Nathan’s blog about software development, design and the people behind it.

Microsoft has been caught installing exploits into Firefox through Windows Update!

Written on June 9th, 2009

As part of their monthly set of security fixes to Windows, Microsoft has decided to make modifications to the Firefox web browser. The modification is an extension called Microsoft .NET Framework Assistant, featuring Microsoft’s “ClickOnce technology” which enables any website to easily and quietly install software onto the host computer.

Microsoft has literally modified Firefox without our knowledge or permission with the effect of adding a significant back door for malicious software creators.

Now the whole reason I use Firefox is because I do not want websites to have the ability to easily and quietly install software that could potentially mess up or take over my system. As mentioned in my previous post, this is the primary reason why I left Internet Explorer in the first place.

I personally think this is absolutely appalling and sheds even more light on Microsoft’s disgusting, anti-competitive business practices. These are the kinds of issues that the European Union have been fighting Microsoft about over the past few years, and continue to fight them about.

If your version of Windows is current, you’ll notice the new addition in Firefox under Tools, Add-Ons, Extensions.

Microsoft .NET Framework Firefox Extension

Making matters worse, the uninstallation process is far from simple. Microsoft has also disabled the uninstall button in Firefox, and the removal process is a painstaking set of instructions found on Microsoft’s support website.

The issue was first discovered by the Washington Post’s Computer Security columnist, Brian Krebs, in an article entitled “Microsoft Update Quietly Installs Firefox Extension“. I personally first heard the issue through Steve Gibson’s and Leo Laporte’s Security Now podcast, episode 199. Steve does a great job explaining the little details and has quite an in depth discussion with Leo on the subject. I recommend checking these resources out it out if you would like more details.

Posted in Firefox, Open Source, Security