MS sneaks in a Fx add-on at machine level!

General discussion about the NoScript extension for Firefox
luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

MS sneaks in a Fx add-on at machine level!

Post by luntrus » Mon May 25, 2009 6:24 pm

Hi users of NoScript,

A number of users have become aware of the fact that Microsoft, with the .NET 3.5 SP1 installation, secretly installs a Firefox add-on. This is why, for instance, on the download site of Google Chrome a license agreement has to be accepted: without further notification the application is being downloaded and installed. By default, the settings for the ".NET Framework Assistant" are such that no alert is shown when so-called ClickOnce applications are opened: http://www.communities.hp.com/securitys ... dd-on.aspx

The settings of the add-on can be changed around, but it is very hard to uninstall. "We have added support on machine level, so the feature can be used by all computer users, also the add-on has been grayed out and cannot be uninstalled just like that by standard users, while standard users are not allowed to uninstall software on machine-level", according to Microsoft's Brad Abrams here: http://blogs.msdn.com/brada/archive/200 ... refox.aspx

So if malcoders add software that cannot be easily uninstalled on machine-level they are considered cybercriminals, but when MS applies an add-on through the same sneaky methods (without being open and upfront about it, with the lame excuse it is because the poor n00b-users would else be without this feature (that does not benefit them all)), everything at once is OK. What can NoScript do as an extension to block this if we do not want the add-on that is being forced upon us, or what can we do to get rid of this completely?

luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090525 Shiretoko/3.5pre

dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: MS sneaks in a Fx add-on at machine level!

Post by dhouwn » Mon May 25, 2009 9:01 pm

luntrus wrote:The settings of the add-on can be changed around, but it is very hard to uninstall.
Depends. If the user running Firefox has the suitable rights for the folder "extensions" in the Fx installation path (not the one in the folder of the profile) it can be uninstalled from within Firefox, the uninstall button will not be greyed out in this case.

luntrus wrote:MS sneaks in a Fx add-on at machine level! […] "We have added support on machine level, …
More precisely, the add-on was installed in the Fx application folder (globally) and not in a specific profile. Add-ons can be installed globally by using the command line option "-install-global-extension".
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b4) Gecko/20090503 Firefox/3.5b4

luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: MS sneaks in a Fx add-on at machine level!

Post by luntrus » Mon May 25, 2009 9:30 pm

@dhouwn,

Thanks for that explanation, but isn't it unusual for MS to install proprietary software in this way without asking the end users specifically if they would like to install this? What they will do to their OS, that's their business, but what they do to third-party software (Mozilla's Fx), can that be done over the heads of the users, or was this brought in with the explicit consent of the developers of Firefox 3.5? - http://weblogs.asp.net/scottgu/archive/ ... -beta.aspx

@giorgio maone
What control do NoScript users have over this, and can you confirm this was being brought in by developer consent? I think it will be a better policy if these silent global add-on installs can be performed on a "per user basis", where the end user can decide whether he wants the added feature installed or not. Silent add-on installations remind me of spyware and I think this policy is questionable to say the least, judiciously it is wrong, because in Google Chrome you at least have to agree for it to be installed automatically.

http://www.annoyances.org/exec/show/article08-600
About the dangers of this add-on in Fx: This update adds to Firefox one of the most dangerous vulnerabilities present in all versions of Internet Explorer: the ability for websites to easily and quietly install software on your PC. Since this design flaw is one of the reasons you may've originally chosen to abandon IE in favor of a safer browser like Firefox, you may wish to remove this extension with all due haste.

Unfortunately, Microsoft in their infinite wisdom has taken steps to make the removal of this extension particularly difficult for normal users,

luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090525 Shiretoko/3.5pre

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: MS sneaks in a Fx add-on at machine level!

Post by Tom T. » Mon May 25, 2009 10:39 pm

@ luntrus: Wow, I'm glad I got rid of .NET the first time I saw it (when it could still be uninstalled). Never missed it since.
MS does this type of criminal behavior constantly. You just have to vet every "patch", every "security update" (they tried to push IE8 on me as a "critical security update"), every download they offer or push. And don't allow automatic updating. Put it on "notify only", so that you can do as above *before* d/l - install.

Incidentally, there is a kludge for a lot of junk that MS won't let you "uninstall" officially. Just (back up your system, data, and HDD first) delete the offending components, usually in Windows\system32, although sometimes elsewhere (search). You may get "file protection" prompts. Click "cancel" and "yes". Copy the offending components, too, or just move them to a USB drive or CD rather than deleting, in case ever needed again. No, it won't remove the reg entries, etc., but that's good: if you ever *do* find that you need that component, it's still officially "installed" (registered). Done this many times.

WARNING: ADVANCED USERS ONLY. USE AT YOUR OWN RISK. UNOFFICIAL, NOT SUPPORTED, CARRIES NO WARRANTY, CONVEYS NO RIGHTS. PERFORM COMPLETE BACKUPS AS ADVISED. USE AT YOUR OWN RISK.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard

dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: MS sneaks in a Fx add-on at machine level!

Post by dhouwn » Tue May 26, 2009 10:01 am

Oh you…

luntrus wrote:This update adds to Firefox […] the ability for websites to easily and quietly install software on your PC.
AFAIK, it adds support for XBAP and ClickOnce. The latter can be compared to Java Web Start.

Tom T. wrote:they tried to push IE8 on me as a "critical security update"
Actually it has security improvements over IE7, e.g.: DEP is activated by default and it has a workaround for most of those plugins which weren't working properly when DEP was activated for IE7.
Last edited by dhouwn on Tue May 26, 2009 10:18 am, edited 1 time in total.
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b4) Gecko/20090503 Firefox/3.5b4

Giorgio Maone
Site Admin
Posts: 8955
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: MS sneaks in a Fx add-on at machine level!

Post by Giorgio Maone » Tue May 26, 2009 10:18 am

dhouwn wrote:Actually it has security improvements over IE7, DEP activated by default for it and it has a workaround for most of those plugins which had problems when DEP was activated for IE7.

Not to mention anti-XSS and anti-Clickjacking!
What a pity they fall too short even when they're blatant and late rip-offs... :)
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)

GµårÐïåñ
Lieutenant Colonel
Posts: 3352
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: MS sneaks in a Fx add-on at machine level!

Post by GµårÐïåñ » Tue May 26, 2009 9:18 pm

Interesting, I develop in .NET and it has NEVER installed anything into my Fx, globally or otherwise. It might be that people are not paying attention to what they are installing and giving it permission to install. MS is a lot of things but they will always only install as part of some user initiated install. They may not always make individual components exposed to be unchecked but they do always install as part of a bigger user initiated install, so not illegal, annoying perhaps, not illegal. Especially that I use .NET extensively and I have NEVER had anything installed into my Fx, ever. I think people need to pay closer attention to what they are actually installing and authorizing, should lead to a lot less whining after they do something and now want to undo it.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10

therube
Ambassador
Posts: 7682
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: MS sneaks in a Fx add-on at machine level!

Post by therube » Wed May 27, 2009 2:03 am

I think it stinks.
(If not for TurboTax, I'd have no use for .NET.)

dhouwn wrote:XBAP and ClickOnce. Latter can be compared to Java Web Start

Guess I'd have to read up on what XBAP & ClickOnce & Java Web Start are? And it looks like XAML too.

AFAIK, it does not "install" into Mozilla /plugins/.
It installs to a place like:

\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll


And then also sets up a (Windows) Registry entry like:

HKLM\SOFTWARE\MozillaPlugins\@microsoft.com/WPF,version=3.5


Mozilla must pick up items from that key branch (HKLM\SOFTWARE\MozillaPlugins\).
You'll find Adobe Flash there too.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090525 SeaMonkey/2.0b1pre
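
The registry lookup therube describes can be audited from the output of `reg query "HKLM\SOFTWARE\MozillaPlugins" /s`; the following is an added example, not part of any post in this thread. It lists plugin entries whose DLL sits outside the browser's own folder. The drive letter, the Firefox install path, the `Description` text and the second sample entry are constructed assumptions; only the WPF key and DLL path come from the post.

```python
import re
import sys
from ntpath import normcase  # Windows path rules, usable on any OS

# Constructed sample of `reg query "HKLM\SOFTWARE\MozillaPlugins" /s` output.
# WPF key and DLL path are from the post (drive letter assumed); the rest is made up.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@microsoft.com/WPF,version=3.5
    Description    REG_SZ    constructed description text
    Path    REG_SZ    C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll

HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@microsoft.com/WPF,version=3.5\MimeTypes

HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@example.invalid/SamplePlugin
    Path    REG_SZ    C:\Program Files\Mozilla Firefox\plugins\npsample.dll
"""

# Matches only direct children of MozillaPlugins (the plugin identifiers).
KEY_RE = re.compile(r"\\MozillaPlugins\\([^\\]+)$", re.I)


def parse_plugins(reg_text):
    """Return {plugin_id: {value_name: data}} from `reg query ... /s` text."""
    plugins, current = {}, None
    for line in reg_text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):
            m = KEY_RE.search(line.strip())
            # Deeper subkeys (e.g. MimeTypes) are skipped: current becomes None.
            current = plugins.setdefault(m.group(1), {}) if m else None
        elif current is not None:
            parts = line.strip().split("    ", 2)  # name, type, data
            if len(parts) == 3:
                current[parts[0]] = parts[2]
    return plugins


def outside_browser(plugins, browser_dir):
    """Plugin ids whose Path is missing or not under the browser install dir."""
    root = normcase(browser_dir).rstrip("\\") + "\\"
    return sorted(pid for pid, vals in plugins.items()
                  if not normcase(vals.get("Path", "")).startswith(root))


if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    found = parse_plugins(text)
    for pid in outside_browser(found, r"C:\Program Files\Mozilla Firefox"):
        print(pid, "->", found[pid].get("Path", "<no Path value>"))
```

Piping real `reg query` output into the script replaces the constructed sample; the same parser works for the `HKCU\Software\MozillaPlugins` branch.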

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: MS sneaks in a Fx add-on at machine level!

Post by Tom T. » Wed May 27, 2009 3:11 am

Giorgio Maone wrote:
dhouwn wrote:Actually it has security improvements over IE7, DEP activated by default for it and it has a workaround for most of those plugins which had problems when DEP was activated for IE7.

Not to mention anti-XSS and anti-Clickjacking!
What a pity they fall too short even when they're blatant and late rip-offs... :)

Yes, thank you, Giorgio. They can't even copy you competently. :P

I didn't accept IE 7, either, and when it came OOB on a new machine, I uninstalled it via Add/Remove. You can do that with 7, because they kindly (for once) made it a few-MB add-on to 6 rather than a complete package. I enabled DEP on my machine in 2006, when Steve Gibson made me aware that many machines had the capability, but it was off by default.

IE 6 is used for no other purpose than getting the MS Patches, and that is done via SSL/TLS connection, as described in this post.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: MS sneaks in a Fx add-on at machine level!

Post by Tom T. » Wed May 27, 2009 3:28 am

GµårÐïåñ wrote: MS is alot of things but they will always only install as part of some user initiated install.

I'm sorry to disagree with you, my good friend, but most users have AU set to install automatically whatever MS thinks you *need*. It is the "recommended" setting in Control Panel > Automatic Updates. You will get warnings if you turn AU off. IIRC, last fall, many users had the phone-home-every-day Genuine Advantage Notification (not "Validation") tool installed silently on their machines with no user interaction, other than perhaps the usual reboot prompt. Or if there was a chance to read, the brief explanation did not mention that the tool would phone home every day. I know this because my friend with the MSCS (but not so security-obsessed) had this happen to her. There was no way to uninstall it, so we just went to %windir%\system32 and deleted it. NOT AN OFFICIAL RECOMMENDATION. PROFESSIONAL DELETER ON CLOSED COURSE. DO NOT TRY THIS AT HOME.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard

GµårÐïåñ
Lieutenant Colonel
Posts: 3352
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: MS sneaks in a Fx add-on at machine level!

Post by GµårÐïåñ » Wed May 27, 2009 5:20 am

Tom T. wrote:I'm sorry to disagree with you, my good friend, but most users have AU set to install automatically whatever MS thinks you *need*. It is the "recommended" setting in Control Panel > Automatic Updates. You will get warnings if you turn AU off. IIRC, last fall, many users had the phone-home-every-day Genuine Advantage Notification (not "Validation") tool installed silently on their machines with no user interaction, other than perhaps the usual reboot prompt. Or if there was a chance to read, the brief explanation did not mention that the tool would phone home every day. I know this because my friend with the MSCS (but not so security-obsessed) had this happen to her. There was no way to uninstall it, so we just went to %windir%\system32 and deleted it. NOT AN OFFICIAL RECOMMENDATION. PROFESSIONAL DELETER ON CLOSED COURSE. DO NOT TRY THIS AT HOME.


That's why I say it's user failure to a great extent. I have NEVER EVER had this issue and I am one of the tools you mention who has automatic update and generally install the applications in the default path for providing easier support to people and I have never had anything sneaky do squat in any scenario. If it's happening to others, they are doing something wrong, simple as that. You are not unchecking something or you are clicking the usual install everything option or whatever. Otherwise, it will not happen by default, I am the first to hate M$, there is no surprise there and no love lost, but in this case, I think we are resorting to the knee-jerk reaction of blaming the big villain. I don't think there is honor in that, no matter how much I hate M$ corporate structure, a false assertion is wrong. I have no sneaky WGA issues, I have no sneaky .NET plugin issues, I don't have any sneaky information leak issues, there just isn't unless you failed somewhere in configuration.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10

therube
Ambassador
Posts: 7682
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: MS sneaks in a Fx add-on at machine level!

Post by therube » Wed May 27, 2009 5:34 am

Do you have .NET35 installed?
Does about:plugins show NPWPF.dll (Windows Presentation Foundation)?

(But you're on Vista/7 so things could be different as I believe at least some version of .NET came preinstalled.)

In the case of .NET (for XP users), I don't believe it is a failing of the user.

Separately, Firefox 3.x attacked by malware.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090525 SeaMonkey/2.0b1pre

GµårÐïåñ
Lieutenant Colonel
Posts: 3352
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: MS sneaks in a Fx add-on at machine level!

Post by GµårÐïåñ » Wed May 27, 2009 5:56 am

therube wrote:Do you have .NET35 installed?
Does about:plugins show NPWPF.dll (Windows Presentation Foundation)?

(But you're on Vista/7 so things could be different as I believe at least some version of .NET came preinstalled.)

In the case of .NET (for XP users), I don't believe it is a failing of the user.

Separately, Firefox 3.x attacked by malware.


Yes, I have .NET 3.5, it's a required part of my development environment using Visual Studio 2008. I also have all sub-version redistributable. No, about:config does not. I am using Win7 and many versions of .NET, up to 2.x are preinstalled to make itself work. The rest is installed during windows updates (or in my case Microsoft updates).
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10

dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: MS sneaks in a Fx add-on at machine level!

Post by dhouwn » Wed May 27, 2009 10:29 am

I guess the plugin "NPWPF.dll" is for XBAP and the extension (add-on) is for ClickOnce support. The plugin has been there since .NET SP1 and the add-on has come with the ".NET Family Update", the thread is about the add-on, not the plugin. Sorry for mixing it up before.
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b4) Gecko/20090503 Firefox/3.5b4

GµårÐïåñ
Lieutenant Colonel
Posts: 3352
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: MS sneaks in a Fx add-on at machine level!

Post by GµårÐïåñ » Wed May 27, 2009 7:17 pm

That's the thing, I never got the addon either, I am familiar with the one everyone has a problem with, it shows up on AMO as well. The question is that unless it's installed intentionally, I have yet to see anything installed on its own. Anyway it seems that I am in the minority of not being affected by some grace of a miracle apparently and what I say will not change anything, so I will leave you all to your discussion.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
