Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mozilla Unblocks Microsoft's .NET Addon

Posted by CmdrTaco on from the tag-yer-it dept.

bonch writes "Mozilla previously blocked the Firefox addons Microsoft included with .NET, citing security concerns. After talking with Microsoft, they have now unblocked the .NET Framework Assistant addon and are working on a way for enterprise users to unblock the Windows Presentation Foundation addon as well."

14 of 275 comments (clear)

  1. Microsoft's updated advisory by lseltzer · · Score: 5, Informative

    MS09-054

    FAQ for HTML Component Handling Vulnerability - CVE-2009-2529

    If I use Firefox, which Internet Explorer update do I need to
    install?
    If a computer system is configured for Automatic Update, the
    correct update will be downloaded and made available for installation depending
    on the Automatic Update configuration. In the event that a computer system is
    not configured for Automatic Update, users should verify which version of the
    Windows operating system and Internet Explorer is on their system and download
    the appropriate update.

    If I install this security update, do I need to disable the Windows
    Presentation Foundation Plug-in in Firefox to be protected from this
    vulnerability?
    No. Customers who have installed the security updates
    associated with this security bulletin are protected from this
    vulnerability.

    If I have not yet applied this security update, how do I disable the
    Windows Presentation Foundation plug-in in Firefox?
    If you have not yet
    applied this update, you can disable the Windows Presentation Foundation plug-in
    in Firefox to block this vulnerability. To do this, launch the Firefox browser,
    select the Tools pull-down menu, and then click Add-ons. Select
    the Plugins icon at the top of the Add-ons window. In the list of
    Plugins, select Windows Presentation Foundation 3.5.30729.1 and click
    Disable.

    If I uninstall the .NET Framework Assistant extension, does it disable or
    remove the Windows Presentation Foundation plug-in?
    If the .NET
    Framework Assistant extension is uninstalled it does not disable or remove the
    Windows Presentation Foundation plug-in. The .NET Framework Assistant and
    Windows Presentation Foundation plug-in are controlled through different screens
    in the Firefox Add-ons management window.

  2. Isn't this a good thing? by BarMonger · · Score: 5, Insightful

    Now I'll admit that there are only a few posts above mine, but already they are generally negative. Which I don't get.
    Isn't this a good thing?

    Microsoft releases a couple of Firefox plug-ins.
    A security vulnerability was discovered in the plug-ins.
    Mozilla disables the plug-ins.
    Microsoft and Mozilla has a talk about the the vulnerability and it appears that one of the plug-ins aren't vulnerable.
    The plug-in is re-enabled.

    As far as I can tell, this is the system working properly.

    1. Re:Isn't this a good thing? by lunatic1969 · · Score: 4, Insightful

      The system isn't working perfectly. Mozilla is taking Microsoft's word that these plugins, which install in their software without notice, don't have any vulnerabilities and are working just fine. Microsoft's plugins should be required to behave as every other responsible plugin. It shouldn't install with stealth, there should be a way to easily disable, and there should be a way to easily uninstall.

    2. Re:Isn't this a good thing? by BarMonger · · Score: 4, Interesting

      Mozilla is taking Microsoft's word that these plugins, which install in their software without notice, don't have any vulnerabilities and are working just fine.

      Just like every other plugin on the market. Apparently the .Net plug-in isn't vulnerable, the WPF one is.
      I know we like to bash Microsoft here, but the plug-in safety process (in FF) seems to work fine.
      How do you know that there aren't unknown vulnerabilities in another plug-in somewhere?

      Microsoft's plugins should be required to behave as every other responsible plugin. It shouldn't install with stealth, there should be a way to easily disable, and there should be a way to easily uninstall.

      You disable it by going to Tools > Add-ons > .Net plugin -> click either 'Disable' or 'Uninstall'
      I works fine for me, I just uninstalled the plugin.

      And Microsoft aren't the only ones who install by stealth. I don't remember installing Nokias 'PC Sync2 synchronisation' extension. It just installed itself with some other software.

    3. Re:Isn't this a good thing? by Rary · · Score: 4, Informative

      Microsoft forcibly installed said plug-in, and prevented its removal.

      The first statement is debatable, since the plugin is a part of the .NET Framework, and people can choose not to install the .NET Framework — although I realize newer versions of Windows have it preinstalled, so there's less of a choice there, which is why I say it's debatable.

      However, the second statement is just wrong. It's not Microsoft who prevented removal of the plugin, it's Mozilla. Firefox does not provide a mechanism for removing any plugins.

