It has come to my attention that recently some programs (Windows Update among them) have begun installing addons to the Mozilla Firefox Web browser, generally without informing the user that it's happening. The two recent notable offenders are .NET Framework Assistant 1.0 for Firefox and Java Quick Starter. While I use a number of addons myself (IE Tab, Pennypacker, Tab Mix Plus, Adblock, etc.), I certainly never installed either of these others deliberately, and rumor has it, the .Net addon in particular was snuck in without clear notification. Understandably, Firefox users were incensed and raised a ruckus, particularly given how difficult it initially was to remove the unwelcome bit of code.
See, with most Firefox addons, there is a clear option to either Disable or Uninstall an addon if you no longer want it. While you could Disable both of these addons, the Uninstall option was grayed out, making it impossible to do so without a bit of homework and effort. What's more, some are going so far as to say, "this update adds to Firefox one of the most dangerous vulnerabilities present in all versions of Internet Explorer: the ability for Web sites to easily and quietly install software on your PC."
When they finally spoke up on the issue, Microsoft's explanation was that the Framework Assistant is added "at the computer level so that its functionality can be used by all users … As a result, the Uninstall button is unavailable in the Firefox Add-ons menu because standard users are not permitted to uninstall machine-level components." Okay, but that doesn't explain why they felt the need to introduce what is potentially the greatest vulnerability to their biggest competitor without even notifying the end user.
If you check your addons list in Firefox (Tools>Addons on the top menu) and spot this entry, and would like to remove it, Microsoft has produced an update that now enables the Uninstall option. You can get it here, as well as instructions on the longer, more involved method that involves editing the registry, should you not want to run the update.
As for the Java Quick Starter, a few seconds of research brought up a page at Java's website with details on the process, what it does, and how to disable and remove it if you so choose. The short version is: click Start, go to Control Panel, open Java Control Panel, expand Miscellaneous on the list, uncheck the box for Java Quick Starter, click OK, then restart your computer.
As for what it does, basically it caches common files needed to launch and run Java applications so that they will start faster. This sounds good for people who work with Java regularly, and it doesn't appear to have a large memory footprint, but the bigger issue seems to remain – "Why wasn't I told you were modifying my browser?" Could it be exploited as a possible weakness in what's largely billed as one of the Web's safer browsers? I can't say for sure, but I don't like having the option to choose whether I use the addon being made for me with a routine Java update.
If nothing else, this demonstrates that, even with the latest and greatest browser, security software, and a decent personal level of paranoia, changes can be made — sometimes by people you trust — which could introduce new vulnerabilities to what is perhaps the most important appliance in your home or workplace.