.NET Framework Assistant Blocked to Disarm Security Vulnerability

Johnathan Nightingale


Mike Shaver, Mozilla’s Vice President of Engineering, writes:

I’ve previously posted about the .NET Framework Assistant add-on that was delivered via Windows Update earlier this year. It’s recently surfaced that it has a serious security vulnerability, and Microsoft is recommending that all users disable the add-on.

Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism. Microsoft agreed with the plan, and we put the blocklist entry live immediately. (Some users are already seeing it disabled, less than an hour after we added it!)

Update (Sunday Oct 18, 6:30pm PDT): Microsoft has now confirmed that the Framework Assistant add-on is not a vector for this attack, and we have removed the entry from the blocklist. We are also working on a mechanism to allow Firefox users to re-enable the WPF plugin ahead of its eventual removal from the blocklist. For more information, see Mike Shaver’s latest blog post.

82 responses

  1. Fred wrote on :

    Please implement a way to easily turn back on disabled add-ons. Kudos to you for determining something that wasn’t safe, and blocking it automatically. If I was testing this add-on, or another, I’d be pretty pissed right now.

    Don’t be the big brother you all are pretending to fight right now.

  2. hippiejake wrote on :

    Oh, the irony. Just after Microsoft was bitching at Google for creating Chrome Frame, this hits.

    Now Mozilla just needs to create some BS plugin for Chrome and the circle will be complete. Really, why can’t they just stop fscking with each others’ products? [Particularly when it tends to break things.]

  3. Sammy wrote on :

    This is a sad state of affairs. Microsoft (the home of bad code) sneak-installs a plug-in. Now fanboys are complaining it’s disabled?
    If you love M$ so much, why not keep running IE? Oh, that’s right, it’s a disaster waiting to happen.

    Good going Mozilla!!!! Block all the M$ crap that self installs!

  4. Sammy wrote on :

    @MOM2006

    It’s not Microsoft’s job to decide which software a user has to use, or to sneak-install plugins into other companies’ software.

    If Mozilla’s software is so terrible in your eyes, why don’t you use different software? Why not use IE, and get loads of malware and viruses self-installing? Oh wait, that’s a feature of M$.

  5. Dan wrote on :

    Why bother with asking Microsoft, they didn’t ask me before installing this Firefox security hole on my system?

  6. blah wrote on :

    Please permanently disable ALL plugins and addons from Microsoft. [edited to remove profanity -dveditz]

  7. Nik B. wrote on :

    Justin wrote: “When it comes to security Microsoft has no idea what their doing.”

    Do the Debian guys know what they’re doing? Do the Mozilla guys know? What about Adobe? The Linux kernel team? All of them have had their share of critical vulnerabilities.

    And while we’re on the subject, do *YOU* have any idea when it comes to security? How many bugs do you get per 1M LOC, if you even write code? How many people are using your software and how much scrutiny has it undergone for security issues?

    Justin wrote: “The fundamental underlying structure of their software has to be the reason for all of the security problems their software has. They have 100 times more issues than most companys.”

    Even if it’s true that they have 100 times more issues than most “companys” (sic) you’re leaving out the very pertinent fact that they probably have about 100 times more code out there as well. That kind of puts things in a different perspective doesn’t it?

    Justin: “I have TRIED several times to remove this .NET framework before to no avail.”

    It took me all of 10 minutes. If you can’t uninstall it, you must either be computer illiterate or simply incompetent.

    Justin wrote: “Had this not been blocked by Mozilla, I GUARANTEE you the problems with stability and security would be forthcoming and exponential.”

    You GUARANTEE it? In all capital letters? Wow… You sold me. I’ll take 5 or whatever you’re selling. After all, if some guy named Justin who can’t uninstall the .NET framework from his computer GUARANTEES it, what else could I ask for?

    Justin wrote: “Not to mention Microsoft has just added another reason to be on my $hit list.”

    I’m sure Microsoft will send you a fruit-basket to make amends. After all, who wants to be on the ****-list of Justin, a guy who can’t uninstall the .NET framework from his computer.

    Justin wrote: “For all those having issues with .NET framework, I am sure there is an extension by someone other than Microsoft, that offers the same functionality with less BS.”

    But do you GUARANTEE it?

  8. InvadedPrivacy wrote on :

    Since when is installing plugins to third party software something MS is allowed to do without permission?

    What other apps are MS allowed to covertly modify?

    Will MS bork my OpenOffice next by adding a great new .NET plugin?

    Is it only competing products that require a good .NET rogering?

    Hands off my computer MS. You are not welcome.

  9. Johnny Wishbone wrote on :

    “Companies rely on clickonce”.

    How is the risk of using clickonce mitigated in these “many” companies?

    Surely they wouldn’t use a kludgy hammer like clickonce and have 12 year old kids on less than McDonald payrates installing it? So if clickonce fails you have an army of children and no apps? LOL, sucked in for being cheap sweatshop operators.

    No pity for companies that hang their hat on clickonce.

  10. Paul wrote on :

    Please, for the love of god, NEVER allow Microsoft to install silent plugins into Firefox. Tell them that unless there is a massive, flashing bold warning saying nothing short of “Do you want to let Microsoft install IE into Firefox”, they go on a permaban list. Don’t bother asking them if they would let us ban their software; just don’t allow them to introduce massive security holes into your trusted software.

  11. Pete wrote on :

    You did the right thing. Almost nobody needs this add-on; the few that do can probably turn it back on with the Nightly Tester Tools add-on on a fully patched windoz system. Complain to Microsoft about the vulnerability, not here. For the .0001% that need it, turning it off to protect the 99.999% who mostly don’t even know it was installed was the right thing to do.

