\"Microsoft .Net Framework Assistant 1.0\"... What

[SirWinner]

\"Microsoft .Net Framework Assistant 1.0\"... Plug-in for Firefox...

Microsoft did a very bad thing lately concerning \"Windows Updates\"... they installed a Plug-in for Firefox without allowing someone to opt out of that choice. Then you were NOT allowed to uninstall it via the \"Tools\", \"Add-ons\", \"Extensions\" from Firefox.

The plug-in that was installed is called \"Microsoft .Net Framework Assistant 1.0\".

See this article on how to disable and remove it from Firefox:
http://robertnyman.com/2009/01/26/micro ... extension/

See this link too:
http://support.microsoft.com/kb/963707

---
\"In the .NET Framework 3.5 SP1, the .NET Framework Assistant enables Firefox to use the ClickOnce technology that is included in the .NET Framework. The .NET Framework Assistant is added at the computer level so that its functionality can be used by all users at the computer level instead of at the user level. As a result, the Uninstall button is unavailable in the Firefox Add-ons menu because standard users are not permitted to uninstall machine-level components.\"
---

The problem is that I didn't ASK for nor did I WANT this update... and the Part about not being able to \"uninstall machine-level components\" is extremely disturbing. This is similar to \"Rootkit\" fiasco in recent PC history by Sony Entertainment.

\"ClickOnce\" is not something that I was aware of before this was installed.

More Information on \"ClickOnce\" is here:
http://msdn.microsoft.com/en-us/library ... S.80).aspx

---
ClickOnce Deployment Overview

ClickOnce is a deployment technology that allows you to create self-updating Windows-based applications that can be installed and run with minimal user interaction. ClickOnce deployment overcomes three major issues inherent in deployment:

Difficulties in updating applications. With Microsoft Windows Installer deployment, whenever an application is updated, the user must reinstall the entire application; with ClickOnce deployment, you can provide updates automatically. Only those portions of the application that have changed are downloaded, then the full, updated application is reinstalled from a new side-by-side folder.

Impact to the user's computer. With Windows Installer deployment, applications often rely on shared components, with the potential for versioning conflicts; with ClickOnce deployment, each application is self-contained and cannot interfere with other applications.

Security permissions. Windows Installer deployment requires administrative permissions and allows only limited user installation; ClickOnce deployment allows non-administrative users to install and grants only those Code Access Security permissions necessary for the application.

---

This update can cause issues for the Firefox Internet Browser. Then add the further insult that you were NOT allowed to Uninstall it either!

So the bottom line is this: Microsoft installed software on our PC's without our permission to allow themselves to purposely bypass ALL Security Practices setup on our own PC's!

This is a very serious breach of trust purposely done by people inside of Microsoft.

So effectively Microsoft has now shown that they intend to further control our PC's and our choice of Internet Browsers without our consent or permission.

So what is next, Will they disable or cripple all Non-Internet Explorer browsers in the near future?

- I find out about items like this one by listening to \"Security Now\" Podcast on http://www.grc.com or http://www.twit.tv/sn

Thought that you all would like to be made aware of this new security breach caused by Microsoft.

SirWinner

[Ferno]

so.. what effects does it cause?

[SirWinner]

Here's just a few:

- opening firefox to unnecessary security risks from an add-on that was forced on us by Microsoft WITHOUT our knowledge.

- opens us up to unexpected software installs.

- runs software that I didn't ask to be running in the first place... Takes up extra hard drive space and takes processor time away from tasks that NEED to be running.

This is just the tip of the iceberg if you will.

[Foil]

...as it turns out, Microsoft issued a fix a month ago; details here.

Article

[Ferno]

Have there been any documented cases of security breaches due to this plugin?

how much space does it take up? does it change the priority level of anything?

[Duper]

apparantly, from what comments have posted, the \"glitch\" was fixed before anyone was aware of it.

Still, I doubt it was an accident.

[fliptw]

Trust, but verify.

Im on windows 7, so it existed before FF was installed.

ponder that.

[snoopy]

It's nice not to have to worry about Microsoft updates.

[Duper]

It's nice not to have to worry about Microsoft updates.

yeah, I decided a while back my next box is a Mac.

[Ferno]

until you find out you're locked into proprietary upgrades and drivers.

[Sirius]

Have there been any documented cases of security breaches due to this plugin?

how much space does it take up? does it change the priority level of anything?

To the first question - not that I've heard of. That doesn't mean it's impossible to exploit, but you would need to find a vulnerability in the ClickOnce system to do so. The extension is not a vulnerability in itself (unless you're being cynical enough to assume Microsoft code automatically is a vulnerability).

Second question; it's hard to say, but I tracked down the extension on my Firefox installation and it only seems to take up 30 KB. Not really something I'm concerned about.

Third question; I don't think Firefox extensions can actually do this... I would guess it works by reading certain code from web pages and forwarding the information to a .NET framework component. (P.S. Don't know much about the extension system except that it seems to run on JavaScript and a few other things, so I could be wrong about that.)

