Brian Ladd’s Blog – Notes on Life

Just another weblog

Uninstalling the Clickonce Support for Firefox

Uninstalling the Clickonce Support for Firefox

A couple of years ago we heard clear feedback from folks that they wanted to enable a very clean experience with launching a ClickOnce app from FireFox.  James Dobson published FFClickOnce and got very good reviews, but we had many customers that wanted ClickOnce support for Firefox built into the framework… so in .NET Framework 3.5 SP1 we added ClickOnce support for Firefox!     This made ClickOnce apps much more accessible to a wide range of customers.

We added this support at the machine level in order to enable the feature for all users on the machine.  Seems reasonable right?  Well, turns out that enabling this functionality at the machine level, rather than at the user level means that the “Uninstall” button is grayed out in the Firefox Add-ons menu because standard users are not permitted to uninstall machine-level components.

Clearly this is a bit frustrating for some users that wanted an easy way to uninstall the Clickonce Support for Firefox.  But good news!  We have a fix in place (enabling each user to uninstall the feature for themselves) and our testing team is making sure that is rock-solid now.. I expect that to be out in the next few weeks.   I’ll be sure to post more information on that when I have it.

Update (5/2009):  We just release an update to .NET Framework 3.5 SP1 that makes the firefox plug in a per-user component.  This makes uninstall a LOT cleaner.. none of the steps below are required once this update is installed.

Update to .NET Framework 3.5 SP1 for the .NET Framework Assistant 1.0 for Firefox

In .NET Framework 3.5 SP1, the .NET Framework Assistant enables Firefox to use the ClickOnce technology that is included in the .NET Framework. The .NET Framework Assistant is added at the machine-level to enable its functionality for all users on the machine. As a result, the Uninstall button is shown as unavailable in the Firefox Add-ons list because standard users are not permitted to uninstall machine-level components. In this update for .NET Framework 3.5 SP1 and in Windows 7, the .NET Framework Assistant will be installed on a per-user basis. As a result, the Uninstall button will be functional in the Firefox Add-ons list. This update will also make this version of the .NET Framework Assistant for Firefox compatible with future versions of the Firefox browser. Updates to the .NET Framework Assistant may include updates to the Windows Presentation Foundation Plug-in for Firefox causing it to be enabled upon its initial update.


In the meantime, if you want to disable the Clickonce Support for Firefox here are the steps directly from the dev in charge..

Stop-gap Solution To uninstall the ClickOnce support for Firefox from your machine

1) Delete the registry key for the extension

i.                     From an account with Administrator permissions, go to the Start Menu, and choose ‘Run…’ or go to the Start Search box on Windows Vista

ii.                   Type in ‘regedit’ and hit Enter or click ‘OK’ to open Registry Editor

iii.                  For x86 machines, Go to the folder HKEY_LOCAL_MACHINE > SOFTWARE > Mozilla > Firefox > Extensions

For x64 machines, Go to the folder HKEY_LOCAL_MACHINE > SOFTWARE > Wow6432Node > Mozilla > Firefox > Extensions

iv.                 Delete key name ‘{20a82645-c095-46ed-80e3-08825760534b}’

OR alternatively

i.                     Open a command prompt window (must be ‘run as Administrator’ on Vista and later)

ii.                   Copy and paste the appropriate command below and hit ‘Enter’

For x86 machines:
reg DELETE “HKLM\SOFTWARE\Mozilla\Firefox\Extensions” /v “{20a82645-c095-46ed-80e3-08825760534b}” /f

For x64 machines:
reg DELETE “HKLM\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions” /v “{20a82645-c095-46ed-80e3-08825760534b}” /f

2) Reset the changes made to the Firefox user agent

i. Launch Firefox, go to the Firefox address bar and type in ‘about:config’

ii. Scroll down or use ‘Filter’ to find Preference name ‘general.useragent.extra.microsoftdotnet’

iii. Right-click on the item and select ‘reset’

iv. Restart Firefox

3) Remove the .NET Framework extension files

i. Go to the Start Menu, and choose ‘Run…’ or go to the Start Search box on Windows Vista

ii. Type in ‘explorer’ and hit Enter or click ‘OK’

ii. Go to ‘%SYSTEMDRIVE%\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\’

iii. Delete the ‘DotNetAssistantExtension’ folder and all its contents

Published 27 February 09 12:00 by BradA

# Silvr said on April 1, 2009 4:18 AM:
According to (

“This update adds to Firefox one of the most dangerous vulnerabilities present in all versions of Internet Explorer: the ability for websites to easily and quietly install software on your PC.”

