KB963707 question

Since I don't use Firefox, is there any reason why I should install this
update?

DJ_Bach wrote:
> Since I don't use Firefox, is there any reason why I should install
> this update?

How to remove the .NET Framework Assistant for Firefox
http://support.microsoft.com/kb/963707

No.

Also, if you get something in the mail for a car you do not own/have (like a
parts recall) - don't take the car you do own/have in for the repair. ;-)

However - since all Windows OSes past a certain point are multi-user (no
matter if you use them that way or not) - I feel compelled to ask, "Do you
have users that *do* use Firefox on your computer? Is it even installed?"

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html

I don't have Firefox installed so I'm going to bypass this update. Thanks

"Shenan Stanley" wrote:

> DJ_Bach wrote:
> > Since I don't use Firefox, is there any reason why I should install
> > this update?
>
> How to remove the .NET Framework Assistant for Firefox
> http://support.microsoft.com/kb/963707
>
> No.
>
> Also, if you get something in the mail for a car you do not own/have (like a
> parts recall) - don't take the car you do own/have in for the repair. ;-)
>
> However - since all Windows OSes past a certain point are multi-user (no
> matter if you use them that way or not) - I feel compelled to ask, "Do you
> have users that *do* use Firefox on your computer? Is it even installed?"
>
> --
> Shenan Stanley
> MS-MVP
> --
> How To Ask Questions The Smart Way
> http://www.catb.org/~esr/faqs/smart-questions.html
>
>
>

I went ahead and installed this update because it was high priority. No
problems yet.

"DJ_Bach" wrote:

> I don't have Firefox installed so I'm going to bypass this update. Thanks
>
> "Shenan Stanley" wrote:
>
> > DJ_Bach wrote:
> > > Since I don't use Firefox, is there any reason why I should install
> > > this update?
> >
> > How to remove the .NET Framework Assistant for Firefox
> > http://support.microsoft.com/kb/963707
> >
> > No.
> >
> > Also, if you get something in the mail for a car you do not own/have (like a
> > parts recall) - don't take the car you do own/have in for the repair. ;-)
> >
> > However - since all Windows OSes past a certain point are multi-user (no
> > matter if you use them that way or not) - I feel compelled to ask, "Do you
> > have users that *do* use Firefox on your computer? Is it even installed?"
> >
> > --
> > Shenan Stanley
> > MS-MVP
> > --
> > How To Ask Questions The Smart Way
> > http://www.catb.org/~esr/faqs/smart-questions.html
> >
> >
> >

Actually, this is a little different. This is something like you own a Ford
and the service department for Chevrolet came in to your car in the middle of
the night and snuck in a defective Chevrolet fuel pump into your Ford - and
welded it in and then rigged it so that if you use force to uninstall the
pump your car may burn up. So when Chevrolet offers to remove the part for
you, you definitely want to let them do it.

You should install this update whether or not you currently use FireFox.
Otherwise, if you ever do use FireFox (and you should be using it instead of
IE anything) then you will still have the dangerous add-on that Microsoft
snuck onto your PC and is now lying in wait for when you do install FireFox.
The only way to remove it safely is to use this patch so the uninstall button
becomes available.

Definitely install this patch. And definitely uninstall any Microsoft
add-ons to FireFox. Afterall, that's why we use FireFox - because it's not
Microsoft. Now Microsoft has hijacked it to inject security flaws from IE
into FireFox.

"Shenan Stanley" wrote:

> DJ_Bach wrote:
> > Since I don't use Firefox, is there any reason why I should install
> > this update?
>
> How to remove the .NET Framework Assistant for Firefox
> http://support.microsoft.com/kb/963707
>
> No.
>
> Also, if you get something in the mail for a car you do not own/have (like a
> parts recall) - don't take the car you do own/have in for the repair. ;-)
>
> However - since all Windows OSes past a certain point are multi-user (no
> matter if you use them that way or not) - I feel compelled to ask, "Do you
> have users that *do* use Firefox on your computer? Is it even installed?"
>
> --
> Shenan Stanley
> MS-MVP
> --
> How To Ask Questions The Smart Way
> http://www.catb.org/~esr/faqs/smart-questions.html
>
>
>

Dale wrote:
> Actually, this is a little different. This is something like you
> own a Ford and the service department for Chevrolet came in to your
> car in the middle of the night and snuck in a defective Chevrolet
> fuel pump into your Ford - and welded it in and then rigged it so
> that if you use force to uninstall the pump your car may burn up.
> So when Chevrolet offers to remove the part for you, you definitely
> want to let them do it.
>
> You should install this update whether or not you currently use
> FireFox. Otherwise, if you ever do use FireFox (and you should be
> using it instead of IE anything) then you will still have the
> dangerous add-on that Microsoft snuck onto your PC and is now lying
> in wait for when you do install FireFox. The only way to remove it
> safely is to use this patch so the uninstall button becomes
> available.
>
> Definitely install this patch. And definitely uninstall any
> Microsoft add-ons to FireFox. Afterall, that's why we use FireFox
> - because it's not Microsoft. Now Microsoft has hijacked it to
> inject security flaws from IE into FireFox.

