OSNews:

OSNews: http://www.osnews.com/story/21591/Removing_NET_ClickOnce_Support_from_Firefox Exploring the Future of Computing en-us Copyright 2001-2013, David Adams adam+nospam@osnews.com Fri, 24 May 2013 21:48:47 GMT http://www.osnews.com/images/osnews.gif OSNews.com http://www.osnews.com Disable instead of remove? http://www.osnews.com/thread?366442 http://www.osnews.com/thread?366442 It seems to be possible to disable the extension instead of removing it. Assuming this disable button actually works. Mon, 01 Jun 2009 11:25:00 GMT donotreply@osnews.com (fkooman) Comments Comment by aacs http://www.osnews.com/thread?366447 http://www.osnews.com/thread?366447 This must be the plugin that got installed when I wanted to try VS2008 Express. While at it, the installer hosed all of my Firefox configuration resetting back to defaults. Not so nice. Mon, 01 Jun 2009 11:39:00 GMT donotreply@osnews.com (aacs) Comments Thom sounds like a fanboy http://www.osnews.com/thread?366448 http://www.osnews.com/thread?366448 Pushing unwanted extensions down FF users throat is great? Nothing malicious?

Not in my book.

I don`t want .NET and most FF users probably feel the same way. MS just wants more FF exploits. Mon, 01 Jun 2009 11:42:00 GMT donotreply@osnews.com (kragil) Comments .NET logo http://www.osnews.com/thread?366449 http://www.osnews.com/thread?366449 Maybe a bit off-topic, but the .NET-logo you show in the top right corner is the old .NET-logo. Maybe you should replace it with the new .NET-logo that was introduced last year: http://www.hanselman.com/blog/PDC2008NewNETLogo.aspx Mon, 01 Jun 2009 11:49:00 GMT donotreply@osnews.com (TommyCarlier) Comments Pretty scary http://www.osnews.com/thread?366453 http://www.osnews.com/thread?366453 I didn't know why there was that extension listed in Firefox. I use Firefox to test web sites and to use Firebug. I'm glad I don't have that problem in Opera, my default browser. Mon, 01 Jun 2009 12:00:00 GMT donotreply@osnews.com (Liquidator) Comments RE: Thom sounds like a fanboy http://www.osnews.com/thread?366457 http://www.osnews.com/thread?366457 Don't distort what I say to make it fit your own agenda. Where do I say that pushing Firefox extensions without consent is "great"?

It's great that Microsoft is supporting Firefox users, but it does seem like they still have some learning to do here. I don't believe there's anything malicious going on here, but it still would be better to at least ask for the user's permission, but preferably, to just put the extension on Mozilla's website.

Mon, 01 Jun 2009 12:14:00 GMT donotreply@osnews.com (Thom_Holwerda) Comments RE: Disable instead of remove? http://www.osnews.com/thread?366462 http://www.osnews.com/thread?366462 Well even so, you should be able to remove it totally since why should it be there if you don't want it in the first place?

As for the title blurb of -"As it turns out, Firefox apparently has a limitation in that extensions installed at the machine level (instead of the user level) cannot be uninstalled from within the extensions GUI."

Ehh... the way I see it this has to do with file ownership and account privileges. Installing NET requires admin rights and as such any Firefox extensions installed by that NET package will be created by the admin account and thus the resulting files will be owned by the admin and not removeable by Firefox when running under a limited account. Mon, 01 Jun 2009 12:26:00 GMT donotreply@osnews.com (Valhalla) Comments Yet another CFAA violation http://www.osnews.com/thread?366467 http://www.osnews.com/thread?366467 As I read the Act, this is a clear violation of the Computer Fraud and Abuse Act--
yet another major violation (recalling Sony).

Someone should be doing jail time. This should not be just swept under
the rug as "corporations will be corporations."

DISCLAIMER: I am a 56-year-old Ph.D. software systems architect.
My experience has led me to have strong opinions. Mon, 01 Jun 2009 12:40:00 GMT donotreply@osnews.com (cjcoats) Comments RE[2]: Disable instead of remove? http://www.osnews.com/thread?366469 http://www.osnews.com/thread?366469

Ehh... the way I see it this has to do with file ownership and account privileges. Installing NET requires admin rights and as such any Firefox extensions installed by that NET package will be created by the admin account and thus the resulting files will be owned by the admin and not removeable by Firefox when running under a limited account.

