.NET Framework Assistant Blocked to Disarm Security Vulnerability

I don’t see it listed on the Add-ons Blocklist page at https://www.mozilla.com/en-US/blocklist/. Should it be?

You better leave both Microcrap addons/plugins disabled PERMANENTLY, even when this fiasco subsides.

The more info link is borken: https://en-gb.www.mozilla.com/en-GB/blocklist/

(also, isn’t the WPF plugin and the clickonce extension completely separate other than they are both by Microsoft)

When I click on the ‘more information’ link on the plugin list to try to find out why the plugin is blocked, I get a certificate error:

“en-gb.www.mozilla.com:443 uses an invalid security certificate.

The certificate is only valid for *.mozilla.com

(Error code: ssl_error_bad_cert_domain)”

There’s no option to view the page anyway, so I’ve been searching for the last 20 minutes to figure out _why_ this block has been put in place. This is hardly good user support.

Hi,

It prevented my firefox 3.5.3 to run on Vista (no window appears anymore, no error message…).

I had to run FF in safe mode and uninstall the plugin to be able to run it again.

How can I edit the blocklist myself to disable addons inserted into my computer without my knowledge like the .net assistant? I have tried everything I can think of to remove the .net assistant from my computer but every time .net updates its placed back in. I just want to permablock the unwanted app by choice and have the ability to remove the block as I desire.

The handling of this is rubbish.

1. Why force block of a component when a fix is already distributed by Microsoft?

2. It is beyond parody that I cannot follow your link on the popup and read the blocklist because Mozilla Firefox tells me that Mozilla’s security certificate is not valid for that page… WTF?

How do I un-block these unnecessarily blocked components?

I uninstalled the frame work add-on. I hope that didn’t cause any problems. Everything seems to running ok. Please advise if my uninstallation is ok

I can’t drop the initial locale subdomain – as soon as I try it redirects BACK to having the subdomain.

https://en-gb.www.mozilla.com/en-GB/blocklist/

gives the ssl_error_bad_cert_domain

https://www.mozilla.com/en-GB/blocklist/

immediately redirects to the original domain.

I dislike that MS sneak insalled the .NET add-on and provided no way to uninstall it. However, it’s functionality provided a way for us to use FF for our ClickOnce apps, allowing us to fully switch from IE to FF in our business. Today our computers starting reporting the message that this add-on is blocked with no way to unblock it. As a result we have to touch all our computers and switch back to IE – on a weekend no less. Did you even bother to think about how you would affect people by taking this heavy handed action?

Mozilla has just proved they are no better than MS. When will companies stop it with the “we know what’s best for everyone so deal with it” mentality? FF is getting uninstalled from hundreds of computers this weekend and FF will no longer be my browser of choice after this incident.

what happens when you uninstall the addon from addons when you open FF?

My comment critical of this decision appears to have been removed. Is Mozilla unwilling to take responsibility for it’s actions and must stifle any contrary views?

A little over-aggresive on the Mozilla side — blocking the .Net extension and WPF plugin for millions of users when the patch was released by Microsoft this week. Watching the decision making process was kind of scary:

https://bugzilla.mozilla.org/show_bug.cgi?id=522777

BTW, you can circumvent this heavy-handed approach by disabling the blocklist in Firefox: about:config -> extensions.blocklist.enabled -> false

@Larry Seltzer

Speak for yourself. I think it made no sense for Microsoft to forcefully install the plugin in the first place. I’m glad Mozilla is using the blocklist to tell me something might be wrong. I’d rather do a little more work to enable the plugin then have it done for me and cause this mess without me knowing it.

Microsoft has no rights or reason to stealth install plugins and extensions.

ClickOnce deployers should be ashamed of themselves for depending on this crap to deploy apps.

MS did not forcefully install the plugin. You probably installed a Click-Once applications and it had to install it to run the application. When prompted about the add-in being installed you said yes (w/o knowing what you installed). Don’t go about accusing MS of forcefully installing something without your knowledge. As far as I know you cannot install an extension in Firefox without the users approval or it being manually installed. If that is not the case the Firefox is not more secure that IE with ActiveX controls.

