MS patch of… Firefox?

To quote an article on about the new ClickOnce install support that MS has added to .NET:

The Microsoft .NET Framework 3.5 Service Pack 1 update, pushed through the Windows Update service to all recent editions of Windows in February 2009, installs the Microsoft .NET Framework Assistant firefox extension without asking your permission.
This update adds to Firefox one of the most dangerous vulnerabilities present in all versions of Internet Explorer: the ability for websites to easily and quietly install software on your PC. Since this design flaw is one of the reasons you may’ve originally choosen to abandon IE in favor of a safer browser like Firefox, you may wish to remove this extension with all due haste.

Unfortunately, Microsoft in their infinite wisdom has taken steps to make the removal of this extension particularly difficult – open the Add-ons window in Firefox, and you’ll notice the Uninstall button next to their extension is grayed out! Their reasoning, according to Microsoft blogger Brad Abrams, is that the extension needed “support at the machine level in order to enable the feature for all users on the machine,” which, of course, is precisely the reason this add-on is bad news for all Firefox users.

And then follows a convoluted procedure to hack the crap out of the registry. Go there, read it, do it, if you run Windows, this service pack, and Firefox.

Tech Republic put it like this:

In a surprise move this year, Microsoft has decided to quietly install what amounts to a massive security vulnerability in Firefox without informing the user. Find out what Microsoft has to say about it, and how you can undo the damage.

Read the entire Tech Republic article.

PS: this isn’t exactly news (the article is dated February 27, 2009), but I only just noticed through a posting by Rob S on a private list.

Leave a Reply

Your email address will not be published. Required fields are marked *