I seem to be late to this party, but one of the security updates for Windows XP (.NET 3.5) silently installs a Firefox plugin that:
- tells every web server you visit which version of the .NET framework you have, in my case
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7 (.NET CLR 3.5.30729) - allows websites to install software on your desktop using ClickOnce, a mechanism so abysmally stupid in its insecurity it gives ActiveX a run for its money.
The reason why Microsoft is doing this is to increase penetration of its also-ran Silverlight competitor to Flash for the 20-30% of Windows users who use Firefox instead of Internet Exploder. To make matters worse, the plugin uninstallation button is grayed out. A Microsoft staffer has published instructions on removing this on his blog.
This behavior is of course completely unacceptable. Perhaps Adobe will now join the line of Microsoft-bashers at the European Commission.
Update (2009-10-18):
Good news: Mozilla responded quickly to block this piece of malware. That should also disable Silverlight altogether. Two birds with one stone.
I decided to take action and wrote a letter (PDF) to EC Commissioner Neelie Kroes, apparently the only person in the world who has the cojones to confront Microsoft about its practices.
