MS sneaks in a Fx add-on at machine level!

General discussion about the NoScript extension for Firefox
dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: MS sneaks in a Fx add-on at machine level!

Post by dhouwn » Sat May 30, 2009 6:05 pm

In .NET Framework 3.5 SP1, the .NET Framework Assistant enables Firefox to use the ClickOnce technology that is included in the .NET Framework. The .NET Framework Assistant is added at the machine-level to enable its functionality for all users on the machine. As a result, the Uninstall button is shown as unavailable in the Firefox Add-ons list because standard users are not permitted to uninstall machine-level components. In this update for .NET Framework 3.5 SP1 and in Windows 7, the .NET Framework Assistant will be installed on a per-user basis. As a result, the Uninstall button will be functional in the Firefox Add-ons list. This update will also make this version of the .NET Framework Assistant for Firefox compatible with future versions of the Firefox browser. To properly update the .NET Framework Assistant, this update must be applied while the extension is enabled in Firefox. To remedy the result of installing this update while the extension was disabled, uninstall the update, re-enable the extension, and reinstall the update. Updates to the .NET Framework Assistant may include updates to the Windows Presentation Foundation Plug-in for Firefox causing it to be enabled upon its initial update.
http://www.microsoft.com/downloads/details.aspx?FamilyID=cecc62dc-96a7-4657-af91-6383ba034eab
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b4) Gecko/20090503 Firefox/3.5b4

GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: MS sneaks in a Fx add-on at machine level!

Post by GµårÐïåñ » Sun May 31, 2009 12:47 am

Thank you for sharing but you can quote me the entire whitepaper for this and it won't change the fact that this did not happen to me, will never happen to me because for better or worse I don't just install things and click next without knowing what the hell I am doing. If it's there, the user installed it one way or another. I am not saying that M$ installer didn't put it there, but it was initiated by the user not by some magic of its own. I have been dealing with .NET since the day it was a theory introduced and the old VS6 people were drafted to work on its whitepaper and plan its development and it was NEVER (up to 2008 and the beta release of 2010) released as a forced installation other than requiring the installation of the framework for each stacked version to ensure that the IDE can run and compile based on compatibility level selected. So as said before, I am not saying people are not experiencing this but I am certain it's because of complacency and failure to pay attention rather than anything malicious, otherwise the professionals dealing with it on a daily basis would have raised hell over it already and we are fine. Cheers.

Edit: any professional that is suffering from this, I am sorry to say, you pulled a bonehead rookie move and should quit bitching about it and move on, you failed.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.11) Gecko/2009051909 Firefox/3.0.11

therube
Ambassador
Posts: 7521
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: MS sneaks in a Fx add-on at machine level!

Post by therube » Sun May 31, 2009 4:28 pm

I believe you're incorrect ;-).

It may have been because of the order in which things were installed too.
AFAIK (can remember), there is no prompt, nor menu selection to allow or not ANY pieces to .NET.

If you're running 7, what version of .NET comes pre-installed?
Was SeaMonkey, probably more correctly Firefox installed prior to 3.5 being installed?

Is FF installed now?
If you were to (uninstall) reinstall .NET 3.5 (can you even do that?), I'm pretty certain you will see no dialog concerning this - it just happens.

Now with the update dhouwn posted that may change slightly - at least giving you the ability to uninstall.

This makes no sense to me, How to determine which versions of the .NET Framework are installed and whether service packs have been applied?

When I check mscorlib.dll it shows 2.0.50727.3082.

My entire directory looks like this:

       Usage(B)   Dirs   Files  Eff  Path
--------------- ------ ------- ----  --------
        114,688      0       4  88%  v1.0.3705
          8,192      0       2   0%  v1.1.4322
     66,981,888     29     378  98%  v2.0.50727
     22,835,200      8      60  99%  v3.0
     29,696,000     12     164  98%  v3.5
--------------- ------ ------- ----  --------
    120,045,568     54     626  98%  E:\WINDOWS\MICROS~1.NET\FRAMEW~1

So presumably I do (?) have 3.5 (& further 3.5sp1) installed, yet mscorlib.dll shows otherwise?

