Microsoft has decided to write an extension for Firefox on Windows. No that is not good news. Though I’ve watched this go back and forth over several blogs over a few days, the story was not reported in quite the same way, and I wasn’t willing to install Firefox in order to test it.
I see that one of the columnists at ZDNet has given his view on the situation, after some sitting back also.
The good news is that Microsoft is writing extensions for Firefox. The bad news is, the Redmond giant is slipping the extension onto systems without notifying users and making it difficult to get rid of the extension. Even worse? It’s an extension that allows Web sites to install software onto users’ PCs behind the scenes — meaning that Firefox users on Windows may not be as safe as they think.
Brian Krebs, who originally recommended the .Net Framework that sneaks the extension into Firefox writes:
Anyway, I’m sure it’s not the end of the world, but it’s probably infuriating to many readers nonetheless. Firstly — to my readers — I apologize for overlooking this…”feature” of the .NET Framework security update. Secondly — to Microsoft — this is a great example of how not to convince people to trust your security updates.
Krebs is right: It’s not the end of the world. But it seems like a violation of user trust to monkey with a third-party program — and top it off by making it difficult to remove the extension without editing the Windows Registry. By using the update mechanism to sneak software onto the system, Microsoft is telling security conscious users to be suspicious of updates and to deploy them only after they’ve been widely vetted, or choose a more trustworthy vendor.
As a Linux user, it makes little difference to me what Microsoft does via Windows Update –users on openSUSE and other Linux distros can see exactly what updates will do to their system: Down to the source code, if they choose to take the time.
But, failing a source code audit, Microsoft could at least provide a full disclosure of the packages and features modified when a user runs Windows Update. Without that, users should be wary indeed of trusting Microsoft’s updates — and missing a trust relationship for security updates, users should be wary of running Windows in the first place.
I had seen it reported that the fix was very easily done, and that reporter thought that, because of this, it is no big deal.
But editing the registry is something many won’t do, and besides, why should Microsoft be trying to alter anything that they have not authored? Simply because Firefox isn’t commercial doesn’t mean that Microsoft is within its rights to do this.
It also should not be trying to sneak this onto people’s systems. They might own the operating system, but they don’t own the hardware, and beyond that, the company should have learned its lesson with the Windows Genuine Advantage fiasco.
Is Microsoft a company that can’t learn from its mistakes? It certainly seems that way. I’m guessing that the Redmondians think that the DOJ is too busy with other things these days.
|When in doubt tell the truth.- Mark Twain|