with the plan, and we put the blocklist entry live immediately."

The thing is, if you silently or stealthily install software which impacts upon the security of the user, without that user's knowledge or prior consent, isn't that called malware?

About the Author

A freelance technology journalist for 30 years, I have been a Contributing Editor at PC Pro (one of the best selling computer magazines in the UK) for most of them. As well as currently contributing to Forbes.com, The Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Digital Health, IT Pro and Infosecurity Magazine, I am also something of a prolific author. My last book, Being Virtual: Who You Really are Online, was published in 2008 as part of the Science Museum TechKnow Series by John Wiley & Sons. I am also the only three times winner (2006, 2008, 2010) of the BT Information Security Journalist of the Year title, and was humbled to be presented with the ‘Enigma Award’ for a ‘lifetime contribution to information security journalism’ in 2011 despite my life being far from over...

So that's what it was. I received the same message after the update this week and was surprised to see an add-on I hadn't installed myself.

You most certainly are not alone in being surprised, my friend.

Trust not Microsoft, ye who yearn to be free (of defects).

Interesting reading, happygeek.

I happened to run across this the other day:

Add-ons Blocklist
This page lists blocklisted add-ons that should no longer be used with Mozilla products.

https://www.mozilla.com/en-US/blocklist/

And this is a "fix": "Remove the Microsoft .NET Framework Assistant (ClickOnce) Firefox Extension"

http://www.annoyances.org/exec/show/article08-600

I agree with EddieC!!!!