Linked by Thom Holwerda on Mon 1st Jun 2009 11:04 UTC, submitted by Rahul
.NET (dotGNU too) Microsoft is really making it hard not to distrust them, aren't they? We already talked about Mono and Moonlight this weekend, and now we're notified of something else. Apparently, the Microsoft .NET Framework 3.5 Service Pack 1, released earlier this year, installs a Firefox extension which could not be uninstalled easily (registry hacking was needed). To make matters worse, this extension came with a pretty big security hole (at least, that's what everyone says). A newer version of this extension has been pushed out in May, which can be uninstalled the proper way. As it turns out, Firefox apparently has a limitation in that extensions installed at the machine level (instead of the user level) cannot be uninstalled from within the extensions GUI.
Thread beginning with comment 366479
To read all comments associated with this story, please click here.
Problem here is
by Nelson on Mon 1st Jun 2009 13:43 UTC
Nelson
Member since:
2005-11-29

..people have no idea what ClickOnce is.

http://www.ddj.com/security/196801171
ClickOnce deployment is designed from the ground up to be a limited user deployment mechanism, and it has various security features in place to ensure a trustworthy deployment.

While I think that installing the Add-On at the system level instead of the user level is a bad idea (That has since been addressed), the practice of shipping and installing extensions without consent is not one limited solely to Microsoft.

Firefox stores extensions in a user folder, a malicious user could do way more harm than simply installing a few extensions, if they wanted to.

Reply Score: 3

RE: Problem here is
by Jemm on Thu 4th Jun 2009 11:36 in reply to "Problem here is"
Jemm Member since:
2005-07-25

By the way, Google Chrome uses Click Once to install on Windows (at least when downloaded with IE). The installation is very smooth and auto-updates work in the background.

The Firefox add-on just tries to make it as smooth for Firefox-users, too.

I agree that the .NET 3.5 SP1 -setup should have asked about installing the add-on, though.

Reply Parent Score: 1