The real problem here is that Microsoft should know better than to install stuff into third-party software without giving the user notification or a chance to opt out; that kind of thing (as evidenced above) kind of riles people up. It's more the principle than the practice, since the chance that this specific thing leads to any major security breaches is practically nil (the ClickOnce system probably works on IE too!). Still, hopefully the lesson has been learned.

[Ferno]

Thing is, people did technically agree to the install, seeing as it's part of the .net package.

If it was a seperate piece of software, say a yahoo toolbar, then I can understand the issue.

[Jeff250]

Pushing this down as an update doesn't seem as bad as some of the other things they've pushed down in updates, such as WGA, and Windows users have already grown accustomed to that, so this too will blow over with them.

Third question; I don't think Firefox extensions can actually do this... I would guess it works by reading certain code from web pages and forwarding the information to a .NET framework component. (P.S. Don't know much about the extension system except that it seems to run on JavaScript and a few other things, so I could be wrong about that.)

Firefox extensions can run arbitrary native code. However, for unmalicious extensions, XUL/Javascript is the best to use for as much as you can, since it gives you both cross-platform compatibility and ease of development for free. Plus, it's what Firefox's chrome is written in, so you will need to use it to some extent to extend it.

[Sirius]

Yeah, that I suppose is true enough. It would be nicer though.

If they can run arbitrary native code they may be able to mess with priority settings and so on, though that might be blocked by the UAC system if it's enabled.

[SirWinner]

Have there been any documented cases of security breaches due to this plugin?

The fact that this was installed WITHOUT my permission is a security breach on its' own.

The method used bypassed my preferred security settings.

Like Steve Gibson's TNO (Trust NO One) policy, this really puts Microsoft on the Top of my list of Software to NOT Trust.

Unfortunately, I'm stuck with Windows because all of the software that is run on my PC's run on it.

"Windows Update" reached out beyond its' own turf and messed with my Firefox settings WITHOUT my permission.

I expect "Windows Updates" to update Internet Explorer and Windows Operating System files... NOT to install plugins for other Internet Browsers, etc.

[Krom]

Initially not having the option to disable or uninstall it was an amateurish mistake but it has been fixed, so there isn't much of a debate left there.

Mozilla left the add-on system in Firefox open on purpose, there is no reason Microsoft (or anyone else) shouldn't take advantage of it. And odds are it was mentioned somewhere in an excessively long EULA before you installed whatever .net framework update it came with.

[Duper]

until you find out you're locked into proprietary upgrades and drivers.

Meh, I'm not fussed. I won't be gaming anymore and the newer macs don't have those restrictions. But I doubt I'll be upgrading before the tech goes EOL.

[Ferno]

Meh, I'm not fussed. I won't be gaming anymore and the newer macs don't have those restrictions. But I doubt I'll be upgrading before the tech goes EOL.

Fair enough. good to see they took that direction.

[Tunnelcat]

I'm making a guess here as to why Microsoft did this. I'm betting it was because of the lawsuit brought by the EU and the resulting negotiated settlement. Microsoft's marriage of the IE Browser and the Operating system was one of the points of contention in the EU lawsuit, so I'm guessing that Microsoft added that little 'assistant' to Firefox (and I'm betting there will be a way for Google Chrome to use Microsoft Update as well) as part of the settlement. Microsoft would never do something to 'assist' another company's software on their own volition unless forced to.

[Foil]

Meh, I doubt it - this only came in an update to Visual Studio, so it's something generally only developers/tinkerers will get.

[Tunnelcat]

You don't think so, eh? Just my 2 cents. Microsoft just doesn't go out of their way to do anything extra, especially for third-party browser software, eeeeeeeeeeeek heresy!, without a reason.

[snoopy]

Worse- did you see that the Chinese government is requiring all PC's in the nation to have software installed that allows them to monitor what you're doing on it?

I gotta say that the US rocks compared to that.

[Jeff250]

Meh, I doubt it - this only came in an update to Visual Studio, so it's something generally only developers/tinkerers will get.

It reportedly comes as an update to the .net framework in general, and it was pushed through the Windows Update site.

[Jeff250]

I'm making a guess here as to why Microsoft did this.

It's for their ripoff of Java Web Start. It's so that server side scripts can directly know what version of .net you have installed as opposed to just the client side scripts being able to detect this. By putting your version of .net in your user agent string, the server side scripts have direct access to this information from the http header. Of course, I don't see why just doing this client side was ever a problem to begin with. This is what Flash and Java developers have been doing for what... over a decade, without issue?

[Jeff250]

It occurred to me that, since (as far as I know) .net doesn't already have a plugin for applet-like objects a la Flash or Java for browsers, version detection using client-side scripts wouldn't actually be possible without an additional plugin! However, I still think that it would have been better to have implemented detection client side. This way users could prevent sites from knowing their version of .net by disabling Javascript or using NoScript. Modifying the user agent string is questionable in my opinion, and it makes it more difficult to prevent broadcasting your .net version to sites that you don't trust.

[Foil]

Meh, I doubt it - this only came in an update to Visual Studio, so it's something generally only developers/tinkerers will get.

It reportedly comes as an update to the .net framework in general, and it was pushed through the Windows Update site.

D'oh, you're right. Something I had read (I can't find it now) gave me the impression it was limited to a Studio update. Thanks for the correction.