Microsoft is really making it hard not to distrust them, aren’t they? We already talked about Mono and Moonlight this weekend, and now we’re notified of something else. Apparently, the Microsoft .NET Framework 3.5 Service Pack 1, released earlier this year, installs a Firefox extension which could not be uninstalled easily (registry hacking was needed). To make matters worse, this extension came with a pretty big security hole (at least, that’s what everyone says). A newer version of this extension has been pushed out in May, which can be uninstalled the proper way. As it turns out, Firefox apparently has a limitation in that extensions installed at the machine level (instead of the user level) cannot be uninstalled from within the extensions GUI.
The situation was already discovered in February of this year, by Annoyences.org. The extension, called the Microsoft .NET Framework Assistant 1.0, is installed without asking the user for permission, and includes a fairly hefty security flaw also present in Internet Explorer. “This update adds to Firefox one of the most dangerous vulnerabilities present in all versions of Internet Explorer: the ability for websites to easily and quietly install software on your PC,” Annoyances.org writes, “Since this design flaw is one of the reasons you may’ve originally choosen to abandon IE in favor of a safer browser like Firefox, you may wish to remove this extension with all due haste.”
This extension enables support for ClickOnce for Firefox users, a feature that enables .NET applications to be installed with – you guessed it! – one click. I could not find any information on the security hole which would allow silent installs, so if anyone has any information on that, let us know.
Microsoft claims that this was an oft-requested feature, and as such, they wrote an extension for Firefox to support it. However, they made the extension install itself at “machine level” to enable support for all users, and this revealed a limitation in Firefox: extensions installed at that level cannot be uninstalled from within the extensions GUI. I guess Firefox does not have a privilege elevation GUI.
Microsoft has since updated the extension to work on a per-user basis via an update to the Microsoft .NET Framework Assistant 1.0, meaning the extension can now be uninstalled the normal way. If you still have the old version installed, and do not wish to update to the new version just to uninstall the extension, uninstall instructions are here.
It’s great that Microsoft is supporting Firefox users, but it does seem like they still have some learning to do here. I don’t believe there’s anything malicious going on here, but it still would be better to at least ask for the user’s permission, but preferably, to just put the extension on Mozilla’s website.