Firefox should not have blocked this, at the most they should have given the user an option to disable these add-in after letting users no the risk. As stated in previous comments, this will cause many companies to switch back to MS because they rely on click-once. So Firefox shot themselves with this decision that was not theirs to make.

I just got the blocking dialog except I’ve already installed all the relevant security patches from Microsoft so these components are not presently vulnerable on my system. Your blocklist information page seems to indicate you block all versions of the plug-in, but not all systems with the plug-in installed are vulnerable; systems can be patched.

My point being:
Your blocklist is disabling add-ons that do not actually have a security/stability risk in all cases (ie. it ignores patch level).

This can’t possibly be a good thing, and it’s somewhat irritating to be told that Firefox just automatically disabled certain add-ons (and wants me to restart it) over a security/stability risk that I know no longer exists.

I really appreciate Mozilla blocking this. I switched away from IE for many reasons one of which was security issues.

When it comes to security Microsoft has no idea what their doing. I really believe they try to fix bugs but their fixes arrive as updates almost daily, in the hundreds of MB which slows down the computer like crazy and is a giant inconvenence. Sure Microsoft releases a patch, horray, it will work for a week until another whole is exploited. The fundamental underlying structure of their software has to be the reason for all of the security problems their software has. They have 100 times more issues than most companys.

I have TRIED several times to remove this .NET framework before to no avail. Had this not been blocked by Mozilla, I GUARANTEE you the problems with stability and security would be forthcoming and exponential.

Not to mention Microsoft has just added another reason to be on my $hit list. Stealth installs, and pain in the a** 2 page long list of how to uninstall something you never asked for in the first place. Thanks again. I LOVE FIREFOX. For all those having issues with .NET framework, I am sure there is an extension by someone other than Microsoft, that offers the same functionality with less BS.

@justin

it’s not the task from mozilla to decide which software a user has to use.

if microsoft’s software is so terrible in your eyes, why don’t you use a different software?

@MOM2006: The problem is that most users won’t even know about this Addon. It’s installed automatically when installing the .NET Framework, which is needed for many modern applications.

Besides that, Blocklists with version numbers are definately a good idea.

I disabled these plugins the moment I noticed them due to the fear of security flaws and it seems that fear was entirely justified.

Anyone who is using non-genuine microsoft windows with firefox and who has installed “.net 3.5” will have these plugins and will not receive the microsoft security update, so mozilla is entirely right to block these plugins as they are dangerous and degrade the security of firefox.

Even though people should not be using non-genuine windows, the fact is that millions are and for the general benefit of all of us, (eg not getting spam from botnets), mozilla should do everything it can to ensure the overall security of the web which is what it has done here by blocking these plugins.

Keep up the great work guys!

I agree with Mozilla disabling add-ins that contain critical security flaws. Why does Mozilla not block Adobe, or Sun plugins? The security updates for Adobe, Sun and Microsoft are distributed in the same way, so why aren’t they treated equally?

This is dumb. If I get into work tomorrow and none of our ClickOnce apps run, I’m going to have to walk around to over hundred computers and remove Firefox. Yeah. Thanks, folks.

You shouldn’t block it, you should rip it out completely. I know Firefox is a browser and not an antivirus but you need to take a harder line against malware like this that infects the browser behind your back and has no uninstall button. I’ll be redirecting the infected UAs from my website to removal pages from now on.

Thank you! I’ve stopped using Firefox lately because it was constantly freezing for ~20s or so, and I couldn’t find the root cause.
After you disabled the WPF addon, all seems to have gone back to normal.
I’m not even sure how/when I got it installed :(, but I’ll surely pay lots of attention to any MS addon in the future.

Please implement a way to easily turn back on disabled add-ons. Kudos to you for determining something that wasn’t safe, and blocking it automatically. If I was testing this add-on, or another, I’d be pretty pissed right now.

Don’t be the big brother you all are pretending to fight right now.

This is a sad state of affairs. Microsoft (The home of bad code) sneak installs a plug-in. Now fanboys are complaining its disabled?
If you love M$ so much, why not keep running IE? O thats right, its a disaster waiting to happen.

Good going Mozilla!!!! Block all the M$ crap that self installs!

Why bother with asking Microsoft, they didn’t ask me before installing this Firefox security hole on my system?

Justin wrote: “When it comes to security Microsoft has no idea what their doing.”

