Yesterday, I installed the SP1 of Visual Studio 2008, which included the .NET v3.5 SP1 as well. I was a bit surprised when the installer requested I close Firefox, but the Silverlight API installer wanted the same thing, so I just complied and let it go to work. Needless to say, when I finally got done installing the SP1 (about two hours later), I was awfully surprised to be greeted with this:
I was surprised, since I didn’t recall being asked to install any Firefox extensions, and I was pretty annoyed about it, so I just decided to tweet about it, telling the rest of twitter “VS 2008 SP1 installs a Firefox Extension without telling me about it. NOT COOL “. Surprisingly to me, about 4 hours later, I started to hear from the firefox_answers people on twitter, who hadn’t heard of this yet, and wanted more information. Once I told them about the extension, they were a bit annoyed, tweeting back “@foxxtrot Ugg. Not asking is really lame. I’ll forward that on to the Firefox add-ons team and let them follow up with Microsoft.”
So far, the primary annoyance has been that Microsoft never asked before installing this extension. Since I was a bit fuzzy about what it was for, I decided to go ahead and look it up as well. First problem I ran into, as that the extension wasn’t installed in either my Profile extension folder, or the Firefox install directory extension folder. Frankly, I didn’t even know that was possible, so I was a bit confused. Luckily, my extensions.cache file in my profile pointed me in the right direction. The extension had been hidden away at “C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension". The hunt, it was on.
But first, how did this install there in the first place? And how did it end up in my profile? Well, it turns out that Mozilla implemented a registry hack to make it easier for third-party developers to do exactly this. If you open up regedit, and go to “HKEYLOCAL*MACHINE\SOFTWARE\Mozilla\Firefox\Extensions”, programs can drop values in this registry key that will cause extensions to be automatically installed in *every instance of Firefox on the system. Something similar exists for Thunderbird as well. But hey, at least the feature is documented. I’m not sure why this is allowed, but it is, and I think it’s best people know all the ways that extensions can be added to their browsers.
Moving on to what the extension actually does. It has two parts. First, it modified the User-Agent of the browser to add .NET Framework information to it. With the “Report all installed versions of the .NET Framework to web servers” option not checked, my User-Agent becomes this:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:22.214.171.124) Gecko/2008070208 \ Firefox/3.0.1 (.NET CLR 3.5.30729)
If I do check that box, I end up with this:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:126.96.36.199) Gecko/2008070208 \ Firefox/3.0.1 (.NET CLR 2.0.50727; .NET CLR 3.0.30618; .NET CLR 3.5.21022; .NET CLR 3.5.30729)
An amazing amount of information to be dumping across the wire to every single website I visit. This isn’t even fucking Silverlight related, and I that’s the only reason I can think of why a web server would ever need to know what versions of .NET I have installed. Ever. These values are coming out of the registry at “HKEYLOCALMACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform”.
I can only assume it has something to do with this ClickOnce.aspx) stuff that Microsoft is pushing with the Windows Presentation Foundation.aspx). So, what is ClickOnce? In a nutshell, Microsoft is trying to change the way that software is installed on windows. Currently it relies on ‘setup.exe’ files, or .msi files. While those will never really go away (particularly .msi, which is great in the Enterprise), Microsoft has apparently decided that the better way to go is to tap into all that web hosting that everyone has access to these days.
Basically, a ClickOnce file is a special XML file with the ‘application’ extension, and Mime-Type: application/x-ms-application. Oh, and the Firefox Extension will ignore the Mime type is the file has the ‘application’ extension. Wouldn’t want to make people configure their web servers correctly, now would we? The application file contains basic information about the application, including a cryptographic signature to ensure…something. The keys aren’t required to be registered with anyone, so the key really just proves the app was built with ‘approved’ tools. .NET does this a lot actually. All assemblies must be signed, but that signature just means someone had the ability to sign something. It provides very little in additional security. I suppose you could probably opt to blacklist certain keys, but keys are easy to generate, so really it’s kind of a waste of time. My guess is that it’s the first step to cryptographic software registration, but that might just be the foil hat I’m wearing.
Once the file is downloaded, it’s immediately run through the PresentationHost application, which will likely download the necessary assemblies and immediately start to run the application. It’s pretty simple.
But what are the security implication? Absolutely anytime you download an application, it’s a potential security risk. Only download software from sites and developers you can trust. Ultimately, this doesn’t bother me too much for the idea of ClickOnce. It’s a more convenient way to download software, and frankly, Java has been doing this for years with Java Web Start. What does bother me is the fact that Microsoft will send anything to PresentationHost which has a .application extension. This makes it pretty easy to build faulty .application files and upload them, though that was never impossible, as the MIME-type could have been changed anyway.
So, ClickOnce is a security risk, but it’s not much more of a security risk than downloading anything off the Internet. If it’s riskier at all, it’s because the easier something is, the less people think about it. Though you can make people think too hard, making something easier should be balanced with security concerns. Ultimately, my biggest problem was that I didn’t sign up for a new Firefox extension to be installed. I was installing .NET. Plus, I don’t particularly want ClickOnce. For one thing, the only WPF app I am at all aware of is BabySmash, Scott Hanselman’s “Learning WPF Project”. For another, I would far prefer taking a few more steps to be sure of what I’m getting and from where, before I install it.