Protect Your Assets
Showing results for 
Search instead for 
Do you mean 

Microsoft's ClickOnce Firefox add-on

Chris Sullo ‎05-22-2009 03:35 PM - edited ‎09-25-2015 09:06 AM

With Firefox, I just went to download a certain new version 2.0 web browser and and was surprised that after hitting the license accept button Firefox started up an installer, downloaded the application and installed it without any prompts or questions. This is not the security experience with Firefox I've been accustomed to.


I did some digging around in the page's code, a little searching, and found I had the "Microsoft .NET Framework Assistant" installed into my Firefox add-ons. A little more digging and I found it was silently installed with .NET 3.5 SP1. Yes, that's right, I said silently. What's more, the default settings of this add-on allow sites to start installers without prompting.



That second checkbox also points to another minor annoyance--that the add-on reports the installed .NET versions to every website you visit via the User-Agent string. Nice.


While you can change the settings via Firefox, and even disable it, the icing on the cake you can't actually uninstall it without jumping through hoops. Microsoft's Brad Abrams, in a blog post, said:


We added this support at the machine level in order to enable the feature for all users on the machine.  Seems reasonable right?  Well, turns out that enabling this functionality at the machine level, rather than at the user level means that the "Uninstall" button is grayed out in the Firefox Add-ons menu because standard users are not permitted to uninstall machine-level components.  


Oh, Brad, I'm frightened. What kind of a place is this? No--it doesn't sound reasonable. Microsoft should have published it in Mozilla's add-on directory like everyone else and not quietly changed their biggest (browser) competitor's product , drastically weakening its security in the process.


To uninstall the extension completely, you'll have to follow the steps outlined in Brad's post, which involve registry editing and directly editing Firefox's configuration.


While this is not exactly ground-breaking news here on the internet--there are plenty of pages crying foul with this whole deal--I hadn't heard of it, so it seemed worth posting about to spread the word just a little bit. And we should all review our primary browser's add-ons/extensions on a regular basis.

0 Kudos
About the Author

Chris Sullo

on ‎05-23-2009 06:04 PM

Chris - this is yet another reason I hate all modern browsers.  They're supposed to be your pal, bring you cool content - but they silently turn on you and before you know it they pwn you

on ‎05-23-2009 07:37 PM

Blatant Stupidity really is alive and well in Redmond....

Chris Sullo
on ‎05-26-2009 02:39 PM


I think it's more MS doing something they shouldn't (in IE or any other browser), but for their part, I would love to see Mozilla come up with a way to prevent this from happening *ever*, no matter how the plugin was installed.

In fact, it would be nice if they could detect a plugin was not installed via user action and put up a big fat alert (I realize, being open source, there are serious complications with this, but... they coudl try!).

on ‎06-01-2009 02:09 AM

They can't make neither Windows nor IE secure, so they try bringing Firefox down to their level... no surprises here!

on ‎06-01-2009 04:02 PM


on ‎06-01-2009 09:36 PM

Sniff..sniff...thats really low.

I just dumped MS yesturday like I did AOL 12 years ago for the same practice.

im thinking maybe server 2000 edition.

Chris Sullo
on ‎06-03-2009 03:58 PM

Briank Krebs has posted an excellent write-up of how to remove this extension without going through all the registry editing and whatnot as linked above. It involves another Microsoft update which will allow you to uninstall it through the browser. A reader of his also dug up an interesting discussion where the Firefox developers argue about whether this "functionality" should be considered a bug or not.

on ‎10-04-2009 10:56 AM

cool blog

27 Feb - 2 March 2017
Barcelona | Fira Gran Via
Mobile World Congress 2017
Hewlett Packard Enterprise at Mobile World Congress 2017, Barcelona | Fira Gran Via Location: Hall 3, Booth 3E11
Read more
Each Month in 2017
Software Expert Days - 2017
Join us online to talk directly with our Software experts during online Expert Days. Find information here about past, current, and upcoming Expert Da...
Read more
View all