Do the Debian guys know what they’re doing? Do the Mozilla guys know? What about Adobe? The Linux kernel team? All of them have had their share of critical vulnerabilities.

And while we’re on the subject, do *YOU* have any idea when it comes to security? How many bugs do you get per 1M LOC, if you even write code? How many people are using your software and how much scrutiny has it undergone for security issues?

Justin wrote: “The fundamental underlying structure of their software has to be the reason for all of the security problems their software has. They have 100 times more issues than most companys.”

Even if it’s true that they have 100 times more issues than most “companys” (sic) you’re leaving out the very pertinent fact that they probably have about 100 times more code out there as well. That kind of puts things in a different perspective doesn’t it?

Justin: “I have TRIED several times to remove this .NET framework before to no avail.”

It took me all of 10 minutes. If you can’t uninstall it, you must either be computer illiterate or simply incompetent.

Justin wrote: “Had this not been blocked by Mozilla, I GUARANTEE you the problems with stability and security would be forthcoming and exponential.”

You GUARANTEE it? In all capital letters? Wow… You sold me. I’ll take 5 or whatever you’re selling. After all, if some guy named Justin who can’t uninstall the .NET framework from his computer GUARANTEES it, what else could I ask for?

Justin wrote: “Not to mention Microsoft has just added another reason to be on my $hit list.”

I’m sure Microsoft will send you a fruit-basket to make amends. After all, who wants to be on the ****-list of Justin, a guy who can’t uninstall the .NET framework from his computer.

Justin wrote: “For all those having issues with .NET framework, I am sure there is an extension by someone other than Microsoft, that offers the same functionality with less BS.”

But do you GUARANTEE it?

“Companies rely on clickonce”.

How is the risk of using clickonce mitigated in these “many” companies?

Surely they wouldn’t use a kludgy hammer like clickonce and have 12 year old kids on less than McDonald payrates installing it? So if clickonce fails you have an army of children and no apps? LOL, sucked in for being cheap sweatshop operators.

No pity for companies that hang their hat on clickonce.

You did the right thing. Almost nobody needs this add-on, the few that do can probably turn it back on with the add-on Nightly Tester Tools on a fully patched windoz system. Complain to Microsoft about the vulnerability and not here. For the .0001% that need it turning it off to protect the 99.999% that most don’t even know that it was installed was the right thing to do.

The bottom line is its BROKEN and has no business on Mozilla code. Even Microsoft agreed.

To Mike Shaver:

What happened to your collective ethics? Microsoft has become, in my constitutionally protected opinion, exactly like the over-reactive, paranoid and unscrupulous corporations of the past that become so big and oppressive that their missions became the destruction of competition rather than excellence.

How about adding a functionality that allows the user to uninstall the plugin completely? I should be able to chose what plugins are installed.

And this is why companies with a known reputation for writing buggy exploitable software shouldn’t force users to install buggy exploitable software.

This really smells rotten to the core.

We choose Firefox to get the evil M$ crapola OUT of the browser experience, and now this collusion with them questions the security issues we expected to avoid – you are digging your own grave.

.

Critically, please make it so that MS and other malicious-but-trusted parties cannot easily-and-by-design install addons without user consent.

If I’ve got java and javascript and flash turned off, that means I want *no scripting kthx*, not “no scripting unless MS decides to silently add in a new scripting javalike mechanism”.

When I want good anonymity and security, I choose FF inside a virtual machine inside an encrypted container, because it does not have IE-style gaping MS-security-fissures. Letting them silently install a security-goatse of this scale entirely violates that.

WOW!
That’s why I use linux….

I’m dispointed to have found out that mozilla allowed these MS plugins to be installed in the first place, as this makes me question firefox security which I always trusted. I was happy with the action they took, but now I’m even more disapointed to find out they have taken the .Net Framework Assistant off the blocklist, because Microsoft say it is safe.
Well sorry I don’t believe this, I don’t trust Microsoft and their so called experts, I believe it is a security risk and it should not be allowed to be automatically installed like that.
What happened to freedom of choice?????????????
The very browser I trusted for my security, turns out to be just as vunerable as any other browser.

like .net but its coding too cmplicated not user friend

I love the fact that Mozilla has to step up and protect Microsoft clients from Microsoft.