Actually - it's more like someone tagged your car (spray painted their logo
on it). You can clean it up with a little effort and it really doesn't
affect the performance of the vehicle - but it is annoying and you'd like it
not to be there.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html

"Shenan Stanley" wrote:

> Actually - it's more like someone tagged your car (spray painted their logo
> on it). You can clean it up with a little effort and it really doesn't
> affect the performance of the vehicle - but it is annoying and you'd like it not to be there.
>

No, spray paint would be more like Microsoft skinned FireFox or injected a
3:00 AM theme. This definitely affects performance. It adds additional
processing and opens Firefox up to be compromised by Microsoft security flaws.

And, as long as we're continuing to discuss this, let me also add that the
uninstall feature that Microsoft re-enabled with KB963707 does not at all
uninstall the .Net add-on. By switching the package from a per-machine
install to a per-user install, Microsoft pulled a classic shell game on us.
Now when you uninstall, it only uninstalls for the current user! If you have
multiple users on the machine, you have to uninstall for each of them. But
guess what? You still haven't uninstalled the .Net add-on. If you create a
new user account, they automatically have the .Net add-on installed for them!

This is a virus. Computer viruses are generally defined as programs that
are self propagating and this bug does that - even if only within your one
machine. And another malware trait is that the .Net 3.5 SP1 package
installed other software (a patch to Firefox is NOT a patch to .Net 3.5)
without a separate notification and approval of the user. This is why I
refer to WSUS as trojan.WSUS.

You can read my blog on this at
http://dalepreston.com/Blog/2009/06/...us-part-3.html.

Dale wrote:

> And, as long as we're continuing to discuss this, let me also add that the
> uninstall feature that Microsoft re-enabled with KB963707 does not at all
> uninstall the .Net add-on.

There isn't actually anything to uninstall. The add-on is built into .NET, it
isn't a separate component.

> By switching the package from a per-machine
> install to a per-user install, Microsoft pulled a classic shell game on us.
> Now when you uninstall, it only uninstalls for the current user!

... like most other extensions? (The difference, of course, being that most
other extensions also *install* per-user.)

What I want to know is how a user is supposed to reinstall the extension having
previously uninstallled it. I'm going to have to sit down and figure out
exactly what KB963707 is doing, although knowing that the uninstall is per-user
is a good start.

From what I do know, the new system seems like an unnecessary mess. The
correct solution to the underlying issue would have been for Firefox to disable
all new global add-ons by default, so each user gets to opt-in. This would
solve the problem for all add-ons from all vendors, not just this particular
add-on from MS, and without creating complications.

> This is a virus. Computer viruses are generally defined as programs that
> are self propagating and this bug does that - even if only within your one
> machine.

Nice rhetoric, but factually incorrect - there's (presumably) only ever one copy
of the add-on code, it isn't being replicated. (At least, that is certainly how
the original add-on worked, as I said I haven't analysed KB963707 yet.)

> And another malware trait is that the .Net 3.5 SP1 package
> installed other software (a patch to Firefox is NOT a patch to .Net 3.5)
> without a separate notification and approval of the user.

Once again, an add-on isn't a patch. The Firefox installation itself is *not*
being modified.

Harry.

"Harry Johnston [MVP]" wrote:

> There isn't actually anything to uninstall. The add-on is built into .NET, it
> isn't a separate component.

That doesn't even make sense. How can an add-on for a third party
application not part of Windows be considered to be part of the .Net
framework? 70+ per cent of all computers don't even have Firefox installed.
Building this add-on into the .Net framework SP1 appears to be a choice made
to trick users into having Microsoft add-ons in their non-Microsoft browser.
This is one of the best examples I have ever seen of Microsoft using its
power and trust as owner of the operating system to push their other products
onto a public that doesn't want it. If the public wanted it, or if Microsoft
believed for a minute that the customers wanted Click-Once in Firefox,
Microsoft would simply have added the add-on to the Firefox site and
published announcements on their own site. This add-on wasn't even published
on their own site, no banners, no ads, no press release. Only a 3:00 AM
installation similar to Search 3.01 in 2007:
http://dalepreston.com/Blog/2007/10/trojanwsus.html.


> ... like most other extensions? (The difference, of course, being that most
> other extensions also *install* per-user.)
>
> What I want to know is how a user is supposed to reinstall the extension having
> previously uninstallled it. I'm going to have to sit down and figure out
> exactly what KB963707 is doing, although knowing that the uninstall is per-user
> is a good start.

And this install should have been per user and should have been installed
only when the user specifically requested to have the installation performed.

And if a user wants to reinstall the add-on after uninstalling, they could
easily go back to the Firefox site and download t he add-on. Or they could
go to Microsoft's download site and request an installation package. Except
that Microsoft did not make an installation package so they could hide this
add-on in a security patch and pretend that it doesn't fit the model of any
other software package or add-on. Really now, not even an MVP can be so
gullible as to believe the installation and uninstall model for this package
was anything other than a way to get this onto the PCs of users who would not
have otherwise installed the package.

