14 DAY TRIAL // A Windows update marked as important and delivered to users earlier this week installed a Firefox extension without asking for consent. Microsoft claims the incident was caused by a bug and has since fixed the faulty update.
After Microsoft's latest Patch Tuesday, reports of a mysterious “Search Helper Extension” add-on suddenly popping up in people's Firefox installations, coming in from all over the Internet. The silent install was eventually traced back to an item called “Update for Microsoft Search Enhancement Pack,” which, according to Microsoft, is an update for Windows Live Toolbar, MSN Toolbar, and Bing Bar.
“In an Internet browser, you specify a homepage that is not a fully qualified URL. However, Windows Live Toolbar, MSN Toolbar, or Bing Bar may not categorize your homepage correctly. Therefore, the homepage reporting may be generated incorrectly for users who select the Help improve our services option when they install these toolbars,” the corresponding Microsoft knowledge base article explains.
Some people have questioned the necessity of pushing this update as “important” in the first place, since it is neither a security fix nor a core functionality enhancement, and only affects users who accepted an optional setting. However, the more dubious behavior remains the clandestine installation of a component into a third-party application, even for users who do not need it.
A lot of people in the Mozilla community have expressed their anger over this incident, especially since this is the second time when a Microsoft-developed extension is forced onto Firefox users in a similar manner. Last year, a security update for .NET Framework 3.5 SP1, marked as important, installed a Firefox add-on called .NET Framework Assistant without any notification.
However, according to Microsoft, unlike the .NET Framework Assistant installation, which was intentional, the new situation was an accident generated by a bug in the update. “Unfortunately, we discovered a bug in the latest update that was installing the Firefox extension for users with the Windows Live Toolbar and MSN Toolbar (specifically people who have not upgraded to the latest version of the Bing Bar). We fixed the update so that going forward folks who still have only the older Windows Live Toolbar or MSN Toolbar will not see this behavior anymore,” a Microsoft spokesperson told Ars Technica.
Unfortunately, this means that Firefox users with the Bing Bar or MSN Toolbar 4.0 installed will continue to receive the extension this way, which violates Mozilla's policy of pushing extensions through the official Add-Ons repository, where they are subjected to various checks. Additionally, extensions installed from outside the browser will have a grayed-out uninstall button in the Firefox Add-ons Manager, which can be problematic for people who want them removed.
“Firefox doesn't know which files must be removed to really uninstall it and that means that an uninstall is not possible [from inside Firefox] but you can disable it,” a Firefox developer explains in response to the bug report on the issue. To uninstall this extension, Microsoft recommends deleting the "SearchHelperExtension" folder from the "C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension" directory.
You can follow the editor on Twitter @lconstantin