Firefox Disables Microsoft .NET Addon
ZosX writes "Around 11:45 PM Friday night, I was prompted by Firefox that it had disabled the addons that Microsoft has been including with .NET — specifically, the .NET Framework Assistant and the Windows Presentation Foundation. The popup announcing this said that the 'following addons have been known to cause stability or security issues with Firefox.' Thanks, Mozilla team, for hitting the kill switch and hopefully this will get Microsoft to release a patch sooner." Here's the Mozilla security blog entry announcing the block, which Mozilla implemented via its blocklisting mechanism.
I just checked my addons and whilst I don't have the Microsoft addon, I do have an AVG one which is disabled. Clicking on the more information link (https://en-gb.www.mozilla.com/en-GB/blocklist/) presents me with a page that says:
Whilst it is nice to see they've done it, it's a shame that they didn't test the end to end user flow.
From the TFA, it is clear that Microsoft approves of this particular move. I quote
It's recently surfaced that it has a serious security vulnerability, and Microsoft is recommending that all users disable the add-on.
I mean, this is damage control. But I think Firefox is doing the mature thing and doing it the right way. Because not everybody wants to read the MS KnowledgeBase article and implement it themselves. At least, not my mom.
Quidquid latine dictum sit, altum videtur
For x64 machines, Go to the folder HKEY_LOCAL_MACHINE > SOFTWARE > Wow6432Node > Mozilla > Firefox > Extensions
Delete key name '{20a82645-c095-46ed-80e3-08825760534b}'
Sigs. We don't need no steenking sigs.
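Turning the removal steps from the thread (the registry entry above, plus the about:config blocklist setting mentioned further down) into a repeatable check, as an added example that is not from any of the posters, from Mozilla or from Microsoft: this PowerShell script audits a Windows machine for the .NET Framework Assistant registration under both the native and Wow6432Node registry views (the extension ID and registry path are the ones quoted in the thread), reports the folder the registration points at, deletes the registration only when run with -Remove (so -WhatIf gives a preview), and flags any Firefox profile whose prefs.js has extensions.blocklist.enabled set to false, since such a profile keeps loading the add-on despite Mozilla's block. The HKCU registry path and the prefs.js location are my assumptions, not something the thread states.

```powershell
# Added example (not from the thread): audit a Windows box for the .NET Framework
# Assistant registration that Firefox reads from the registry, and for any
# Firefox profile that has switched the add-on blocklist off.
# Assumptions: the extension ID and HKLM paths are the ones quoted in the thread;
# the HKCU path and the prefs.js location follow the usual Firefox layout.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Pass -Remove to delete the registration value (honours -WhatIf / -Confirm)
    [switch]$Remove
)

$ExtensionId = '{20a82645-c095-46ed-80e3-08825760534b}'   # .NET Framework Assistant ID, from the thread

# Firefox picks up extension registrations from these keys: the value name is the
# extension ID and the value data is the folder the extension is installed in.
$RegistryPaths = @(
    'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions',               # native view (x86 Windows)
    'HKLM:\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions',   # 32-bit view on x64, as quoted in the thread
    'HKCU:\SOFTWARE\Mozilla\Firefox\Extensions'                # per-user registration (assumption: same layout)
)

$findings = @()
foreach ($path in $RegistryPaths) {
    if (-not (Test-Path -Path $path)) { continue }
    $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    if (-not ($props.PSObject.Properties.Name -contains $ExtensionId)) { continue }

    $target = [string]$props.$ExtensionId
    $findings += [pscustomobject]@{
        RegistryPath = $path
        ExtensionDir = $target
        DirExists    = (-not [string]::IsNullOrEmpty($target)) -and (Test-Path -LiteralPath $target)
    }

    # Removal is opt-in and goes through ShouldProcess, so -WhatIf only reports.
    if ($Remove -and $PSCmdlet.ShouldProcess("$path\$ExtensionId", 'Remove extension registration')) {
        Remove-ItemProperty -Path $path -Name $ExtensionId
    }
}

# A profile with the blocklist turned off would load the add-on even while
# Mozilla's block entry is live, so report those profiles as well.
$profileRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
$prefFiles = Get-ChildItem -Path $profileRoot -Filter prefs.js -Recurse -ErrorAction SilentlyContinue
$blocklistOff = foreach ($f in $prefFiles) {
    $pattern = 'user_pref\("extensions\.blocklist\.enabled",\s*false\)'
    if (Select-String -Path $f.FullName -Pattern $pattern -Quiet) { $f.FullName }
}

if ($findings.Count -eq 0) {
    Write-Output "No registration for $ExtensionId found in the checked registry paths."
} else {
    $findings | Format-Table -AutoSize
}
if ($blocklistOff) {
    Write-Warning "Add-on blocklist is disabled in: $($blocklistOff -join ', ')"
}
```

Run it without arguments from an elevated PowerShell prompt to get a read-only report; `-Remove -WhatIf` shows what would be deleted, and `-Remove` alone performs the deletion. Because the thread notes the add-on can be re-registered by a later update, the report is worth re-running after each Windows Update cycle rather than once.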
Oh, I think not. The "functionality" added is Windows specific. Websites _should not_ be OS specific. And Microsoft had _no business_ shoving their plug-in silently into Firefox. And most of all, .NET is now a security nightmare: Brian LaMacchia, one of the authors of ".NET Framework Security", resigned from .NET development rather than continue with it. (LaMacchia's career is fascinating: if you'd like to follow a trail of an expert engineer getting involved in projects that are doomed for mishandling security, perhaps in spite of his best efforts, check out his career.)
There's actually a whole Firefox setting namespace devoted to bits of useragent to append, you don't even need a whole addon.
MS09-054 is labelled as an Internet Explorer update, so it's not obvious that Firefox users need to apply it. We're working with Microsoft on getting that fixed. Microsoft did definitely agree to it; I'm the one they told, on the telephone, before I requested the block be pushed out. I don't know why you think I was lying -- I didn't "imply" it, I flat out said that they agreed, which is the case. Do I have a history of lying about such things?
You better check again, as the plugin tries to re-install itself silently when a .NET service is called from a website in Firefox, and also via the recent batch of patches from Microsoft. The only way to be sure is to double-check and not only nuke the appropriate registry entry, but the entire sub-folder of your .NET installation the plugin is installed to, as well as resetting the ID string in About:Config. Then you should proceed to disable that update from being downloaded or displayed via Automatic Updates.
The really disturbing thing I found, is that after sneakily re-installing itself via the latest patch from MS, the plugin is not displayed at all in the Addons/Extensions portion of the Firefox configuration screen. The only reason I even found it reinstalled, was that warning from Firefox when the nasa.gov site attempted to load the plugin while viewing their photo galleries.
Yes, it was my fault to have updates set on Automatic/Automatic, which has since been remedied on this system. I was irresponsibly lazy on the matter.
@Mindless Drivel: 100% of Twitter posts ever Tweeted.
There's no cat and mouse -- they agreed to this blocking. I have in fact encouraged them to use a different extension ID if and when they make a fixed ClickOnce/WPF add-on that can be installed by active user choice rather than by default!
Because there is no way to distinguish patched from unpatched systems -- the WPF plugin doesn't expose any version information, unlike Flash and other such systems, and it didn't get updated with MS09-054. If I had known about this vulnerability before they posted on their blog, I would have told them to provide just such a distinction, so that we could disable only unpatched setups! We can remove from the blocklist as quickly as we added, but I wanted to protect users while we made sure that Firefox users would apply this patch, and figure out how to do better with this subsystem going forward. Microsoft agreed, and -- my sympathy for users that this has inconvenienced notwithstanding -- I still think it was the best of our available options.
It's proprietary and full of ads! Just what I wanted, an extension that checks for updates of my Adobe Reader software. Uninstalled. The Firefox team should send a message. Firefox add-ons are not yours to take over like the Windows startup.
If you go to about:config in Firefox and toggle the value of extensions.blocklist.enabled from true to false and restart Firefox, then the plugins will work.
Power does not corrupt - power attracts the corrupt.
The plugin in question was installed via a Windows Update _security_ update, it wasn't something that people really chose to install. I agree, though, that this really, really isn't malware. That's a ridiculous misuse of the term.
It's not just a useragent string, but it allows remote code execution. https://bugzilla.mozilla.org/show_bug.cgi?id=522777
Yes, sorry, I should have said that we can't distinguish it without custom code pushed through a patch, because it doesn't affect any files that we load or touch.
Not exactly. It also allows you to run .Net and WPF apps inline in the browser, hosting a CLR instance. Not to mention mapping the ClickOnce file type.
All the addon did was to add a piece of text in the useragent that told the website the .NET version. How do you manage to fuck up that?
For anyone curious as to the real state of affairs behind this MS plugin issue, you might be interested in a few things. For everyone else just enjoying a good anti-Microsoft circle-jerk, ignore this post.
The plugins being discussed do more than just change the User Agent of the browser. They allow for XAML applications to run in Firefox and ClickOnce program distribution. For everyone that normally cries about Microsoft pushing IE and trying to lock users into their browser, this is an attempt to allow people to use an alternative browser while still having access to their other Microsoft-centric technologies (.NET in this case). Isn't this a good thing?
This is the bug in question. There is a lot of interesting comment there, including the fact that while everyone is crying about Microsoft "secretly" adding the plugin and preventing users from disabling it, Mozilla doesn't even give users an option to enable it! Their blocklist is all or nothing. Why doesn't that bother anyone here? One poster is very insightful:
But perhaps the best thing about this entire issue is that Mozilla didn't block the plugins until AFTER they were patched, and the mechanism of the block is retarded. Mozilla is claiming that Microsoft agreed to issuing the block of the affected plugins, and that might be true, but only to an extent. Mozilla is currently blocking the plugins based on the name of the plugin, not the version, which means users who have installed the patched version of the plugins (at this point almost everyone using Windows Update) are still unable to use the plugins and have no way to re-enable them.
So essentially, by issuing this patch, Mozilla is doing nothing but hurting its business customers. Slashdotters can scratch their heads trying to figure out who uses these technologies, but the answer is a lot of businesses do. This absolute, non-scriptable and non-changeable block of these plugins will just remind corporations that open source isn't ready for the big leagues and they should just stick with Microsoft and IE. The sad thing is that if this kind of knee-jerk, carte-blanche blocking behavior becomes the norm for Mozilla, they will probably be right! Taking this kind of control away from the users is simply unacceptable, doubly so for businesses.
If you're wondering what MS says about this, you might take a look at this:
So there it is -- pretty much everyone
"What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
I believe that by tomorrow you will have a number of options, though switching browsers is certainly one of them. I hope to post an update to our security blog about it tonight.
(Do your boxes depend on the WPF plugin or the ClickOnce add-on, out of curiosity? And can I ask what you did before Windows .NET Framework 3.5 SP1 installed this plugin? Or are all the apps in question more recent than February? Genuinely interested, trying to learn more about the scope of people's use here.)
There is no version difference for the plugin or add-on between patched and unpatched systems. That's one reason that this is so messy right now; if we had known about the Firefox aspect of the vulnerability before the SRD blog post, we would have suggested just that sort of version bump.
Java is installed at the choice of the user where the .NET plugin is installed by a Windows update without informing the user.
Whoa, whoa, whoa... There's an imbalance in your equation here. You're comparing Java itself to the .NET Framework plugin.
Yes, Java itself requires that the user explicitly install it, but the Java Quick Starter extension for Firefox is also silently injected. Now, with the exception of Windows Vista and Windows 7, the .NET Framework must also be explicitly installed by the user.
Also, the Java Quick Starter extension cannot be removed through Firefox's UI; it can only be disabled. This may actually be the better option, though, because even if you remove it through the Java Control Panel applet, it's reinstalled with the next Java update (which is pretty heinous, in my opinion). Disabling it may leave it disabled across updates, but I haven't tested that.
To me this looks like an attempt to drag Firefox down to the level of IE by silently adding .NET holes into Firefox and then they can say, "It's not us because Firefox has the same problems we do".
Not to defend Microsoft, but that is unbelievably paranoid. In fact, I'd say it qualifies as an outright conspiracy theory.
People will pass up steak once a week, for crap every day.