Microsoft must stop silently installing browser plugins
Posted on 9 Feb 2010 at 14:50
Davey Winder takes Microsoft to task for installing unwanted plugins on people's browsers
I’m not happy with Microsoft's security when it comes to browser plugins – in particular, when it comes to silently installing Microsoft plugins into non-Microsoft web browsers.
The Microsoft .NET Framework Assistant and Windows Presentation Foundation plugins were installed – without receiving informed consent from the users beforehand – into the Mozilla Firefox browser when Microsoft published a .NET patch back in May 2009. Those users who discovered these additions found they couldn’t easily remove them without hacking the Windows Registry, which isn’t good at all.
Microsoft did then bring out a removal tool for the Framework Assistant plugin, but stable doors and bolting horses come to mind.
Many people had no idea these plugins were even there until October, when Firefox threw up a warning about add-ons that might be causing a problem following the biggest Microsoft Patch Tuesday ever. I received such a warning on a machine here, informing me that the Microsoft .NET Framework Assistant 1.1 may be unstable or insecure, which surprised me because I’d never installed any add-ons for Firefox, ever.
Mike Shaver, Mozilla’s Vice President of Engineering, explained that it had appeared there was a serious security vulnerability that could use the Framework Assistant as a vector for attack, and so it had been added to the Firefox plugin blocklist mechanism.
Within the week it turned out that this wasn’t the case and the plugin was removed from the blocklist, and Shaver confirmed that Mozilla was also working on a mechanism to re-enable the WPF plugin, ahead of its removal from the blocklist.
The thing is, I’m not so much concerned over the “is it or isn’t it” of a vulnerability as I am by Microsoft’s considering it okay to silently install the stuff in the first place. Microsoft might claim that the terms and conditions of the update stated, somewhere among the legalese, that it would do this and that I had therefore given my consent, but that sounds awfully like the kind of thing a dodgy spyware outfit would say when you discover it had managed to sneak unwanted software onto your computer.
I want clarity and consent to be right out in the open when it comes to the stuff that’s installed on my machine, and I expect better from Microsoft. A lot better.
It's back again, in Firefox 3.6!
Just when you thought you were rid of it...
See http://support.microsoft.com/kb/963707
By JohnGray7581 on 23 Feb 2010
You should read your Windows EULA. It's clearly covered in there that MS can do things like this without your acceptance. That's why I switched to Macs: having someone else decide what software is installed on my computer without me agreeing to it is a step too far.
Thankfully, on a Mac software isn't automatically installed, I have to give administrator authorisation for software installations.
By SwissMac on 2 Mar 2010
Not so quick SwissMac
The Apple Upgrade Assistant that comes with Quicktime is the most annoying piece of malware you can install on a PC; it constantly tries to trick you into installing Safari and iTunes.
By milliganp on 4 Mar 2010
Toshiba as well,..
They sneakily install a fingerprint reader add-in in Firefox, but it just causes FF to crash on launch! There is also no easy way to uninstall it, you need to get the add-ins ID and then delete all references to it in the registry!
By big_D on 9 Mar 2010
Barking up wrong tree...
These plugins get loaded because FF scans the registry for loadable modules at startup, NOT because MS or whoever have modified FF.
To prevent this behaviour, edit your {FF Dir}\greprefs\all.js file.
By Anteaus on 11 Mar 2010
Swissmac - I'm a mac user as well, but giving your permission to install software is fine as far as it goes. Let's say I install a patch for iTunes (which I detest) but as part of that it installs a "Mozilla iTunes toolbar" or some other nonsense.
This is what happened with this update. A patch given permission to do one thing decided to do that, and something else as well. Giving permission for these changes is fine as long as you know. Microsoft didn't tell anyone (and neither would insert: Apple/Google/random software company).
By bubbles16 on 11 Jun 2010
Davey Winder
Davey is a contributing editor to PC Pro, having covered the internet as a topic since the magazine started in 1994. Since that time he's won numerous awards for his journalism, but remains a small-business consultant specialising in privacy, security and usability issues.