Add or Remove Programs (for me, XP) shows 2.0sp2, 3.0sp2, 3.5sp1.


There is also a E:\WINDOWS\assembly\GAC_32\mscorlib\ directory, but I believe that to be a "virtual" type structure?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090530 SeaMonkey/2.0b1pre

`nar
Posts: 16
Joined: Tue May 05, 2009 6:39 am

Re: MS sneaks in a Fx add-on at machine level!

Post by `nar » Sun May 31, 2009 6:43 pm

I have to agree with therube and dhouwn here. Guardian, just because you haven't seen it, doesn't mean that others are doing anything wrong. :roll: I update windows every day for users and have never seen a .NET option other than the option in Windows Update about whether or not to install it. I also install FF for most of my clients, but I have not noticed this add-on yet even though I install addons myself. I will certainly look for it now. Most users still run XP, you obviously don't, so just keep in mind that everyone's situation is different. We can both be right, or we can both be wrong, it is not always true that one of us is right and so the other must be wrong. ;) I think we are both right, but that our situations are different, and I for one cannot speculate too much, much less assume, on what others in their situations did on this issue.

At home I leave AU turned off, I hate being sideswiped by bad updates so they are more of a problem for me than malware. :x I am now installing that very .NET 3.5 SP1 KB951847 x64 update on my system. Yes, my system is 64 bit XP, so my results will not necessarily be representative of most users. I run Win7 x64 RC at work now, and I can check some Vista machines as well. But it may have a lot to do with the order of things. What is installed first, when was it updated, what are the user's rights? Most of my users are administrators on their machines already, so is this only a domain issue with limited users? I have some clients on domains, including myself actually, and still, I haven't seen this. But I still don't assume that the user is at fault, not until I know what causes it. Most of what I fix may be preventable by the users, but that by no means is user error.

One last thing, do we know yet if NS can prevent the silent or oneclick installs that this .NET update is supposed to enable? Does anybody here actually have this addon installed and can test that?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10

`nar
Posts: 16
Joined: Tue May 05, 2009 6:39 am

Re: MS sneaks in a Fx add-on at machine level!

Post by `nar » Sun May 31, 2009 7:59 pm

It did install on my XPx64 machine. I can disable, but not uninstall. I just accepted the critical security updates. I usually criticize them, but I wanted to see if just installing those security updates did it, that aforementioned .NET 3.5 SP1 I am sure. No prompt about .NET that I noticed.

Some good info, or at least good questions over at http://www.hardforum.com/showthread.php?t=1423288 forums:
This is old news and the author is a fool for writing up such bullshit about it without researching.

.NET 3.5 SP1 first installed this. All it does is add support for ClickOnce functionality.

http://en.wikipedia.org/wiki/ClickOnce

This support was originally only by a third party here: https://addons.mozilla.org/en-US/firefox/addon/1608

MS is just now officially supporting it. OMG the world is coming to an end! MS is supporting one of their products for a competitor!!!!

Keep tightening those tin-foil hats people.
__________________
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)

luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: MS sneaks in a Fx add-on at machine level!

Post by luntrus » Sun May 31, 2009 11:01 pm

Hi posters in this thread,

Anyway I like to have full control always over what I want and do not want to import inside OS or browser etc, and not see it performed over the head of the user.
If we saw the thing in reverse and Mozilla would do this for Windows with HTML 5 support, what would the comments be?
Well I think a hearty welcome on part of IE, because it is playing into their scheme of things.
And again with global installs that could present a security issue on IE8, why do I want to import that for the Mozilla browser that I choose to prefer over IE8 and to have NoScript coming to the rescue in the aftermath and rescue our glorious behinds if there should be any issue eventually with this.
This is not how it is performed, it is a question of principles, - I want to check what I am doing, that is why I always update and patch manually and never allow automatic updates.

luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090531 Shiretoko/3.5pre

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: MS sneaks in a Fx add-on at machine level!

Post by Tom T. » Mon Jun 01, 2009 12:51 am

What luntrus said. Every_word_of_it.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard

GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: MS sneaks in a Fx add-on at machine level!

Post by GµårÐïåñ » Mon Jun 01, 2009 12:58 am

therube wrote:I believe you're incorrect ;-).