Question is :

Is the above statement true. Is Brad Adams or anyone from Microsoft able to disprove it.

I respect this site since it gave me a lot of help for a lot of stuff microsoft had long-since discontinued support for, and it has provided me great troubleshooting advice.

I agree with other comments that this  secret install borders on the level of malware.(Sony anyone?)

It was stupid on Microsofts part for the following reasons :

1. Risking flak from security community and firefox community(if this indeed creates vulnerabilities in firefox)

2. Add the fact this was install without any user notification or consent. All my other plugins and extensions were installed with permission from me.

3. Risk antitrust allegations for using microsoft update to promote microsoft products over other(java).


June 1, 2009 Posted by | General Computer Tech, Security, Windows / Microsoft | Leave a comment

Microsoft Update Quietly Installs Firefox Extension

Microsoft Update Quietly Installs Firefox Extension

A routine security update for a Microsoft Windows component installed on tens of millions of computers has quietly installed an extra add-on for an untold number of users surfing the Web with Mozilla’s Firefox Web browser.

Earlier this year, Microsoft shipped a bundle of updates known as a “service pack” for a programming platform called the Microsoft .NET Framework, which Microsoft and plenty of third-party developers use to run a variety of interactive programs on Windows.

The service pack for the .NET Framework, like other updates, was pushed out to users through the Windows Update Web site. A number of readers had never heard of this platform before Windows Update started offering the service pack for it, and many of you wanted to know whether it was okay to go ahead and install this thing. Having earlier checked to see whether the service pack had caused any widespread problems or interfered with third-party programs — and not finding any that warranted waving readers away from this update — I told readers not to worry and to go ahead and install it.


I’m here to report a small side effect from installing this service pack that I was not aware of until just a few days ago: Apparently, the .NET update automatically installs its own Firefox add-on that is difficult — if not dangerous — to remove, once installed., which lists various aspects of Windows that are, well, annoying, says “this update adds to Firefox one of the most dangerous vulnerabilities present in all versions of Internet Explorer: the ability for Web sites to easily and quietly install software on your PC.” I’m not sure I’d put things in quite such dire terms, but I’m fairly confident that a decent number of Firefox for Windows users are rabidly anti-Internet Explorer, and would take umbrage at the very notion of Redmond monkeying with the browser in any way.

Big deal, you say? I can just uninstall the add-on via Firefox’s handy Add-ons interface, right? Not so fast. The trouble is, Microsoft has disabled the “uninstall” button on the extension. What’s more, Microsoft tells us that the only way to get rid of this thing is to modify the Windows registry, an exercise that — if done imprecisely — can cause Windows systems to fail to boot up.

When I first learned of this, three thoughts immediately flashed through my mind:

1) How the %#@! did I miss this?

2) The right way would have been to just publish the add-on at Mozilla’s Add Ons page.

3) This kind of makes you wonder what else MS is installing without your knowledge.

Then I found that I wasn’t the only one who had these ideas. Microsoft has heard these criticisms from others who long ago commented on this unfortunate development (see the comments underneath this post).

Anyway, I’m sure it’s not the end of the world, but it’s probably infuriating to many readers nonetheless. Firstly — to my readers — I apologize for overlooking this…”feature” of the .NET Framework security update. Secondly — to Microsoft — this is a great example of how not to convince people to trust your security updates.

// By Brian Krebs  |  May 29, 2009; 7:40 AM ET

June 1, 2009 Posted by | General Computer Tech, Security, Windows / Microsoft | Leave a comment

While nobody is looking…

During the inauguration of the United States of America’s 44th President Barrack Obama, while no one is looking and the media is flooded with coverage of the event and every possible detail, the Washington Post decides to publish this article about a massive data breach where millions of credit card transactions may have been compromised.  Why post this during the inauguration?  Couldn’t they have posted this the day after so that other news agencies and media outlets could pickup the story and get the word out that the compromise of a credit card processing company had happened?

