Microsoft installs Firefox extension without asking

The Firefox Add-ons panel shows the Unistall option for the Microsoft .NET Framework Assistant add-on greyed out. The .NET Framework 3.5 Service Pack 1, pushed out by Windows Update earlier this year, installs the .NET Framework Assistant extension for Mozilla's Firefox web browser without asking the user for authorisation. The "Microsoft .NET Framework Assistant" add-on uses ClickOnce technology to allow users to install Windows applications by clicking a link in a web page. A number of people have raised concerns over the security of the technology, objected to the fact that the Service Pack installs the extension without asking and complained that once installed, the Uninstall button in the Firefox Add-on panel is greyed-out and the extension cannot easily be uninstalled (although it can be disabled).

Normally, uninstalling a Firefox extension would be a simple task, however, the extension is installed using functionality that allows applications to install extensions by modifying the registry, which makes it difficult to uninstall. Initially, the extension could only be removed by modifying the Windows registry, reseting changes made to the Firefox user agent and removing the .NET Framework extension files. Microsoft has now issued a fix which allows the Uninstall button in the Firefox Add-ons list to function properly.

A recent post by Brian Krebs of The Washington Post sparked discussions about the trust that users place in Microsoft by enabling automatic updates. By installing an extension without asking the user for authorisation, Microsoft risks undermining any confidence that users place in security updates. This leads users to wonder what else Microsoft might install without their knowledge and brings into question how much control users actually have over their own systems, should they allow the automatic updates to run.

(crve)