It may have been because of the order in which things were installed too.
AFAIK (can remember), there is no prompt, nor menu selection to allow or not ANY pieces to .NET.

If you're running 7, what version of .NET comes pre-installed?
Was SeaMonkey, probably more correctly Firefox installed prior to 3.5 being installed?

Is FF installed now?
If you were to (uninstall) reinstall .NET 3.5 (can you even do that?), I'm pretty certain you will see no dialog concerning this - it just happens.

Now with the update dhouwn posted that may change slightly - at least giving you the ability to uninstall.

This makes no sense to me, How to determine which versions of the .NET Framework are installed and whether service packs have been applied?

When I check mscorlib.dll it shows 2.0.50727.3082.

My entire directory looks like this:

       Usage(B)   Dirs   Files  Eff  Path
--------------- ------ ------- ----  --------
        114,688      0       4  88%  v1.0.3705
          8,192      0       2   0%  v1.1.4322
     66,981,888     29     378  98%  v2.0.50727
     22,835,200      8      60  99%  v3.0
     29,696,000     12     164  98%  v3.5
--------------- ------ ------- ----  --------
    120,045,568     54     626  98%  E:\WINDOWS\MICROS~1.NET\FRAMEW~1

So presumably I do (?) have 3.5 (& further 3.5sp1) installed, yet mscorlib.dll shows otherwise?

Add or Remove Programs (for me, XP) shows 2.0sp2, 3.0sp2, 3.5sp1.


There is also a E:\WINDOWS\assembly\GAC_32\mscorlib\ directory, but I believe that to be a "virtual" type structure?


You are certainly entitled to that but respect that it is indeed a matter of fact that I am entitled to defend. 7 came with the same RTM version 3.0 that is installed with Vista and obviously I installed fx long before I installed any updates as I refuse to use IE and install everything based on a meticulously updated and kept archive of software on the private NAS and everything is installed from those vetted files and usually is the most up to date unless something new was released in the last 2 days. Nothing showed up, nothing was installed and that is fact. Believable or not, reproducible by others or not, it's fact. Nothing to uninstall, as nothing is installed. Also keep in mind that .NET releases are stacked based on previous foundation frameworks that are required. So whatever version you have, the next release will ONLY update the new files and the foundation versions will remain pointed to the snapshot of the release they represent. So you can have 3.5 installed and still have components that read 1.x 2.x and that is fine and completely normal.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.11) Gecko/2009051909 Firefox/3.0.11

GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: MS sneaks in a Fx add-on at machine level!

Post by GµårÐïåñ » Mon Jun 01, 2009 1:01 am

`nar wrote:I have to agree with therube and dhouwn here. Guardian, just because you haven't seen it, doesn't mean that others are doing anything wrong. :roll: I update windows every day for users and have never seen a .NET option other than the option in Windows Update about whether or not to install it. I also install FF for most of my clients, but I have not noticed this add-on yet even though I install addons myself. I will certainly look for it now. Most users still run XP, you obviously don't, so just keep in mind that everyone's situation is different. We can both be right, or we can both be wrong, it is not always true that one of us is right and so the other must be wrong. ;) I think we are both right, but that our situations are different, and I for one cannot speculate too much, much less assume, on what others in their situations did on this issue.

At home I leave AU turned off, I hate being sideswiped by bad updates so they are more of a problem for me than malware. :x I am now installing that very .NET 3.5 SP1 KB951847 x64 update on my system. Yes, my system is 64 bit XP, so my results will not necessarily be representative of most users. I run Win7 x64 RC at work now, and I can check some Vista machines as well. But it may have a lot to do with the order of things. What is installed first, when was it updated, what are the user's rights? Most of my users are administrators on their machines already, so is this only a domain issue with limited users? I have some clients on domains, including myself actually, and still, I haven't seen this. But I still don't assume that the user is at fault, not until I know what causes it. Most of what I fix may be preventable by the users, but that by no means is user error.

One last thing, do we know yet if NS can prevent the silent or oneclick installs that this .NET update is supposed to enable? Does anybody here actually have this addon installed and can test that?


