My latest Windows Update run just downloaded an update to Microsoft‘s .Net Framework 3.5. Here are the details of the update:
Microsoft .NET Framework 3.5 Service Pack 1 is a full cumulative update that contains many new features building incrementally upon .NET Framework 2.0, 3.0, 3.5 and includes cumulative services updates to the .NET Framework 2.0 and .NET Framework 3.0 subcomponents. The .NET Framework 3.5 Family Update provides important application compatibility updates.
Sounds fairly innocuous, right? Wrong! Besides deploying the fixes to the .NET framework mentioned above, the update also installed a stealth Add-in for FireFox, without any warning, permission or request for consent:
To add insult to injury, not only is the plugin useless (Not compatible with Firefox 3.1b2) as you can see above, but the Uninstall button is actually disabled!
Looks like it’s not a new problem, with reports of Microsoft violating Firefox since last August, but this is now bundled as part of a package that is described as an “Important Update”, rather than a component of development software (Visual Studio) that a person may or may not choose to install.
You can hack your way through uninstalling the plugin, but it’s not the sort of thing someone inexperienced should try. Here are the instructions from the site above:
Against what many people think, though, it can be uninstalled – but by nothing less than hacking the actual registry of Windows! Open your Start Menu and choose Run. Type in regedit and press enter/click OK. Within there, you have to look for something called
HKEY_LOCAL_MACHINE\SOFTWARE\and delete the key there (for Windows Vista 64-bit \Firefox\extensions
When you have done that, type in
about:configin the address bar in Firefox, accept the warning and then remove
And, to finish it off, open Windows Explorer and go to
\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\to remove the last remnants of the evil extension.
Instructions thankfully found through Remove the .NET Framework Assistant 1.0 from Firefox
My question to you is this. Granted that Microsoft may “own” the operating system you’re running your software on, but does that give them the right to install additions to non-Microsoft software on your machine? The plugin didn’t work in my case, but let’s say it broke Firefox for me, would Microsoft have acknowledged this was a problem they caused and fixed it? Is it right for them to circumvent any features Mozilla put into Firefox to protect their users and violate their software in this way? Isn’t this the sort of installation route you’d expect malicious software to take?