May 31st, 2009
Microsoft sneaks in Firefox extension via Update
The good news is that Microsoft is writing extensions for Firefox. The bad news is, the Redmond giant is slipping the extension onto systems without notifying users and making it difficult to get rid of the extension. Even worse? It’s an extension that allows Web sites to install software onto users’ PCs behind the scenes — meaning that Firefox users on Windows may not be as safe as they think.
Brian Krebs, who originally recommended the .Net Framework that sneaks the extension into Firefox writes:
Anyway, I’m sure it’s not the end of the world, but it’s probably infuriating to many readers nonetheless. Firstly — to my readers — I apologize for overlooking this…”feature” of the .NET Framework security update. Secondly — to Microsoft — this is a great example of how not to convince people to trust your security updates.
Krebs is right: It’s not the end of the world. But it seems like a violation of user trust to monkey with a third-party program — and top it off by making it difficult to remove the extension without editing the Windows Registry. By using the update mechanism to sneak software onto the system, Microsoft is telling security conscious users to be suspicious of updates and to deploy them only after they’ve been widely vetted, or choose a more trustworthy vendor.
As a Linux user, it makes little difference to me what Microsoft does via Windows Update –users on openSUSE and other Linux distros can see exactly what updates will do to their system: Down to the source code, if they choose to take the time.
But, failing a source code audit, Microsoft could at least provide a full disclosure of the packages and features modified when a user runs Windows Update. Without that, users should be wary indeed of trusting Microsoft’s updates — and missing a trust relationship for security updates, users should be wary of running Windows in the first place.
Joe 'Zonker' Brockmeier is a longtime FOSS advocate, and currently works for Novell as the community manager for openSUSE. Prior to joining Novell, Brockmeier worked as a technology journalist covering the open source beat for a number of publications, including Linux Magazine, Linux Weekly News, Linux.com, UnixReview.com, IBM developerWorks, and many others. See his full profile and disclosure of his industry affiliations. Follow Zonker on Twitter.
Subscribe to Community, Incorporated via Email alerts or RSS.