    The bottom line is it’s BROKEN and has no business in Mozilla code. Even Microsoft agreed.

  12. dbmuse wrote on :

    I was able to delete it… oh happy day.

  13. Eric Stafford wrote on :

    To Mike Shaver:

    What happened to your collective ethics? Microsoft has become, in my constitutionally protected opinion, exactly like the over-reactive, paranoid and unscrupulous corporations of the past that become so big and oppressive that their missions became the destruction of competition rather than excellence.

  14. Vivek T. Mahadik wrote on :

    Thanks,

    Well done, Mozilla!!!
    After a long Diwali holiday, my computer started reporting the message that the Microsoft add-on is blocked.

    I permanently disabled ALL plugins and add-ons from Microsoft… till the problem is solved…

    Enjoy …. Happy Diwali!!!

  15. Insano wrote on :

    How about adding functionality that allows the user to uninstall the plugin completely? I should be able to choose which plugins are installed.

  16. anonymous coward wrote on :

    I think this case just shows there is a weakness in the Firefox plugin installation system – MS shouldn’t be able to silently install their plugins in the first place.
    I think a startup check for new plugins, and a warning if they are found, would help, with the default state disabled. Then there would be no need to ban plugins at all.

  17. Chris wrote on :

    And this is why companies with a known reputation for writing buggy exploitable software shouldn’t force users to install buggy exploitable software.

  18. Tim wrote on :

    I didn’t know this feature existed until now. Also, “for your protection” sounds very draconian (especially as this was forced).

    The list was downloaded and the plugins were blocked before I knew about the configuration option mentioned in comment #25. Toggling it doesn’t make a difference to the plugins that are already disabled. I had to open the pluginreg.dat in the profile folder and edit the line that looks like:

    (large number)|1|20|$

    to

    |1|1|$

    to make it go back to normal.

  19. PC.Tech wrote on :

    This really smells rotten to the core.

    We choose Firefox to get the evil M$ crapola OUT of the browser experience, and now this collusion with them questions the security issues we expected to avoid – you are digging your own grave.


  20. chase wrote on :

    Great, IE is trying to infect FF.

  21. Dewi Morgan wrote on :

    Critically, please make it so that MS and other malicious-but-trusted parties cannot easily-and-by-design install addons without user consent.

    If I’ve got java and javascript and flash turned off, that means I want *no scripting kthx*, not “no scripting unless MS decides to silently add in a new scripting javalike mechanism”.

    When I want good anonymity and security, I choose FF inside a virtual machine inside an encrypted container, because it does not have IE-style gaping MS-security-fissures. Letting them silently install a security-goatse of this scale entirely violates that.

  22. Dewi Morgan wrote on :

    When I went with Firefox, it was a vote against MS’ ability to make secure browsing apps.

    Allowing them to silently install insecure scripting engines into Firefox is… well, a real slap in the face for the people who thought they’d moved away from that.

  23. Chevy wrote on :

    WOW!
    That’s why I use linux….

  24. luminositee wrote on :

    Thanks for figuring this out–I noticed it in my add-ons awhile ago and couldn’t figure out how it had gotten there. After spending a bit of time trying to uninstall/disable it, I gave up (I love firefox, but I don’t know much more about computers than this: http://xkcd.com/627/). So, I’m really glad to finally know what’s going on with this app and how to uninstall it!

  25. freedom defence wrote on :

    I’m disappointed to have found out that Mozilla allowed these MS plugins to be installed in the first place, as this makes me question Firefox security, which I always trusted. I was happy with the action they took, but now I’m even more disappointed to find out they have taken the .NET Framework Assistant off the blocklist because Microsoft say it is safe.
    Well, sorry, I don’t believe this. I don’t trust Microsoft and their so-called experts; I believe it is a security risk and it should not be allowed to be automatically installed like that.
    What happened to freedom of choice?????????????
    The very browser I trusted for my security turns out to be just as vulnerable as any other browser.

  26. windoz wrote on :

    It is your system and it was part of a service pack. Funny how long it takes since the first install.

  27. komba wrote on :

    I like .NET, but its coding is too complicated, not user-friendly.

  28. Chainsaw wrote on :

    It crashes every computer here at the university that runs Firefox. Continually. No special action, just use Firefox, browse some web pages, but don’t forget to save bookmarks regularly, because when it crashes, Firefox can’t recover anything. Thankfully, after a couple of these, Firefox figures it out and disables the damned thing. But only for that user, on that machine, and not permanently…

    When there are functional NoScript and RemoveItPermanently add-ons for IE, I’ll consider switching.

    At this date, it BEHAVES like malware. So it should be blocked until it no longer does this.

    And the function it performs is to make it easier to accidentally run untrusted apps off web pages by just clicking on them. Didn’t we just spend ten years trying to STOP browsers from doing this??? So the only way to REALLY make it not behave like malware is to disable the larger function that it is trying to assist…

  29. Daniel Veditz wrote on :

    Chainsaw: are you sure the crashes are due to this? WPF usage should be rare on the web, and a plugin isn’t even loaded unless we encounter content that requires it.

  31. Ahmad Barirani wrote on :

    I love the fact that Mozilla has to step up and protect Microsoft clients from Microsoft.

  32. Greg wrote on :

    There should be a default setting to prevent any change to Firefox without your permission – one that you have to deliberately change manually if you want it otherwise.