      --

      "You cannot simultaneously prevent and prepare for war." -- Albert Einstein

  3. MS hand wave by kaaposc · · Score: 5, Funny

    Mozilla: Do you have any identification?
    Microsoft: *waving hand* We do not need any identification.
    Mozilla: You do not need any identification.

  4. Re:Imagine if the situation were reversed by Shadow+of+Eternity · · Score: 5, Insightful

    Because of course blocking a program the user chose to install is completely comparable to a program the user chose to install blocking a plugin they didn't choose to install or even knew had installed and was just as difficult to get rid of as most malware.

    --
    A bullet may have your name on it but splash damage is addressed "To whom it may concern."
  5. Re:Still can't uninstall? by sakdoctor · · Score: 5, Insightful

    'Ubuntu firefox modifications' plugin also can't be deleted from within firefox.
    I'm not arguing for or against your proposal, just that it would need to be consistently applied.

  6. Re:Still can't uninstall? by xigxag · · Score: 4, Informative

    Oh come on. As anyone who's following this story is aware, Mozilla has an "approved" method of installing plugins without using the add-ons panel. So pick your bone with them.

    --
    There are two kinds of people: 1) those who start arrays with one and 1) those who start them with zero.
  7. Why is not Microsoft playing by the same rules? by 140Mandak262Jamuna · · Score: 4, Insightful
    Why would Microsoft submit its extension to Mozilla and follow the standard operating procedures as far as the dot net thingie is concerned? The user base and use cases for Mozilla/Firefox has always been, you get extensions from one authorized source. That is mozilla.org. If Microsoft wants an enabler they should just submit it to mozilla.org. Installing it in stealth mode is not expected from mozilla user base.

    Further, why is Mozilla.org is allowing a mode where any Tom Dick or Harry can drop in a bunch of files in the install directory and suddenly all the users get the extension on by default? Since it is in the instal dir, individual users cant even disable them or uninstall them. The existence of such a mode itself is a big security hole. If IE has a hole and allows a drive by download of a file into Firefox install dir, boom, you get a vulnerability in Firefox. Already there are reports that installing an HP printer gives and unwanted, unasked for and unpermitted extension added to Firefox. Now every software you install is going to want to add a tool bar or an extension to Firefox.

    I wish Firefox will just disallow such a way of installing extensions. The cardinal rule, as for as Firefox is concerned, is that the users rule. They control their browser, they decide which extensions are allowed, which scripts are allowed to run, which user agent string is sent out, whether or not to allow java, applet, or javascript or flash or silverlight or whatever. For corporate deployment, the Mozilla team might allow a script based instal on all machines in a corporate network using proper authentication procedures, like Corportate IT dept has local sysadmin privilege, so they come in and install an extension, and even disable its uninstall option, but that is all done outside the browser using the standard corporate deployment procedures. Allowing anyone to dump cruft in a particular folder and suddenly everybody gets the cruft is totally against the expectations of the standard mozilla firefox user.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  8. Re:Still can't uninstall? by aetherworld · · Score: 5, Informative

    Is this a failed attempt at trolling?

    It's a PLUGIN, not an ADD-ON. There is no way to uninstall ANY Plugins in Firefox. You can disable Add-Ons, you can uninstall Add-Ons and you can disable Plugins. But you cannot uninstall Plugins from within Firefox. Firefox simply loads all files in a specific Internet Plugins folder (not a Firefox-only plugin folder) and if it detects a plugin, it uses it.

    Delete the file and you're good to go.

  9. Why is everyone targeting MS on here? by tgd · · Score: 5, Insightful

    Seriously -- I have FAR more of an issue with Firefox disabling a plugin *that I want there* and not providing a way to re-enable it (or at least any obvious way).

    Microsoft may choose to say that Firefox integration is part of the .NET framework, and if I choose to have a problem with it, I can uninstall it. But where does the Mozilla organization get off disabling an extension I have, and may be using, without any ability to opt out?

    The double standard on this would be funny if people weren't so serious about it.

  10. Re:Still can't uninstall? by SanityInAnarchy · · Score: 4, Informative

    It can, however, be removed via the package manager.

    Can the .NET addon be removed at all, without hacking the registry?

    No, using the package manager is not even remotely comparable to hacking the registry.

    --
    Don't thank God, thank a doctor!
  11. Re:Shit! by Culture20 · · Score: 4, Informative

    Host your own blocklist and point extensions.blocklist.url to it. Or locally: http://kb.mozillazine.org/Blocklist.xml