...in which case Firefox should notify you of this, and offer an elevation prompt - which it doesn't. Hence, a limitation in Firefox. Mon, 01 Jun 2009 12:44:00 GMT donotreply@osnews.com (Thom_Holwerda) Comments an often requested feature? http://www.osnews.com/thread?366470 http://www.osnews.com/thread?366470 Why would anyone request such a feature?
I haven't a clue about what it does and disabled it.

Features I could request are maybe a silverlight plugin and linux drivers for an microsoft webcam. Mon, 01 Jun 2009 12:45:00 GMT donotreply@osnews.com (gfx1) Comments RE: .NET logo http://www.osnews.com/thread?366471 http://www.osnews.com/thread?366471

Maybe a bit off-topic, but the .NET-logo you show in the top right corner is the old .NET-logo. Maybe you should replace it with the new .NET-logo that was introduced last year: http://www.hanselman.com/blog/PDC2008NewNETLogo.aspx

Thanks, updated the logo. Shift+refresh your browsers. Mon, 01 Jun 2009 12:46:00 GMT donotreply@osnews.com (Thom_Holwerda) Comments A Flawed But Useful Feature http://www.osnews.com/thread?366472 http://www.osnews.com/thread?366472 I agree that it is admirable to see Microsoft recognising another major player in the browser market. A feature like this can be quite useful for deploying .Net software easily in much the same way as Java Web Start. It's unfortunate that the initial deployment was flawed, but at least this has been rectified now.

By the wayâ"

I could not find any information on the security hole which would allow silent installs, so if anyone has any information on that, let us know.

Is it too much to ask to do some research first before submitting your stories? You shouldn't make claims like this and expect people to do the work to back up your statements for you. Mon, 01 Jun 2009 12:50:00 GMT donotreply@osnews.com (testman) Comments RE[2]: Thom sounds like a fanboy http://www.osnews.com/thread?366478 http://www.osnews.com/thread?366478 OK, but calling this malware attack "supporting Firefox" is just as bad. Mon, 01 Jun 2009 13:43:00 GMT donotreply@osnews.com (kragil) Comments Problem here is http://www.osnews.com/thread?366479 http://www.osnews.com/thread?366479 ..people have no idea what ClickOnce is.

http://www.ddj.com/security/196801171
ClickOnce deployment is designed from the ground up to be a limited user deployment mechanism, and it has various security features in place to ensure a trustworthy deployment.

While I think that installing the Add-On at the system level instead of the user level is a bad idea (That has since been addressed), the practice of shipping and installing extensions without consent is not one limited solely to Microsoft.

Firefox stores extensions in a user folder, a malicious user could do way more harm than simply installing a few extensions, if they wanted to. Mon, 01 Jun 2009 13:43:00 GMT donotreply@osnews.com (Nelson) Comments Cnuts http://www.osnews.com/thread?366496 http://www.osnews.com/thread?366496 That is all Mon, 01 Jun 2009 14:50:00 GMT donotreply@osnews.com (B12 Simon) Comments RE[3]: Thom sounds like a fanboy http://www.osnews.com/thread?366499 http://www.osnews.com/thread?366499 Malware attack?
How is this malicious software?

It's not Thom who needs to rethink his choice of words, it's you. Mon, 01 Jun 2009 15:10:00 GMT donotreply@osnews.com (gedmurphy) Comments RE[4]: Thom sounds like a fanboy http://www.osnews.com/thread?366522 http://www.osnews.com/thread?366522 The Linux community considers Microsoft software as malware. Mon, 01 Jun 2009 16:55:00 GMT donotreply@osnews.com (Liquidator) Comments RE[5]: Thom sounds like a fanboy http://www.osnews.com/thread?366526 http://www.osnews.com/thread?366526 Those little rabid dogs, those Linux users

Mon, 01 Jun 2009 17:38:00 GMT donotreply@osnews.com (Novan_Leon) Comments RE[4]: Thom sounds like a fanboy http://www.osnews.com/thread?366536 http://www.osnews.com/thread?366536

Malware attack?
How is this malicious software?

It's not Thom who needs to rethink his choice of words, it's you.

ok call it software that install without user permission... but as they say.. the road to hell is paved with good intentions. It was not malicious per se but open the door to others.