Well, the short version is Heartland Payment Systems was infected with a sniffer application on their network and had millions of transaction recorded.
“Brian Krebs over at the Washington Post just published a story that Heartland Payment Systems disclosed what may be the largest data breach in history. Today. During the inauguration. Heartland processes over 100 million transactions a month, mostly from small to medium-sized businesses, and doesn’t know how many cards were compromised. The breach was discovered after tracing fraud in the system back to Heartland, and involved malicious software snooping their internal network. I’ve written some additional analysis on this and similar breaches. It’s interesting that the biggest breaches now involve attacks installing malicious software to sniff data — including TJX, Hannaford, Cardsystems, and now Heartland Payment Systems.”

January 21, 2009 Posted by | General Computer Tech, Politics, Security, World News | Leave a comment

Wow.  I hate advertisers.  I really hate those advertisers that actually think that invading my privacy and treating my like nothing more than a target for their flying garbage.

“Lexus has announced plans to send targeted messages to buyers of its cars based on the buyer’s zip code and vehicle type. Unlike regular spam, these messages will be delivered directly to the buyer’s vehicle, and will play to the vehicle’s occupants as audio. Lexus has promised to make the messages relevant to the car buyers.” Imagine the fun that some targeted malware could do — not that such a thing could happen to a Lexus.

January 9, 2009 Posted by | Copyright / P2P / Law, Security | Leave a comment

FTC kills scareware operation that duped over a million users

“The Federal Trade Commission today got a court to at least temporarily halt a massive ‘scareware’ scheme, which falsely claimed that scans had detected viruses, spyware, and pornography on consumers’ computers. According to the FTC, the scheme has tricked more than one million consumers into buying computer security products such as WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus. The court also froze the assets of Innovative Marketing, Inc. and ByteHosting Internet Services, LLC to preserve the possibility of providing consumers with monetary redress, the FTC stated.”
I have been waiting for this to happen.  I have fought this garbage software many times overthe lest few years, and I keep seeing it.   Several variations of the same crap.  Regardless of the details, same basic principles.  Convince some poor user that their computer will roll over and explode in a few minutes unless they pay for the software that is causign the problem.  Regretfully, as the software vendor is outside of US jurisdiction, I doubt this will be any more than an minor annoyance for the crooks.

December 11, 2008 Posted by | General Computer Tech, Security | Leave a comment

Massive hole in windows..(another one anyway)

“The worm exploiting a critical Windows bug that Microsoft patched with an emergency fix in late October is now being used to build a fast-growing botnet, said Ivan Macalintal, a senior research engineer with Trend Micro. Dubbed ‘Downad.a’ by Trend (and ‘Conficker.a’ by Microsoft and ‘Downadup’ by Symantec), the worm is a key component in a massive new botnet that a new criminal element, not associated with McColo, is creating. ‘We think 500,000 is a ballpark figure,’ said Macalintal when asked the size of the new botnet. ‘That’s not as large as some, such as [the] Kraken [botnet], or Storm earlier, but it’s… starting to grow.'”

Some background on this hole and how it works:;jsessionid=8cbbb6719c907342334ffd9256d8?execution=e1s1

Microsoft Response to the hole:

I found proof-of-concept code available through google.  Took all of a minute.

December 2, 2008 Posted by | General Computer Tech, Security, Windows / Microsoft | Leave a comment

iPod Search & Seizure

Copyright deal could toughen rules governing info on iPods, computers

OTTAWA – The federal government is secretly negotiating an agreement to revamp international copyright laws which could make the information on Canadian iPods, laptop computers or other personal electronic devices illegal and greatly increase the difficulty of travelling with such devices.

The deal could also impose strict regulations on Internet service providers, forcing those companies to hand over customer information without a court order.

Called the Anti-Counterfeiting Trade Agreement (ACTA), the new plan would see Canada join other countries, including the United States and members of the European Union, to form an international coalition against copyright infringement.

The agreement is being structured much like the North American Free Trade Agreement (NAFTA) except it will create rules and regulations regarding private copying and copyright laws.

Federal trade agreements do not require parliamentary approval.

The deal would create a international regulator that could turn border guards and other public security personnel into copyright police. The security officials would be charged with checking laptops, iPods and even cellular phones for content that “infringes” on copyright laws, such as ripped CDs and movies.

The guards would also be responsible for determining what is infringing content and what is not.

The agreement proposes any content that may have been copied from a DVD or digital video recorder would be open for scrutiny by officials – even if the content was copied legally.

