If you’re wondering what Microsoft is doing producing a plug-in for Mozilla Firefox, then perhaps you haven’t heard the complaints from Firefox users who are not only wondering how that Microsoft plug-in got there, but are puzzled as to how to get rid of it. Today, Firefox users are seeing an update for that plug-in in their Automatic Updates for Windows XP, Vista, and Windows 7 RC.
Whenever Microsoft automatically installs a service with an Orwellian sounding title, automatically folks become skeptical. In this case, the .NET Framework Assistant is a device that allows a kind of security pre-authorization feature that Microsoft tried to make prettier with the marketing name ClickOnce — which works in Internet Explorer — to extend to Firefox.
ClickOnce’s principal appeal is for .NET developers. Specifically, it enables them produce applications and Web apps that, just like unmanaged binaries, are capable of being updated automatically, without complete reinstallation. That sounds simple enough, except that there’s a security issue associated with this that ClickOnce tries to solve: Reinstallation can change the contents of a user’s system, and anything that does that — at least by default — requires administrator privileges. However, a user may want her app to be automatically updated without being bothered about the whole privileges mess (just recall how Vista users’ general appreciation of User Account Control).
So ClickOnce enables a kind of “permission granted” trick, elevating the privilege of a .NET application that was installed using administrator privileges to begin with. As Microsoft’s documentation explains it, “With Microsoft Windows Installer deployment, whenever an application is updated, the user must reinstall the whole application; with ClickOnce deployment, you can provide updates automatically. Only those parts of the application that have changed are downloaded, and then the full, updated application is reinstalled from a new side-by-side folder.”
The fact that Microsoft developed a feature, and gave it a marketing name, for a way for a .NET application to intentionally circumvent a security feature that Microsoft also developed, has given some users cause for skepticism. It’s the feeling that there may be some kind of “back door” for Microsoft security that was the original impetus for users jumping from Internet Explorer to Firefox in the first place.
While ClickOnce is a feature familiar to developers, the first instance of Firefox users encountering .NET Framework Assistant has been when Firefox users locate it in their plug-ins panel, and thinking it’s not something they authorized in the first place, try to uninstall it. They can’t, because the “Uninstall” button is greyed out.
As Microsoft .NET engineer Brad Abrams explained it last February, the reason users can’t uninstall the Assistant plug-in is — ironically enough — because of a privilege violation issue. Since it has to be installed at the machine level to enable machine-level privileges, as per protocol, it cannot then be uninstalled at the user level, by someone with lesser privileges.
“We added this support at the machine level in order to enable the feature for all users on the machine. Seems reasonable right? Well, turns out that enabling this functionality at the machine level, rather than at the user level means that the ‘Uninstall’ button is grayed out in the Firefox Add-ons menu because standard users are not permitted to uninstall machine-level components.”
In a May update to that blog post, Abrams said that his team was working on a fix that, at the very least, addressed the uninstall-ability issue. That fix is showing up today, although Betanews tests show that the Uninstall button does remain greyed. However, a Microsoft bulletin does reveal at least two new uninstallation methods that are somewhat simpler for users (especially for folks familiar with Firefox) than making hacks to the System Registry, which is what was required before.
Perhaps the simplest such method involves pulling up the about:config page from Firefox’s address bar, then locating the preference item general.useragent.extra.microsoftdotnet, right-clicking on it, selecting Reset, and restarting the browser.