Home / Firefox Extensions May Have Been Installed Without Your Knowledge

Firefox Extensions May Have Been Installed Without Your Knowledge

Please Share...Print this pageTweet about this on TwitterShare on Facebook0Share on Google+0Pin on Pinterest0Share on Tumblr0Share on StumbleUpon0Share on Reddit0Email this to someone

It has come to my attention that recently some programs (Windows Update among them) have begun installing addons to the Mozilla Firefox Web browser, generally without informing the user that it's happening.  The two recent notable offenders are .NET Framework Assistant 1.0 for Firefox and Java Quick Starter.  While I use a number of addons myself (IE Tab, Pennypacker, Tab Mix Plus, Adblock, etc.), I certainly never installed either of these others deliberately, and rumor has it, the .Net addon in particular was snuck in without clear notification.  Understandably, Firefox users were incensed and raised a ruckus, particularly given how difficult it initially was to remove the unwelcome bit of code.

See, with most Firefox addons, there is a clear option to either Disable or Uninstall an addon if you no longer want it.  While you could Disable both of these addons, the Uninstall option was grayed out, making it impossible to do so without a bit of homework and effort.  What's more, some are going so far as to say, "this update adds to Firefox one of the most dangerous vulnerabilities present in all versions of Internet Explorer: the ability for Web sites to easily and quietly install software on your PC."

When they finally spoke up on the issue, Microsoft's explanation was that the Framework Assistant is added "at the computer level so that its functionality can be used by all users … As a result, the Uninstall button is unavailable in the Firefox Add-ons menu because standard users are not permitted to uninstall machine-level components."  Okay, but that doesn't explain why they felt the need to introduce what is potentially the greatest vulnerability to their biggest competitor without even notifying the end user.

If you check your addons list in Firefox (Tools>Addons on the top menu) and spot this entry, and would like to remove it, Microsoft has produced an update that now enables the Uninstall option.  You can get it here, as well as instructions on the longer, more involved method that involves editing the registry, should you not want to run the update.

As for the Java Quick Starter, a few seconds of research brought up a page at Java's website with details on the process, what it does, and how to disable and remove it if you so choose.  The short version is: click Start, go to Control Panel, open Java Control Panel, expand Miscellaneous on the list, uncheck the box for Java Quick Starter, click OK, then restart your computer.

As for what it does, basically it caches common files needed to launch and run Java applications so that they will start faster.  This sounds good for people who work with Java regularly, and it doesn't appear to have a large memory footprint, but the bigger issue seems to remain — "Why wasn't I told you were modifying my browser?"  Could it be exploited as a possible weakness in what's largely billed as one of the Web's safer browsers?  I can't say for sure, but I don't like having the option to choose whether I use the addon being made for me with a routine Java update.

If nothing else, this demonstrates that, even with the latest and greatest browser, security software, and a decent personal level of paranoia, changes can be made — sometimes by people you trust — which could introduce new vulnerabilities to what is perhaps the most important appliance in your home or workplace.

Powered by

About Mark Buckingham

  • Mark Buckingham

    FParker…It’s possible they’d be dumb enough to make the same mistake twice, but given that they issued a fix in response to public outcry — plus the fact that people will be on the lookout for this sort of thing now — I have to think they’d design future updates containing this extension with the option to remove it in mind.

  • Yes, I was highly annoyed and disabled the .NET one when it first installed itself with a .NET update. Folks complained that they couldn’t remove it (could only disable it), so Microsoft made it possible to remove it.

    I wonder if upon another update to .NET framework if it could be installed again? (if it’s been uninstalled instead of just disabled). Will keep an eye on that as well.

  • Bliffle

    I don’t surf from windows. I’ve also made sure my WinXP system doesn’t have ActiveX or Flash, both of which are dangerous. Usually I disable network access. I have no reason to surf from WinXP and I only use it for a TV viewer program, “WinTV”, everything else is linux. Even if I want to check “TitanTV” for schedules, I do it on a second computer.

    In the last three years of observing these precautions I have eliminated the frequent problems I used to have with Windows, especially ‘bots’.

  • Mark Buckingham

    Indeed, some users elsewhere had mentioned that the newest versions of Firefox didn’t seem to accept the .Net update, which bodes well for the future.

  • Brian aka Guppusmaximus

    Thanks for the info….

    NET Framework Assistant 1.0 for Firefox isn’t compatible with Firefox 3.5.2,so, I didn’t have to do anything.

    Java Quick Starter wasn’t enabled to begin with and it isn’t located in the “Miscellaneous” drop down box under the Advanced tab. It was in “Default Java for Browsers” AND that box was only checked was for IE(which I rarely ever use)

    All in all, I do agree with you that no browser is perfect but if you add the NoScript add-on along with Better Privacy and use the “Private Browsing” option, Firefox is one kick ass wall of security when surfin.

  • Thanks for the info. I removed them both, the bastards