I wish Mozilla would block ALL add-ons that are known to install themselves without permission. Many of these parasitic add-ons are unnecessary and unwanted by users, yet ALL large programs that are connected to a Web browser carry security risks. The risk is not just theoretical, either. I think virtually all Microsoft programs have had critical security vulnerabilities. In the case of the .NET plugin, it’s difficult to avoid and difficult to remove.

I’m not suggesting that you try to block malware or that you block all possible programs that can install plugins without permission–which may not even be possible. I’m suggesting that you block common KNOWN, plugins that install themselves without permission. Most of us don’t have malware as plugins. We have plugins from MS, Google, and the like, and those are the ones that have turned out to be (1) installed without permission and (2) vulnerable. I betcha most people have at least one of those and don’t know it. Flash is often vulnerable, but at least (1) I put it there and (2) I KNOW it’s there and can take precautions.

Sneaking such programs into Web browsers is unacceptable. Block them all until they ask permission for installation.

Can’t Mozilla block a specific version range of the plug-in? Basically, MS should bump the version number of the WPF plug-in when the IE update is installed, so that the fixed version automatically is not blocked, and the unfixed version will never run again.

Susan, I could be wrong, but I don’t believe there was a way to allow Mozilla to not allow the block on these plugins.

Why make people search when they may not know what exactly it is they are searching for? The way to turn off blocklists is easy and is outlined here:

https://bugzilla.mozilla.org/show_bug.cgi?id=522777#c78

So Windows Presentation Foundation is blocked even though the computer is patched? I would call that a blocking fail.

The smart thing for Firefox to do would be, when it starts, to check for any plugins that have added themselves (added themself, note, not added via the Firefox UI) since you last used Firefox. “It looks like the ‘Microsoft .Net 3.5 Assistant’ plugin has been added since you last used Firefox. What do you want Firefox to do with this plugin? [Enable] [Disable] [Remove]“

I agree with VanillaMozilla. I feel very strongly that no add-ons should be allowed to install themselves in this way.

If this behavior is allowed to continue, I still have to object on the grounds that .net framework assistant is broken. We now have an uninstall button, but it’s not fully functional. It doesn’t undo changes to the user agent, for one. Secondly, it leaves behind an installer stub as a hidden extension. This hidden extension previously broke adblock and no-script. We have nothing but the appearance of a working uninstaller. That’s a broken extension in my book.

Escaping this sort of thing is the reason I moved from IE to (Mozilla Suite to) Firefox in the first place. I want Firefox to be a lightweight browser out of the box again. Minimalism should be the default, not something that can be achieved with extensive effort.

All this aside, I oppose the proliferation of any new plugins. These add-ons will undermine the cross-platform nature of Firefox, and stifle innovation on the Web. I wish Mozilla would fight this.

I disabled the .Net Framework Assistant & Windows Presentation Foundation, I had to re-disable them after the latest firefox update. They are not safe.

Having just learned about this affair, I’m extremely displeased with both Microsoft and Mozilla’s conduct.

It is not acceptable to install anything without user permission, period. That is characteristic of malware.

Having blocked said malware, it is also not acceptable to *unblock* it without asking user permission. It doesn’t matter whether there are no longer any *known* vulnerabilities in the malware.

This is pretty much the final straw for me; I’ll be moving away from both Windows and Firefox.