• February 3, 2009

When will Microsoft learn…

 

Once again, Microsoft has decided that when you install a “critical” security patch via their Update service, they can silently add unrequested software, and that not only is this OK, but no one will notice.

Hah!

This time around it’s the release of the .NET v3.5 Service Pack 1, which will also silently add a Firefox extension (even if you don’t have Firefox installed, and yes, that’s possible). You will never be asked whether this is OK, and what’s more, you can’t easily uninstall it.

Yeah. Real cute.

So here’s how they do it. Here is how to remove the offending extension if you are so inclined. And here’s someone else who discovered the same thing, so props to him.

 

So what has Microsoft done wrong with this? Simply:

  1. Modified a user’s third-party application without permission, from either the user or the third-party vendor (Mozilla)
  2. Created yet another potential channel for unsolicited software installs (ClickOnce)
  3. Prevented the average end-user from being able to uninstall the unsolicited extension
  4. Deceived users by implying this was a critical security patch when in reality it is much more

Anyone who has any version of .NET installed will be offered v3.5 as a critical security patch when they use Windows Update. If you have Windows Update set to update automatically, then you’ve just been given a new Firefox extension.

It does not appear that this is the case with Vista users, though that is not fully confirmed yet.