Microsoft Update Quietly Installs Firefox Extension

    A routine security update for a Microsoft Windows component installed on tens of millions of computers has quietly installed an extra add-on for an untold number of users surfing the Web with Mozilla's Firefox Web browser.
    Earlier this year, Microsoft shipped a bundle of updates known as a "service pack" for a programming platform called the Microsoft .NET Framework, which Microsoft and plenty of thirdparty developers use to __[VERB]__ a variety of interactive programs on Windows.
    The service pack for the .NET Framework, like other updates, was pushed out to users through the Windows Update Web site. A number of readers had never heard of this platform before Windows Update started offering the service pack for it, and many of you wanted to know whether it was okay to go ahead and install this thing. Having earlier checked to see whether the service pack had caused any widespread problems or interfered with third-party programs − and not finding any that warranted waving readers away from this update − I told readers __[A]__
    I'm here to report a small side effect from installing this service pack that I was not aware of until just a few days ago: Apparently, the .NET update automatically installs its own Firefox add-on that is difficult − if not dangerous − to remove, once installed.
    Annoyances.org, which lists various aspects of Windows that are, well, annoying, says "this update adds to Firefox one of the most dangerous vulnerabilities present in all versions of Internet Explorer: the ability for Web sites to easily and quietly
install software on your PC." I'm not sure I'd put things in quite such dire terms, but I'm fairly confident that a decent number of Firefox for Windows users are rabidly anti-Internet Explorer, and would take umbrage at the very notion of Redmond monkeying with the browser in any way.
    Big deal, you say? I can just uninstall the add-on via Firefox's handy Add-ons interface, right? Not so fast. The trouble is, Microsoft has disabled the "uninstall" button on the extension. What's more, Microsoft tells us that the only way to get rid of this thing is to modify the Windows registry, an exercise that − if done imprecisely − can cause Windows systems to fail to boot up.
    Anyway, I'm sure it's not the end of the world, but it's probably infuriating to many readers nonetheless. Firstly − to my readers − I apologize for overlooking this..."feature" of the .NET Framework security update. Secondly − to Microsoft − this is a great example of how not to convince people to trust your security updates.

(Adapted from http://voices.washingtonpost.com/securityfix/2009/05/microsoft_update_quietly_insta.html)