>
> From what I do know, the new system seems like an unnecessary mess. The
> correct solution to the underlying issue would have been for Firefox to disable
> all new global add-ons by default, so each user gets to opt-in. This would
> solve the problem for all add-ons from all vendors, not just this particular
> add-on from MS, and without creating complications.

Oh, I see. It's Mozilla's fault that Microsoft did this because they
allowed it to happen. And the kid who steals a candy bar at the grocery
store isn't at fault; the store is at fault because they didn't put the candy
away.

> > This is a virus. Computer viruses are generally defined as programs that
> > are self propagating and this bug does that - even if only within your one
> > machine.
>
> Nice rhetoric, but factually incorrect - there's (presumably) only ever one copy
> of the add-on code, it isn't being replicated. (At least, that is certainly how
> the original add-on worked, as I said I haven't analysed KB963707 yet.)

Yep. You got me there.


> Once again, an add-on isn't a patch. The Firefox installation itself is *not*
> being modified.

Yep. Got me there, too. Semantics.

Dale wrote:

>> There isn't actually anything to uninstall. The add-on is built into .NET, it
>> isn't a separate component.
>
> That doesn't even make sense. How can an add-on for a third party
> application not part of Windows be considered to be part of the .Net
> framework?

Whether you "consider it to be" part of the .NET framework is a matter of
opinion, I suppose. Functionally, the code is located within the .NET code.

Since .NET is monolithic (in the sense that it has no optional components, thank
goodness) this means that there is no reasonable way in which it could be
removed, short of making it an entirely separate product.

> 70+ per cent of all computers don't even have Firefox installed.
> Building this add-on into the .Net framework SP1 appears to be a choice made
> to trick users into having Microsoft add-ons in their non-Microsoft browser.

I'm not sure there's much point in speculating over Microsoft's motives.
Personally I'm not convinced it was an intentionally malicious move, though I
think an ill-advised one. On the other hand, given the existing precedent I
suspect the outcry caught them by surprise.

It does seem surprising that there hasn't, to the best of my knowledge, been any
fuss at all over the fact that Adobe Reader installs a Firefox global add-on
without asking, or providing any way to uninstall it. Perhaps this is because
it's been doing it for at least the last four years! I'm not saying that this
excuses Microsoft's choices, but sometimes it really does seem that they get
picked on. :-)

Then there's the fact that Apple Quicktime does the same thing, *and* also
modifies Sun Java without asking - that last one used to be really nasty,
because it wasn't even done properly. At one point it actually broke Java.

No doubt there are other examples.

> If the public wanted it, or if Microsoft
> believed for a minute that the customers wanted Click-Once in Firefox,
> Microsoft would simply have added the add-on to the Firefox site and
> published announcements on their own site. [...]

Not an ideal solution, as it creates additional work for the end user. Not
everyone is comfortable with this sort of task.

> Really now, not even an MVP can be so
> gullible as to believe the installation and uninstall model for this package
> was anything other than a way to get this onto the PCs of users who would not
> have otherwise installed the package.

Technologically and in terms of usability including browser add-ons in the
product they relate to is a superior technique. This avoids people having to
download and install the add-on separately, and avoids people who don't have the
product (.NET) installing the add-on and then wondering why it doesn't work.

(Again, I'm still not saying it was a good idea in the absence of an opt-in
solution.)

>> From what I do know, the new system seems like an unnecessary mess. The
>> correct solution to the underlying issue would have been for Firefox to disable
>> all new global add-ons by default, so each user gets to opt-in. This would
>> solve the problem for all add-ons from all vendors, not just this particular
>> add-on from MS, and without creating complications.
>
> Oh, I see. It's Mozilla's fault that Microsoft did this because they
> allowed it to happen.

No, in my opinion it was a mistake for Microsoft to choose technological
simplicity and usability at the cost of user opt-in. But Mozilla could fairly
easily make it unnecessary to choose between them ... and simultaneously put the
opt-in choice in the hands of each user rather than the administrator, another
issue with the current model.

I should also note that I was presented with a dialog the next time Firefox ran
advising me of the new add-on and giving me the option to disable it. I'd have
preferred it to be opt-in rather than opt-out, but other than that I'm not
entirely sure what all the fuss was about - did this not happen in some cases?

>> Once again, an add-on isn't a patch. The Firefox installation itself is *not*
>> being modified.
>
> Yep. Got me there, too. Semantics.

Not at all. This is an important distinction because it means that disabling
the add-on is just as good as uninstalling it, making the behavioural changes
introduced by KB963707 entirely pointless IMO. If it had made it opt-in rather
than opt-out that would have been a positive move, but simply including a
per-user uninstallation option?

(Note also that keeping the add-on code within the product the best way to
provide add-ons, because it ensures that the order of installation doesn't
affect the result.)

Harry.