“If Hollywood could order intellectual property laws for Christmas what would they look like? This is pretty close,” said David Fewer, staff counsel at the University of Ottawa’s Canadian Internet Policy and Public Interest Clinic. “The process on ACTA so far has been cloak and dagger. This certainly raises concerns.”

The leaked ACTA document states officials should be given the “authority to take action against infringers (i.e., authority to act without complaint by rights holders).”

Anyone found with infringing content in their possession would be open to a fine.

They may also have their device confiscated or destroyed, according to the four-page document.

The trade agreement includes “civil enforcement” measures which give security personnel the “authority to order ex parte searches” (without a lawyer present) “and other preliminary measures”.

In Canada, border guards already perform random searches of laptops at airports to check for child pornography. ACTA would expand the role of those guards.

On top of these enforcement efforts, ACTA also proposes imposing new sanctions on Internet service providers. It would force them to hand over personal information pertaining to “claimed infringement” or “alleged infringers” – users who may be transmitting or sharing copyrighted content over the Internet.

Currently, rights holders must collect evidence to prove someone is sharing copyrighted material over the Internet. That evidence is then presented to a judge who issues a court order telling the Internet service provider to identify the customer.

The process can produce lengthy delays.

It is expected the new agreement will be tabled at July’s meeting of G8 nations in Tokyo, Japan.

Fewer has been following the progress of ACTA and has exhausted every avenue at his disposal to gain insight into its details.

He said Friday’s leak of a “discussion paper” which outlines the priorities of the agreement is the first glimpse anyone has into ACTA.

“We knew this existed, we filed an Access to Information request for this but all it provided us with was the title. All the rest of it was blacked out, ” he said. “Those negotiations can take place behind closed doors. At the end of the day we may be provided with something that has been negotiated which is a `fait accompli’ in which civil society gets no opportunity to critique it.”

Fewer expressed concerns about the part of the proposal that calls for ACTA to operate outside of accepted international forums such as the World Trade Organization (WTO), the World Intellectual Property Organization (WIPO) or the United Nations.

In the discussion paper, it is proposed ACTA create its own governing body and be overseen by a committee made up of representatives from member nations.

“This initiative is unprecedented,” he said.

The ACTA discussion paper was leaked online by Sunshine Media, the company that runs the website – a whistleblowing website created to help circulate secret documents.

In October, International Trade Minister David Emerson announced Canada would participate in ACTA’s creation. The initiative was originally aimed at stopping large-scale piracy, such as printing operations that make thousands of copies of movies that are still in theatres.

“We are seeking to counter global piracy and counterfeiting more effectively,” said Emerson at the time. “This government is working both at home and internationally to protect the intellectual property rights of Canadian artists, creators, inventors and investors.”

The new document is reported to be drafted by the Office of the United States Trade Representative.

A spokeswoman with the office refused to comment on the leaked document and directed all questions about ACTA to a short information circular about the initiative.

Michael Geist, Canada research chair of Internet and E-commerce law at the University of Ottawa and expert on Canadian copyright law, blasted the government for advancing ACTA with little public consultation. Geist said documents detailing ACTA’s plans would not need to be leaked online if the process was open and transparent.

“That’s what happens when you conduct all of this behind closed doors,” he said. “The lack of consultation, the secrecy behind it and the speculation that this will be concluded within a matter of months without any real public input is deeply troubling.”

Fewer and Geist said, once Canada signs the new trade agreement it will be next to impossible to back out of it.

In a situation similar to what happened in the Softwood Lumber trade dispute, Canadians could face hefty penalties if it does not comply with ACTA after the agreement has been completed.

The Department of International Trade did not respond to repeated requests for comment.

November 13, 2008 Posted by | Copyright / P2P / Law, Security | Leave a comment

More Vista fun… again…

Vista “Out of Memory” errors by ZDNet‘s Adrian Kingsley-Hughes — You just can’t seem to throw enough memory at Vista.

November 13, 2008 Posted by | Security | Leave a comment

URI Protocol Security Hole

Original Article:

WOW! This is a huge hole into a system. I can use a URL on a web page to launch an application and via the app’s command-line, get that app to perform operations on a remote system.
Wikipedia list’s several official and unofficial URI protocols and their associated applications:

I found the CERT vulnerability listing at: Vulnerability Note VU#403150
I found a blogger posting about his discovery at:
Microsoft KB Article 224816:

Internet Explorer 6 on the workstation I’m writing this entry on, is vulnerable to the URI exploit. I tested this by trying the harmlesss URL “telnet://localhost” on the system just to see if it would launch a telnet window. And… it works!

