.NET Framework Assistant & Windows Presentation Foundation Plugin Blocking Update

Johnathan Nightingale

Mike Shaver has posted an update on the situation surrounding our blocking of the .NET Framework Assistant and WPF plugin.

In it, he discusses the current state of affairs, the series of events that got us to this point, as well as the steps we, and Microsoft, are taking to get the situation resolved.

20 responses

  1. VanillaMozilla wrote on :

    I wish Mozilla would block ALL add-ons that are known to install themselves without permission. Many of these parasitic add-ons are unnecessary and unwanted by users, yet ALL large programs that are connected to a Web browser carry security risks. The risk is not just theoretical, either. I think virtually all Microsoft programs have had critical security vulnerabilities. In the case of the .NET plugin, it’s difficult to avoid and difficult to remove.

    I’m not suggesting that you try to block malware or that you block all possible programs that can install plugins without permission–which may not even be possible. I’m suggesting that you block common, KNOWN plugins that install themselves without permission. Most of us don’t have malware as plugins. We have plugins from MS, Google, and the like, and those are the ones that have turned out to be (1) installed without permission and (2) vulnerable. I betcha most people have at least one of those and don’t know it. Flash is often vulnerable, but at least (1) I put it there and (2) I KNOW it’s there and can take precautions.

    Sneaking such programs into Web browsers is unacceptable. Block them all until they ask permission for installation.

  2. Ferdinand wrote on :

    “Users of Windows 7 RTM are not affected, as the add-on and plugin are not distributed as part of Windows 7.”
    But a lot of programs and games install .NET.

  3. Sebastian Redl wrote on :

    Can’t Mozilla block a specific version range of the plug-in? Basically, MS should bump the version number of the WPF plug-in when the IE update is installed, so that the fixed version automatically is not blocked, and the unfixed version will never run again.

  4. Daniel Veditz wrote on :

    Sebastian: we can block by version if the plugin announces one through the plugin interface, but in this case the WPF plugin itself was not updated, only the core WPF was patched. The current blocking mechanism can’t tell the difference between vulnerable and not.

  5. Daniel Veditz wrote on :

    Sebastian: we can block by version if the plugin announces one through the plugin interface, but in this case the WPF plugin itself was not updated, only the core WPF was patched. The current blocking mechanism can’t tell the difference between vulnerable and not in this case.

  6. Susan.H wrote on :

    Sorry, I’m not a technical person, so I’m not familiar with the assumptions here.

    I didn’t allow Mozilla to block this program because I thought it was a hoax, such as I’ve received before, asking me to delete MS programs. What does the plugin do? Do I need it? Was it fixed by the MS automatic update of October 15, called “Microsoft .NET Framework 2.0 Service Pack 2 Security Update for Windows 2000, Windows Server 2003, and Windows XP (KB974417)”.

    If not, what do I need to do now?

  7. Chris H. wrote on :

    Susan, I could be wrong, but I don’t believe there was a way to allow Mozilla to not allow the block on these plugins.

  8. Daniel Veditz wrote on :

    Chris is right that the dialog you saw is informational only — the plugin was blocked. We want to make sure people know what steps we’ve taken so there are no surprises, no mysterious failures, so that users can judge for themselves whether we’ve done the right thing and correct us if not.

    You can reenable this plugin from the Add-ons dialog if you need it and know you’ve applied the patch from Microsoft.

    There is a more buried way to turn off the blocking feature entirely. We don’t recommend it, but it’s your browser and if you want to do it you can get help from http://support.mozilla.com/

  9. Roman Berry wrote on :

    Why make people search when they may not know what exactly it is they are searching for? The way to turn off blocklists is easy and is outlined here:

    https://bugzilla.mozilla.org/show_bug.cgi?id=522777#c78

  10. VanillaMozilla wrote on :

    Right. It’s my browser. So how about blocking all plugins that are known to install themselves without permission, so I can actually retain some control on what’s installed? Is there any reason not to do that?

  11. Tama wrote on :

    So Windows Presentation Foundation is blocked even though the computer is patched? I would call that a blocking fail.

  12. Ron Osborne wrote on :

    I am having problems at the moment regarding pop ups when I go into certain websites like bulletin boards to do with stocks and shares.
    I never had this problem since using Mozilla but since the latest update they seem to come very regularly and without the normal menu bar and I do not seem to be allowed to block the sites, which leads me to believe it is something that has got into my computer.

    Has anyone else got the same problem since the last update of Mozilla Firefox?

    Ron Osborne

    [This is quite a bit off topic, please visit our support site –dveditz]

  13. jinlye wrote on :

    The smart thing for Firefox to do would be, when it starts, to check for any plugins that have added themselves (added themself, note, not added via the Firefox UI) since you last used Firefox. “It looks like the ‘Microsoft .Net 3.5 Assistant’ plugin has been added since you last used Firefox. What do you want Firefox to do with this plugin? [Enable] [Disable] [Remove]”

  14. Kushal wrote on :

    jinlye, that would be good except I would suggest a slide down like the “Do you want to remember the password?” dialog or the ActiveX Control Bar on IE. (Oh, and please no more pop ups. I don’t think anyone NEEDS one more pop up (which is also why default settings are so important). Please keep it disabled by default. :)

  15. Chris Splinter wrote on :

    I agree with VanillaMozilla. I feel very strongly that no add-ons should be allowed to install themselves in this way.

    If this behavior is allowed to continue, I still have to object on the grounds that .net framework assistant is broken. We now have an uninstall button, but it’s not fully functional. It doesn’t undo changes to the user agent, for one. Secondly, it leaves behind an installer stub as a hidden extension. This hidden extension previously broke adblock and no-script. We have nothing but the appearance of a working uninstaller. That’s a broken extension in my book.

    Escaping this sort of thing is the reason I moved from IE to (Mozilla Suite to) Firefox in the first place. I want Firefox to be a lightweight browser out of the box again. Minimalism should be the default, not something that can be achieved with extensive effort.

    All this aside, I oppose the proliferation of any new plugins. These add-ons will undermine the cross-platform nature of Firefox, and stifle innovation on the Web. I wish Mozilla would fight this.

  17. cedo wrote on :

    I disabled the .Net Framework Assistant & Windows Presentation Foundation; I had to re-disable them after the latest Firefox update. They are not safe.

  18. Betty wrote on :

    Around Oct 15 my computer got a Vundo virus that McAfee cannot fix. We went to the Microsoft page to try to get instructions to try to fix it. We are having no luck getting rid of it. Any ideas on what we can do, or does this new update isolate it?

    I am not too tech savvy. Thanks for any help on this.

  19. David-Sarah Hopwood wrote on :

    Having just learned about this affair, I’m extremely displeased with both Microsoft and Mozilla’s conduct.

    It is not acceptable to install anything without user permission, period. That is characteristic of malware.

    Having blocked said malware, it is also not acceptable to *unblock* it without asking user permission. It doesn’t matter whether there are no longer any *known* vulnerabilities in the malware.

    This is pretty much the final straw for me; I’ll be moving away from both Windows and Firefox.

  20. muhammad khaider wrote on :

    I agree with Mozilla. I feel very strongly that no add-on should be allowed to install themselves in this way.
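
The exchange in comments 3 to 5 about blocking by version range, as an added example that is not part of the original post and is not Mozilla's blocklist code: a name-plus-version rule cannot separate a patched host from an unpatched one when the fix lands in a component the plugin does not report, and can once the plugin's own version is bumped. The plugin name, the version numbers, the simplified dotted-number comparison and the fail-closed handling of unversioned plugins are all assumptions of this sketch.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Dotted numeric version -> comparable tuple (simplified comparator)."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Plugin:
    name: str                 # what the plugin announces to the browser
    version: Optional[str]    # None if the plugin announces no version
    core_patched: bool        # host state; NOT visible to the blocklist


@dataclass(frozen=True)
class BlockRule:
    name_pattern: str
    min_version: Optional[str] = None
    max_version: Optional[str] = None   # inclusive upper bound

    def blocks(self, plugin: Plugin) -> bool:
        if not re.search(self.name_pattern, plugin.name):
            return False
        if self.min_version is None and self.max_version is None:
            return True                 # no range: every version is blocked
        if plugin.version is None:
            return True                 # assumption: fail closed when unversioned
        v = parse_version(plugin.version)
        if self.min_version and v < parse_version(self.min_version):
            return False
        if self.max_version and v > parse_version(self.max_version):
            return False
        return True


def separates(rule: BlockRule, vulnerable: Plugin, fixed: Plugin) -> bool:
    """True only if the rule blocks the vulnerable host and allows the fixed one."""
    return rule.blocks(vulnerable) and not rule.blocks(fixed)


# Constructed sample data: placeholder name and version numbers.
RULE = BlockRule(r"Example Presentation Plugin", max_version="1.0.0")
UNPATCHED = Plugin("Example Presentation Plugin", "1.0.0", core_patched=False)
CORE_ONLY_FIX = Plugin("Example Presentation Plugin", "1.0.0", core_patched=True)
VERSION_BUMPED = Plugin("Example Presentation Plugin", "1.0.1", core_patched=True)
```

`separates(RULE, UNPATCHED, CORE_ONLY_FIX)` is false because `blocks()` never reads `core_patched`; only the version-bumped build falls outside the blocked range.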