I installed .NET but would have never agree to that extension (it happens that I saw it this morning - before this news and uninstall it right away) Mon, 01 Jun 2009 18:37:00 GMT donotreply@osnews.com (Ikshaar) Comments RE[5]: Thom sounds like a fanboy http://www.osnews.com/thread?366543 http://www.osnews.com/thread?366543 The real question is, why doesn't Firefox prevent this kind of behavior? I noticed that AVG was doing the same thing in order to install browser extensions (which slowed web surfing down to a crawl), which is one of the reasons I stopped using it.

The ONLY way you should be able to install extensions is through the browser itself. I'm not excusing the behavior of MS or anybody else who does this, but the fact that programs are able to do it in the first place is a security flaw in Firefox as far as I'm concerned. Mon, 01 Jun 2009 18:57:00 GMT donotreply@osnews.com (WorknMan) Comments RE[6]: Thom sounds like a fanboy http://www.osnews.com/thread?366576 http://www.osnews.com/thread?366576

The real question is, why doesn't Firefox prevent this kind of behavior?

How *can* Firefox prevent it? How can Firefox distinguish between an extension installed through the Firefox interface, and an extension installed through something writing the exact same content to disk? Mon, 01 Jun 2009 22:37:00 GMT donotreply@osnews.com (Delgarde) Comments Requested by developers http://www.osnews.com/thread?366582 http://www.osnews.com/thread?366582 .net developers wanted this feature so they could deploy their .net applications more conveniently. Mon, 01 Jun 2009 23:26:00 GMT donotreply@osnews.com (contextfree) Comments RE[7]: Thom sounds like a fanboy http://www.osnews.com/thread?366591 http://www.osnews.com/thread?366591

I don't know? Perhaps it could have a list of installed extensions in a file that was encrypted, so that outside apps couldn't write to it? Of course, it might get corrupted, but hey... there are smarter people than me to figure these things out

Tue, 02 Jun 2009 00:09:00 GMT donotreply@osnews.com (WorknMan) Comments useragent http://www.osnews.com/thread?366610 http://www.osnews.com/thread?366610 right, so I might eat the all-users installation required. However it also changes the UserAgent to spam all the .net platforms installed for each request. There is absolutely NO reason to do this.
Next they'll be sending along your version of office and whatever they feel they need to send along

Microsoft ARE abusing their rights when installing .net 3.5 - so dont. Tue, 02 Jun 2009 04:24:00 GMT donotreply@osnews.com (Matzon) Comments RE[8]: Thom sounds like a fanboy http://www.osnews.com/thread?366645 http://www.osnews.com/thread?366645 So let me get this straight. An Microsoft installer inserts an unwanted firefox extension which is also a security hole and it's firefox that should "protect" against it?

Yeah right, why don't we tell application programmers to "protect" against malware abusing their programs via OS security holes huh?

Seriously Thom? Wtf is this? It's an obvious move by Microsoft and you're defending them? Tue, 02 Jun 2009 14:06:00 GMT donotreply@osnews.com (Almindor) Comments Old news http://www.osnews.com/thread?366665 http://www.osnews.com/thread?366665 It is not unusual to have software that is impossible (or partly possible) to uninstall on Windows. Windows users should have got used to it by now.

After installing Microsoft Office, Outlook Express, NET framework itself, for example, the system is hardly possible or impossible to revert to previous state. You've got those, so called, "components" embedded, and can't get rid of them without reinstalling the whole system. Tue, 02 Jun 2009 17:58:00 GMT donotreply@osnews.com (trenchsol) Comments RE[3]: Disable instead of remove? http://www.osnews.com/thread?366724 http://www.osnews.com/thread?366724

And thus you enter into the realm of Kaiwai's argument as to why multi platform applications suck when there is an attempt to try and cater for every platform with no effort to customising each release for each platform - you have the worst of all worlds. Wed, 03 Jun 2009 05:24:00 GMT donotreply@osnews.com (kaiwai) Comments RE: Problem here is http://www.osnews.com/thread?366985 http://www.osnews.com/thread?366985 By the way, Google Chrome uses Click Once to install on Windows (at least when downloaded with IE). The installation is very smooth and auto-updates work in the background.

The Firefox add-on just tries to make it as smooth for Firefox-users, too.

I agree that the .NET 3.5 SP1 -setup should have asked about installing the add-on, though. Thu, 04 Jun 2009 11:36:00 GMT donotreply@osnews.com (Jemm) Comments