I maintain a Windows 7, Vista (ultimate, business), XP (home, professional and media center), linux (ubuntu, knoppix, suse, debian) and one pre-x mac images and actual machines. NONE of the windows configurations have this PERIOD. That's a lot of coincidence for me to have no point.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.11) Gecko/2009051909 Firefox/3.0.11

therube
Ambassador
Posts: 7521
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: MS sneaks in a Fx add-on at machine level!

Post by therube » Mon Jun 01, 2009 6:39 pm

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.21) Gecko/20090403 SeaMonkey/1.1.16

GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: MS sneaks in a Fx add-on at machine level!

Post by GµårÐïåñ » Mon Jun 01, 2009 8:01 pm

Google adds extensions, Digital Persona adds extensions, RoboForm adds extensions, Microsoft adds extensions, AVG, Verisign, McAfee, Norton, Orbit and the list goes on forever. You mean to tell me that each and every one of these vendors is violating the law and secretly adding stuff or is it more likely that the user was not paying attention to uncheck the item during the installation? I am going with the latter since I have EACH AND EVERY ONE of these software installed in combination, in whole or on various machines and I never had their Fx extensions installed or show up unless I asked for it. But everyone has their mind made up and if blaming someone else makes people sleep better at night, have at it, but my experience has been contrary and I don't care how many self-proclaimed security experts blog about it (or whine about it) I can easily replicate the proof that it was user failure. I build at least 4 systems a week and NEVER had this problem, that's a whole lot of evidence to be coincidence people.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.11) Gecko/2009051909 Firefox/3.0.11

Nan M
Ambassador
Posts: 102
Joined: Thu Mar 19, 2009 12:44 pm

Re: MS sneaks in a Fx add-on at machine level!

Post by Nan M » Tue Jun 02, 2009 9:23 am

Adding the experience of my home network XP Home SP3 user here.

They installed .NET 1 back when they installed a handy stickies app, but have never had to use .NET functionality itself and have kept any network functions disabled, and have never had any problem with .NET running anything at all without their admin knowledge.
They run Windows Update manually - no background installing is done on their system.
Any .NET offerings from Windows Update have been accepted, for the reasons that Guardian outlines.
Without ordered history of updates in this kind of thing, nothing can be extrapolated.

Famously (but I'm not going to link without checking the link carefully, and I don't have the time right now), a .NET 2 SP1 update back in late 2008 was very very buggy, and the fix was quite complicated. I don't doubt that quite a few installs are not quite right there.

Looking at the Windows Update report of the XP machine here's install of
Microsoft .NET Framework 3.5 Service Pack 1 and .NET Framework 3.5 Family Update (KB951847) x86
installed on 13Feb09
it appears that the update was successful, no system event log reports or application event reports.
Since I manage Firefox for all the home network machines, I can report that there has definitely never been any .NET Click Once support extension installed on their Fx.

Not the case for that pesky Java Quickstart extension :-/ But then, that's just expected from Sun, isn't it.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10

luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: MS sneaks in a Fx add-on at machine level!

Post by luntrus » Tue Jun 02, 2009 2:50 pm

Hi posters in this thread,

Somebody even filed this sneaky add-on as a bug: https://bugzilla.mozilla.org/show_bug.cgi?id=446139
And why defend it, as MS tells us they will install it on a per-user basis from Windows 7 hence-on and provide a normal uninstall for the Fx add-on?

luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090601 Shiretoko/3.5pre

GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: MS sneaks in a Fx add-on at machine level!

Post by GµårÐïåñ » Tue Jun 02, 2009 7:45 pm

@luntrus, no one is defending anything other than the fact that to make a blank statement of ignorance is just wrong. If you come here and post things just to hear yourself talk and don't want responses or discussion then please stop, but if you do it because you have a real point, then there are two sides to everything and jumping on the ignorant bandwagon is wrong and I will defend against it.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.11) Gecko/2009051909 Firefox/3.0.11

GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: MS sneaks in a Fx add-on at machine level!

Post by GµårÐïåñ » Tue Jun 02, 2009 10:41 pm

Here, everyone can sleep well again :roll:

http://support.microsoft.com/kb/963707
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.11) Gecko/2009051909 Firefox/3.0.11
