Shady Microsoft Plugin Pokes "Critical" Hole In Firefox Security (gizmodo.com)
56 points by tvon on Oct 17, 2009 | hide | past | favorite | 27 comments



Adobe, Skype, and almost every client software developer automatically and silently adds plugins to Firefox and other browsers. I recommend looking at your list of Firefox add-ons now (especially the plugins tab) and see how many of them were never specifically added to Firefox by you.

This is the kind of situation where the software vendor is damned if they do and damned if they don't. Mozilla simultaneously complains when they aren't getting the same treatment as IE, and when they do. People hate multi-page installation wizards that ask them to check all kinds of boxes; people hate when the software decides automatically what to do in order to avoid those pages of checkboxes.


Why doesn't Firefox make it so that the only way a plugin can be installed is with user confirmation? I'd never want a plugin automatically installed without knowing about it (I've never had that happen, but it may be different on OS X).


That's impossible under traditional system configurations. Windows Update can always update whatever "user has confirmed" record Firefox stores, because it has administrative access to the machine.


Surely just make the [user confirmed plugin install] update something with a secret hash token.

When Firefox starts, it checks that each plugin has been explicitly accepted by the user. If not, it alerts them.

Sure, you could reverse engineer the signing token, and hack around it, but that wouldn't get you many friends.
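
The check described in the comment above, as an added example that is not code from the thread, from Mozilla, or from any plugin vendor: a script that records a SHA-256 digest for each plugin file the user has explicitly approved and, on the next run, reports any plugin that is new, changed, or missing. The plugin directory, the manifest file name and the plugin file contents are all constructed for the demo; no real plugin bytes are used. As the reply below this comment notes, the manifest lives on the same disk and is only as tamper-proof as the file system permissions around it, so this detects silent installs by well-behaved installers rather than deliberate tampering by something that already runs as administrator.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large plugin binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def load_manifest(manifest_path: Path) -> dict:
    """Manifest maps plugin file name -> approved digest; missing file means nothing approved yet."""
    if not manifest_path.exists():
        return {}
    return json.loads(manifest_path.read_text())


def save_manifest(manifest_path: Path, manifest: dict) -> None:
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def approve(manifest: dict, plugin_dir: Path, name: str) -> dict:
    """Record the user's explicit approval of one plugin as it exists right now."""
    manifest[name] = sha256_of(plugin_dir / name)
    return manifest


def check_plugins(plugin_dir: Path, manifest: dict) -> dict:
    """Classify every plugin file as 'approved', 'new', 'changed' or 'missing'.

    'new'     -> present on disk, never approved by the user (the silent-install case)
    'changed' -> approved before, but the bytes differ (silent update or replacement)
    'missing' -> approved before, no longer on disk (uninstall, or something removed it)
    """
    present = {p.name: sha256_of(p) for p in sorted(plugin_dir.iterdir()) if p.is_file()}
    report = {}
    for name, digest in present.items():
        if name not in manifest:
            report[name] = "new"
        elif manifest[name] != digest:
            report[name] = "changed"
        else:
            report[name] = "approved"
    for name in manifest:
        if name not in present:
            report[name] = "missing"
    return report


def demo() -> dict:
    """Run the whole flow on a constructed plugin directory; returns both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin_dir = Path(tmp) / "plugins"          # constructed stand-in for the browser's plugin folder
        plugin_dir.mkdir()
        manifest_path = Path(tmp) / "approved_plugins.json"  # constructed manifest location
        (plugin_dir / "npflash.dll").write_bytes(b"constructed flash plugin bytes")
        manifest = approve(load_manifest(manifest_path), plugin_dir, "npflash.dll")
        save_manifest(manifest_path, manifest)

        # Later: a system update drops a second plugin in without asking.
        (plugin_dir / "npdotnet.dll").write_bytes(b"constructed .NET assistant bytes")
        first = check_plugins(plugin_dir, load_manifest(manifest_path))

        # Later still: the approved plugin is silently replaced by a new build.
        (plugin_dir / "npflash.dll").write_bytes(b"constructed flash plugin bytes v2")
        after_update = check_plugins(plugin_dir, load_manifest(manifest_path))
        return {"first": first, "after_update": after_update}


if __name__ == "__main__":
    for stage, report in demo().items():
        for name, status in sorted(report.items()):
            flag = "" if status == "approved" else "  <- alert user"
            print(f"{stage}: {name}: {status}{flag}")
```

Anything other than "approved" is what the startup prompt would surface; whether a "changed" plugin should be re-prompted or trusted as a routine vendor update is a policy choice the thread itself disagrees on.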


Neither does including anti-Microsoft code in your product. (it doesn't protect against shadier players because those don't care about having friends.)


That's not anti-MS. That's just good security. I'd like to know when something is messing with my browser executable.


Like I said, it's not effective. If malware wants to futz with your browser executable, it's just going to patch the executable, not conveniently go through the plugin interface around which you've designed some forgeable security token.


the software vendor is damned if they do and damned if they don't.

Not true - the biggest problem with Microsoft's add-on was the lack of an easy method of uninstalling it. All I ask is that vendors do two things when installing add-ons to Firefox:

1. Ask my permission before installing.

2. Let me easily uninstall the add-on.


I recommend looking at your list of Firefox add-ons now (especially the plugins tab) and see how many of them were never specifically added to Firefox by you.

That's a good suggestion. I usually only look at the Extensions tab from the Add-ons menu, and the Plugins tab includes plug-ins I just had to look up on Google to even know what they are.

After edit: I just got the reminder from Firefox to restart to disable those Microsoft add-ons only just now, more than an hour after this thread opened. I should have already had a relevant Microsoft update by now, but Firefox is treating the add-ons as untrustworthy, and that's all right by me.


The minute I saw the Microsoft add-on in Firefox that I hadn't requested I disabled it. Same thing with Skype, Google bar, Yahoo bar, and any other add-on that slips through my obviously lacking scrutiny.

Wish they'd just stop. Then again I wish automatically updated things I want. I see your point.


I seem to recall Microsoft criticizing Chrome Frame for making IE less secure just a few weeks ago...


In a weird way this kind of does prove their point.

Of course it also goes to the point that Microsoft just cannot make anything browser related even slightly secure.


That is so ironic. At the same time you have to wonder if maybe they did it on purpose. Now all we need is for Firefox to mess around with Chrome security and it will have gone full circle.


I wonder if people who support this move would support Microsoft adding Chrome Frame to IE's ActiveX blacklist under the same circumstances.


If it made IE vulnerable to a drive-by owning, and was installed without the express permission of IE's users? I find it hard to imagine an argument against blacklisting it. So far all we have is conjecture though.


Great... I actually JUST got a popup from Firefox about this. This is why I don't use my old windows laptop for anything important.


Ack, I got this notice from Fx last night. Yikes!


Yeah, me too, and I was confused, and after reading this I removed it from my Windows Vista laptop. Damn MICROSOFT! Just kill IE already!


The exact same thing happened to me and I felt the need to comment about it. Such coincidences...


The only reason I kept from switching to Opera was that I would have to re-learn some keyboard shortcuts.

But you know what? I don't care anymore. Firefox has become too bloated anyway, and this just seals the deal.


You can actually remap all the Opera keyboard shortcuts to match your preferences - it's reasonably robust.

Tools -> Preferences -> Advanced -> Shortcuts


From a legal point of view, how can they justify silently and without my approval modifying non-Microsoft software running on my computer?


They didn't modify FF. FF includes a way to use plugins. They just put a plugin in a specified place. They didn't really change anything about other programs.


I'm not talking about technical aspects here. Firefox had no known security holes before the update. They clearly modified it in some way. How they did it is irrelevant. They should be liable, whether they modified FF directly or indirectly via plugins etc. What they did fits the definition of malware to the letter: http://en.wikipedia.org/wiki/Malware

(Oh, and for the record, I'm not an anti-MS zealot, it's just kinda scary to think about the power MS has, to push updates to HUNDREDS of millions of PCs. I think with that power should also come great responsibility)


The patch has been out for a week. You've already got it if you're running Windows update. Firefox's reaction was all post-patch.

Lots of things install themselves in your browser to work. Acrobat, Java, etc. (In fact, the add-in is mostly equivalent to Java.)

I don't have sympathy with people who are worried about running a few thousand lines of Microsoft code on a platform that already contains hundreds of millions of lines of it.

On the other hand, the lack of uninstall is just bad. Microsoft is reliable about shooting itself in the foot, that's for sure.


There's a distinction though. Acrobat, Java, and others all asked to be let into Firefox. They update silently after that but they initially asked permission. If Microsoft made a .Net Assistant plug-in I can't imagine people would be upset.

But using Windows update (which most expect to update "Windows" not your other programs) is, imho, considered sneaking it in.


This is the geek's way of looking at the world, where we are God Lord and Master of all bits on our computer.

The average user is not. They do not understand that the browser and the operating system are separate. For that matter, they don't understand that the browser is not the Internet or Google.

(If you've ever done technical support for a web application with non-technical end users you end up answering many, many fun questions such as "I signed up for your website at home -- can I also use it at school? My email address there is different.")

Asking users to make complex install/update/etc decisions is asking users to fail. They should be presented with sensible defaults and a minimum of fuss. Windows Update is quite sensible: "This comes turned on. Turn it off only if you understand what you're doing. As long as you keep it on, we'll keep you mostly covered." Installing ActiveX, Java, Adobe PDF Reader, and Flash by default is also very sensible, because otherwise many users will have "The Internet is broken!" experiences.



