Microsoft may be Firefox's worst vulnerability

In a surprise move this year, Microsoft has decided to quietly install what amounts to a massive security vulnerability in Firefox without informing the user. Find out what Microsoft has to say about it, and how you can undo the damage.

Microsoft pushed out its .NET Framework 3.5 Service Pack 1 update this February. The “List of changes and fixes” article about this update says:

The .NET Framework 3.5 SP1 is a full cumulative update that contains many new features. These new features build incrementally upon the .NET Framework 2.0, the .NET Framework 3.0, and the .NET Framework 3.5. It also includes cumulative servicing updates to the dependent .NET Framework 2.0 and .NET Framework 3.0 subcomponents. This update should be applied as an important update for the .NET Framework 2.0 and later versions, and it is recommended for all other supported operating systems.

The article then goes on to list a dizzying array of changes delivered by the update.

According to Annoyances.org, however, it does something that isn’t listed there — it installs the Microsoft .NET Framework Assistant extension for Firefox, silently, without informing the user. If you had Firefox on your computer when this update was installed, you may be subject to some dire consequences. In Remove the Microsoft .NET Framework Assistant (ClickOnce) Firefox Extension, Annoyances.org says:

This update adds to Firefox one of the most dangerous vulnerabilities present in all versions of Internet Explorer: the ability for websites to easily and quietly install software on your PC. Since this design flaw is one of the reasons you may’ve originally choosen to abandon IE in favor of a safer browser like Firefox, you may wish to remove this extension with all due haste.

Yes, that’s right — the long-time, well known security hole present in Internet Explorer that consists of essentially letting Websites install dangerous, untrusted code on your computer willy-nilly has now been shoehorned into your MS Windows install of Firefox without your knowledge or permission.

Worse yet, Microsoft isn’t satisfied with just giving you vulnerabilities without your permission or even you knowledge. It has also gone out of its way to ensure that you’ll have a difficult time removing the vulnerability from your system if you should happen to become aware of it. The Uninstall button for this extension in Firefox has been deactivated. In Uninstalling the Clickonce Support for Firefox, Microsoft employee Brad Abrams says:

We added this support at the machine level in order to enable the feature for all users on the machine. Seems reasonable right? Well, turns out that enabling this functionality at the machine level, rather than at the user level means that the “Uninstall” button is grayed out in the Firefox Add-ons menu because standard users are not permitted to uninstall machine-level components.

Brad Abrams explains that an update has been produced, in response to a lot of negative reaction from people who realized that MS was monkeying around with their Firefox installs without permission or notification, that turns the extension into a “per-user component”. Of course, he thoroughly downplays the negative reaction, saying:

Clearly this is a bit frustrating for some users that wanted an easy way to uninstall the Clickonce Support for Firefox.

Reading some of the Slashdot commentary, I’d say it was far worse than “a bit frustrating” for some user. It was downright enraging for some, and I don’t blame them.

He claims turning the .NET Framework Assistant into a per-user component makes uninstalling it “a LOT cleaner”. In some respects, this is true. The process for a full uninstall that was necessary to get it out of your hair as a standard system user can be pretty scary for someone who isn’t a bona-fide expert computer user. Even most so-called Power Users should be vary leery of following those instructions. Those of us who have actually gotten to the point where we edited registry keys for a living (yes, I had a job a few years back that included that unenviable task, and I got quite good at doing so quickly and safely), on the other hand, should find it pretty simple.

On the other hand, making it a per-user component means that when one user uninstalls it, another can still have it. If you’re uninstalling it for security reasons, this should set off a warning klaxon in your head, complete with flashing red lights. If you’re the only person who ever uses your computer, this might mitigate the problem somewhat, but anyone who manages to remotely exploit your system as another unprivileged user account may then be able to make use of the security hole represented by the .NET Framework Assistant to increase his or her hold on the system (among other nightmare scenarios that may spring to mind).

I guess you have to admire the sheer chutzpah of someone like Brad Abrams trying to put a bright, happy face on this situation. It takes real courage to stand out front telling users about this major hose-job and try to find a way to spin it so the users won’t turn into a lynch mob. At least he has the decency to tell us how to do the work necessary to remove the unwanted Firefox extension. Go read his Weblog post (linked above) now, and make the necessary changes, if you’re using Firefox on MS Windows.

I recommend you do the registry hacking necessary to carve this thing out of the guts of your system, get rid of Firefox entirely and use one of the other third-party Web browsers that isn’t known for screwing its users, or just get rid of MS Windows entirely, at this point. Do you remember when I listed 5 characteristics of security policy I can trust? Yeah. Anything that Microsoft can modify from afar like this doesn’t even begin to satisfy my criteria, and this incident is an excellent example of that.

It looks like the biggest security vulnerability in Mozilla Firefox this year is Microsoft.