Slashdot Mirror


Firefox Disables Microsoft .NET Addon

ZosX writes "Around 11:45 PM Friday night, I was prompted by Firefox that it had disabled the addons that Microsoft has been including with .NET — specifically, the .NET Framework Assistant and the Windows Presentation Foundation. The popup announcing this said that the 'following addons have been known to cause stability or security issues with Firefox.' Thanks, Mozilla team, for hitting the kill switch and hopefully this will get Microsoft to release a patch sooner." Here's the Mozilla security blog entry announcing the block, which Mozilla implemented via its blocklisting mechanism.

1 of 448 comments

  1. Re:Great by TropicalCoder · Score: 1, Flamebait

    Please mod parent down! He is not a real person anyhow, but a member of Microsoft's psy-op team, spreading disinformation. It is outrageous to see shills modded up to +5. You gotta wonder about the motivation of someone who is defending something that was installed by stealth instead of a normal opt-in procedure. Who of those fictitious users of One-Click he is referring to actually installed this plugin on Firefox? None of them! ...because it wasn't offered or advertized, and there was no opportunity to deliberately download this plugin, and therefore nobody asked for it.

    The real story can be found on the Mozilla discussion board.

    Fundamentally, Microsoft introduced a security risk into Firefox with these add-ons. That risk came to fruition and thus Mozilla closed the risk entirely. Both have agreed to this, at least for the time being.

    Mozilla is only blocking the unpatched vulnerability. It's just that there's no appreciable difference between the patched and unpatched versions so it's all blocked at once. Firefox users are by no means guaranteed to have both the update that caused this and the update that fixed this. Updates are not magic. Some people have them now; some don't. If it's not 100% then it's vulnerable and hence the block.

    It's important to note that the vast majority of users with this add-on installed did not know that it was installed, or ask for it to be installed, and it's very difficult to uninstall cleanly due to the hidden extension that is left behind, as well as the "9.*.*" maxversion. This means that users who don't normally care about IE updates, because they are Firefox users, will be vulnerable until it is available to them and installed.

    Mozilla suggests that if you are one of the very small minority that need this software that was by and large installed into users' browsers without their permission or knowledge then you request Microsoft to write a clean version completely free of this and Mozilla can allow that through.

    Neither the plugin nor the extension is updated by the hotfix, only an OS component that they depend upon is changed. All versions of the extension or plugin are affected if the old version of the system component is installed, none are affected if the new version is installed. Firefox doesn't contain a mechanism for checking system library versions, so there's no way to automatically block the plugin only on affected systems. It's all or nothing: disable this functionality completely, or allow even on systems with the vulnerability.
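Added example, not part of the comment above and not Mozilla's code: a minimal blocklist matcher showing why a block keyed only on add-on ID and version gives the same verdict on patched and unpatched systems. The XML layout, the placeholder ID, the host inventory and the simplified dotted-version comparison are all assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET
from itertools import zip_longest

# Constructed blocklist fragment; the ID is a placeholder, not a real add-on ID.
BLOCKLIST_XML = """
<blocklist>
  <emItem id="{PLACEHOLDER-ASSISTANT-ID}">
    <versionRange minVersion="0" maxVersion="*"/>
  </emItem>
</blocklist>
"""

def _key(version):
    # Simplified comparison: numeric dotted parts, "*" sorts above any number.
    return [float("inf") if p == "*" else int(p) for p in version.split(".")]

def version_le(a, b):
    """True if version a <= version b; missing parts count as 0."""
    for x, y in zip_longest(_key(a), _key(b), fillvalue=0):
        if x != y:
            return x < y
    return True

def load_blocklist(xml_text):
    """Return {addon_id: [(min_version, max_version), ...]}."""
    rules = {}
    for item in ET.fromstring(xml_text).iter("emItem"):
        ranges = [(r.get("minVersion", "0"), r.get("maxVersion", "*"))
                  for r in item.iter("versionRange")]
        rules[item.get("id")] = ranges or [("0", "*")]
    return rules

def is_blocked(rules, addon_id, addon_version):
    # The only inputs are add-on ID and version: the state of the OS
    # component the add-on depends on is not visible to this decision.
    return any(version_le(lo, addon_version) and version_le(addon_version, hi)
               for lo, hi in rules.get(addon_id, []))

# Constructed inventory: same add-on build, different OS patch state.
HOSTS = [
    {"host": "ws-01", "addon": "{PLACEHOLDER-ASSISTANT-ID}", "version": "1.0",
     "os_component_patched": False},
    {"host": "ws-02", "addon": "{PLACEHOLDER-ASSISTANT-ID}", "version": "1.0",
     "os_component_patched": True},
    {"host": "ws-03", "addon": "other@example.invalid", "version": "2.3",
     "os_component_patched": False},
]

def evaluate(hosts, rules):
    return {h["host"]: is_blocked(rules, h["addon"], h["version"]) for h in hosts}
```

Running `evaluate(HOSTS, load_blocklist(BLOCKLIST_XML))` blocks both ws-01 and ws-02, because `os_component_patched` is never consulted; narrowing the version range would not help either, since both hosts carry the same add-on version.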