HP Security Products Blog

Microsoft's ClickOnce Firefox add-on

With Firefox, I just went to download a certain new version 2.0 web browser and was surprised that after hitting the license accept button Firefox started up an installer, downloaded the application and installed it without any prompts or questions. This is not the security experience with Firefox I've been accustomed to.

I did some digging around in the page's code, a little searching, and found I had the "Microsoft .NET Framework Assistant" installed into my Firefox add-ons. A little more digging and I found it was silently installed with .NET 3.5 SP1. Yes, that's right, I said silently. What's more, the default settings of this add-on allow sites to start installers without prompting.

That second checkbox also points to another minor annoyance--that the add-on reports the installed .NET versions to every website you visit via the User-Agent string. Nice.
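To see what the User-Agent disclosure means from the server side, here is an added example that is not part of the original post: a small Python script that reads web-server access logs in Apache "combined" format and inventories which client addresses advertise ".NET CLR" tokens in their User-Agent, and which versions. The log lines are constructed for this example, and the exact placement of the ".NET CLR x.y.z" token inside the Firefox User-Agent is an assumption; the parser only relies on the token text itself.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" log format. The ".NET CLR"
# tokens mimic what the .NET Framework Assistant appended to the Firefox
# User-Agent; the exact token layout is an assumption for this example.
SAMPLE_LOG = """\
203.0.113.10 - - [23/May/2009:18:04:01 -0400] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
203.0.113.11 - - [23/May/2009:18:05:12 -0400] "GET /about HTTP/1.1" 200 812 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.5.30729)"
198.51.100.7 - - [23/May/2009:18:06:44 -0400] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.10) Gecko/2009042700 Ubuntu/9.04 Firefox/3.0.10"
203.0.113.10 - - [23/May/2009:18:07:03 -0400] "GET /docs HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
"""

# Combined log format: client IP first, User-Agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# A ".NET CLR" token followed by a three-part version number.
CLR_RE = re.compile(r'\.NET CLR (\d+\.\d+\.\d+)')


def parse_line(line):
    """Return (client_ip, user_agent) for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("ua")


def clr_versions(user_agent):
    """Return the sorted, de-duplicated .NET CLR versions a User-Agent discloses."""
    return sorted(set(CLR_RE.findall(user_agent)))


def inventory(log_text):
    """Map client IP -> sorted list of disclosed .NET CLR versions.

    Clients whose User-Agent discloses no .NET version are left out, so the
    result is exactly the set of hosts leaking framework information.
    """
    found = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that do not match the expected format
        ip, ua = parsed
        versions = clr_versions(ua)
        if versions:
            found[ip].update(versions)
    return {ip: sorted(v) for ip, v in found.items()}


if __name__ == "__main__":
    for ip, versions in sorted(inventory(SAMPLE_LOG).items()):
        print(f"{ip}: discloses .NET CLR {', '.join(versions)}")
```

Run against a real access log the same function gives an administrator a quick count of how many of their own users' browsers are advertising installed framework versions, which is the information a site operator would otherwise never need to know.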

While you can change the settings via Firefox, and even disable it, the icing on the cake is that you can't actually uninstall it without jumping through hoops. Microsoft's Brad Abrams, in a blog post, said:

We added this support at the machine level in order to enable the feature for all users on the machine.  Seems reasonable right?  Well, turns out that enabling this functionality at the machine level, rather than at the user level means that the "Uninstall" button is grayed out in the Firefox Add-ons menu because standard users are not permitted to uninstall machine-level components.  

Oh, Brad, I'm frightened. What kind of a place is this? No--it doesn't sound reasonable. Microsoft should have published it in Mozilla's add-on directory like everyone else and not quietly changed their biggest (browser) competitor's product, drastically weakening its security in the process.

To uninstall the extension completely, you'll have to follow the steps outlined in Brad's post, which involve registry editing and directly editing Firefox's configuration.

While this is not exactly ground-breaking news here on the internet--there are plenty of pages crying foul with this whole deal--I hadn't heard of it, so it seemed worth posting about to spread the word just a little bit. And we should all review our primary browser's add-ons/extensions on a regular basis.

Labels: Microsoft
| 05-23-2009 06:04 PM

Chris - this is yet another reason I hate all modern browsers.  They're supposed to be your pal, bring you cool content - but they silently turn on you and before you know it they pwn you

| 05-23-2009 07:37 PM

Blatant Stupidity really is alive and well in Redmond....

Chris Sullo | 05-26-2009 02:39 PM


I think it's more MS doing something they shouldn't (in IE or any other browser), but for their part, I would love to see Mozilla come up with a way to prevent this from happening *ever*, no matter how the plugin was installed.

In fact, it would be nice if they could detect a plugin was not installed via user action and put up a big fat alert (I realize, being open source, there are serious complications with this, but... they could try!).

| 06-01-2009 02:09 AM

They can't make either Windows or IE secure, so they try bringing Firefox down to their level... no surprises here!

| 06-01-2009 04:02 PM


| 06-01-2009 09:36 PM

Sniff..sniff...that's really low.

I just dumped MS yesterday like I did AOL 12 years ago for the same practice.

I'm thinking maybe server 2000 edition.

Chris Sullo | 06-03-2009 03:58 PM

Brian Krebs has posted an excellent write-up of how to remove this extension without going through all the registry editing and whatnot as linked above. It involves another Microsoft update which will allow you to uninstall it through the browser. A reader of his also dug up an interesting discussion where the Firefox developers argue about whether this "functionality" should be considered a bug or not.


| 10-04-2009 10:56 AM

cool blog
