Microsoft's ClickOnce Firefox add-on - The HP Security Laboratory Blog -

Microsoft's ClickOnce Firefox add-on - The HP Security Laboratory Blog -

Sign in | Join | Help

The HP Security Laboratory Blog » Microsoft's ClickOnce Firefox add-on

Microsoft's ClickOnce Firefox add-on

The HP Security Laboratory Blog

Home
Contact

Syndication

Recent Posts

Tags

Archives

With Firefox, I just went to download a certain new version 2.0 web browser and and was surprised that after hitting the license accept button Firefox started up an installer, downloaded the application and installed it without any prompts or questions. This is not the security experience with Firefox I've been accustomed to.

I did some digging around in the page's code, a little searching, and found I had the "Microsoft .NET Framework Assistant" installed into my Firefox add-ons. A little more digging and I found it was silently installed with .NET 3.5 SP1. Yes, that's right, I said silently. What's more, the default settings of this add-on allow sites to start installers without prompting.

That second checkbox also points to another minor annoyance--that the add-on reports the installed .NET versions to every website you visit via the User-Agent string. Nice.

While you can change the settings via Firefox, and even disable it, the icing on the cake you can't actually uninstall it without jumping through hoops. Microsoft's Brad Abrams, in a blog post, said:

We added this support at the machine level in order to enable the feature for all users on the machine. Seems reasonable right? Well, turns out that enabling this functionality at the machine level, rather than at the user level means that the "Uninstall" button is grayed out in the Firefox Add-ons menu because standard users are not permitted to uninstall machine-level components.

Oh, Brad, I'm frightened. What kind of a place is this? No--it doesn't sound reasonable. Microsoft should have published it in Mozilla's add-on directory like everyone else and not quietly changed their biggest (browser) competitor's product , drastically weakening its security in the process.

To uninstall the extension completely, you'll have to follow the steps outlined in Brad's post, which involve registry editing and directly editing Firefox's configuration.

While this is not exactly ground-breaking news here on the internet--there are plenty of pages crying foul with this whole deal--I hadn't heard of it, so it seemed worth posting about to spread the word just a little bit. And we should all review our primary browser's add-ons/extensions on a regular basis.

Posted 05-22-2009 2:35 PM by Chris Sullo

Filed under: Microsoft

Comments

Rafal Los wrote re: Microsoft's ClickOnce Firefox add-on

on 05-23-2009 5:04 PM

Chris - this is yet another reason I hate all modern browsers. They're supposed to be your pal, bring you cool content - but they silently turn on you and before you know it they pwn you

Marc Handelman wrote re: Microsoft's ClickOnce Firefox add-on

on 05-23-2009 6:37 PM

Blatant Stupidity really is alive and well in Redmond....

Chris Sullo wrote re: Microsoft's ClickOnce Firefox add-on

on 05-26-2009 1:39 PM

Rafal:

I think it's more MS doing something they shouldn't (in IE or any other browser), but for their part, I would love to see Mozilla come up with a way to prevent this from happening *ever*, no matter how the plugin was installed.

In fact, it would be nice if they could detect a plugin was not installed via user action and put up a big fat alert (I realize, being open source, there are serious complications with this, but... they coudl try!).

Panta wrote re: Microsoft's ClickOnce Firefox add-on

on 06-01-2009 1:09 AM

They can't make neither Windows nor IE secure, so they try bringing Firefox down to their level... no surprises here!

MrH4x0r wrote re: Microsoft's ClickOnce Firefox add-on

on 06-01-2009 3:02 PM

SHABBA!!!

mike wrote re: Microsoft's ClickOnce Firefox add-on

on 06-01-2009 8:36 PM

Sniff..sniff...thats really low.

I just dumped MS yesturday like I did AOL 12 years ago for the same practice.

im thinking maybe server 2000 edition.

Chris Sullo wrote re: Microsoft's ClickOnce Firefox add-on

on 06-03-2009 2:58 PM

Briank Krebs has posted an excellent write-up of how to remove this extension without going through all the registry editing and whatnot as linked above. It involves another Microsoft update which will allow you to uninstall it through the browser. A reader of his also dug up an interesting discussion where the Firefox developers argue about whether this "functionality" should be considered a bug or not.

voices.washingtonpost.com/.../microsoft_patch_to_fix_firefox.html

Roberto wrote re: Microsoft's ClickOnce Firefox add-on

on 10-04-2009 9:56 AM

cool blog

Add a Comment

Name: (required)

Website: (optional)

Comments (required)

Remember Me?

Type the numbers and letters above:

Privacy Statement

Powered by Community Server (Non-Commercial Edition), by Telligent Systems

Information disclosed in this community becomes public. Exercise caution when deciding to disclose your personal information. HP reserves the right, but is not obligated to, edit or remove your comment if it contains personally identifiable information or other content HP deems unacceptable. Opinions expressed are your personal opinions or those of the original authors, and not of HP. Please see HP's web Terms of Use for more details.

Privacy statement | Using this site means you accept its terms