So, now to see what else I can do with a URI entry….
The blogger I found lists these as examples:

mailto:%00%00../../../../../windows/system32/cmd”.exe ../../../../../../windows/system32/calc.exe ” – ” blah.bat

Just paste that into a IE6 window or a Firefox and watch what happens.
IE7 and Firefox have been updated to be less susceptible to this. However, according to the articles I’ve found, the updated web browsers are still vulnerable, but you have to change the attack vector slightly.

Here’s the original article text:

New URI browser flaws worse than first thought

IDG News Service 8/15/07

Robert McMillan, IDG News Service, San Francisco Bureau
A little-known feature in the Windows operating system can lead to big problems for Web surfers.

Security researchers Billy Rios and Nathan McFeters say they’ve discovered a new way that the URI (Uniform Resource Identifier) protocol handler technology, used by Windows to launch programs through the browser, can be misused to steal data from a victim’s computer.

URI bugs have become a hot topic over the past month, ever since researcher Thor Larholm showed how a browser could be tricked into sending malformed data to Firefox using this technology. This bug allowed an attacker to run unauthorized software on a victim’s PC.

Later, other researchers, including Rios and McFetters, showed how other browsers and applications could be misused to achieve similar goals.

In the past days, however, Rios and McFetters have shifted their focus away from malformed data and have taken a close look at how attackers could simply misuse the legitimate features of software that is launched via the URI protocol handler, something they call “functionality based exploitation.”

Their initial results show that there could be plenty of ways to misuse this technology.

Though they will not name the company responsible for the software, the researchers said they have found a major flaw in a widely used program that could be misused to steal data from a victim’s computer.

“It is possible through the URI to actually steal content form the user’s machine and upload that content to a remote server of the attacker’s choice,” said McFetters, a senior security advisor for Ernst & Young Global Ltd. “This is all through functionality that the application provides.”

Rios and McFetters plan to release the results of their research after the vendor has had a chance to fix the problem, but this may be the beginning of a new round of problems with a technology that is just starting to be scrutinized by security professionals.

“It’s a hacker’s dream and programmer’s nightmare,” said Eric Schultze, chief security architect with Shavlik Technologies LLC. “I think over the next six to nine months, hackers are going to find lots of ways to exploit standard applications to do non-standard functions.”

By using these custom URI protocol names, software developers are trying to make lives easier for their customers. The Windows Registry keeps track of the names and associates them with programs, so that any time they are called up in the browser, the appropriate software is launched.

For example AOL LLC’s instant messenger client uses the name “aim.” So clicking on a Web link that begins “aim:goim” or putting the address “aim:goim” in the browser’s address bar will open an AIM instant message window.

The problem is that software developers have rushed to enable their applications without properly thinking about how they could then be misused by attackers, McFetters said. “We’ve had a hard time with a lot of these applications understanding why these applications are registering the URI at all.”

Firefox, for example, has used the “FirefoxURL” handler so users can launch Firefox out of Internet Explorer. “I still have a hard time understanding why they registered that,” he added.

These URI issues are complicated, even for software developers. Mozilla Corp. initially thought that Larholm’s bug needed Internet Explorer in order to be triggered, but this assessment turned out to be wrong, and two weeks later the Firefox team was forced to patch the same problem. “If an organization like Mozilla is having issues with understanding how a URI handler increases the scope and the attack surface of their applications, think about how hard it is for a small development shop,” McFetters said.

Microsoft is working to educate users and developers about these security issues, but there’s only so much that it can do, said Mark Griesi, a security program manager with Microsoft.

Griesi said that he does not see any of these URI issues as something that needs to be fixed in Windows or Internet Explorer. That’s up to the individual software developers whose programs may be misused. “Security is an industry responsibility and this is certainly a case of that [principle],” he said. “It’s not Microsoft’s position to be the gatekeeper of all third-party applications.”

November 13, 2008 Posted by | Security | Leave a comment

Vista Vulnerabilities

MBR attack Vector

August 12, 2008 Posted by | Security, Windows / Microsoft | Leave a comment