posted by Thom Holwerda on Thu 10th Jun 2010 00:08 UTC
It's late here, but we're having election night, and the two leading parties are currently tied seat-wise, with a 10000-vote difference. Anyway, it gives me some time to cover a major problem: Microsoft is at it again. The company has pushed an update through Windows Update which silently, without user consent, installs two browser extensions - one for Internet Explorer, and one for Firefox.

Ars Technica has done the legwork here, and it's actually pretty bad. This Tuesday, Redmond pushed out its usual batch of updates, and one of them relates to the Windows Live Toolbar, MSN Toolbar, and Bing Bar. Without asking the user, and without any indication, the update in question, KB982217, installs two browser extensions - one for Internet Explorer, one for Firefox.

Since the update is related to these search toolbars (the MSN and Live ones are superseded by the Bing Toolbar), it's safe to assume affected users have one of these toolbars installed. They are available for both Internet Explorer and Firefox, so it makes sense that only these two are affected. Ars did some digging:

Since we could not find any official documentation from Microsoft, we checked the actual IE add-on and Firefox extension. Unfortunately, they were not terribly helpful; all we discovered was that the IE add-on is at version 3.0.126.0, so it has been around for a while, and that the Firefox extension is at version 1.0, so it's likely it was only released now. Both seem to be installed in "C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper." Inside, there is a file called "SEPsearchhelperie.dll" that is responsible for the IE add-on and a "firefoxextension" folder responsible for Firefox.

Ars installed the update on a test system where the Windows Live Toolbar was installed for Internet Explorer only - yet, the Firefox extension was installed as well. This is very troubling, and as you can imagine, Firefox users are not particularly amused, nor is Mozilla. "We're in contact with Microsoft, and are looking into it," a Mozilla spokesperson told Ars Technica, "As far as we know at this time, there are no security implications to this add-on's background installation."

Security issue or no, this is troubling on so many levels. First, an update description should properly list what is being altered and/or added to the system. Second, Firefox is not a Microsoft product, and is not updated via Windows Update, and as such, should not be tampered with. Third, if any of the toolbars in question is not installed for Firefox, the extensions should not be installed. Fourth, this is my computer. Just as much as I dislike Apple for pretending my iPhone is actually theirs, I dislike Microsoft for thinking my computer is theirs (okay I'm actually not affected - I use Linux).

Microsoft needs to act quickly on this one, because this is totally unacceptable.
