.NET Framework Assistant Blocked to Disarm Security Vulnerability

Mike Shaver, Mozilla’s Vice President of Engineering writes:

I’ve previously posted about the .NET Framework Assistant add-on that was delivered via Windows Update earlier this year. It’s recently surfaced that it has a serious security vulnerability, and Microsoft is recommending that all users disable the add-on.

Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism. Microsoft agreed with the plan, and we put the blocklist entry live immediately. (Some users are already seeing it disabled, less than an hour after we added it!)

Update (Sunday Oct 18, 6:30pm PDT): Microsoft has now confirmed that the Framework Assistant add-on is not a vector for this attack, and we have removed the entry from the blocklist. We are also working on a mechanism to allow Firefox users to re-enable the WPF plugin ahead of its eventual removal from the blocklist. For more information, see Mike Shaver’s latest blog post.

82 comments on “.NET Framework Assistant Blocked to Disarm Security Vulnerability”

  1. Alan Baxter wrote on

    I don’t see it listed on the Add-ons Blocklist page at https://www.mozilla.com/en-US/blocklist/. Should it be?

  2. Gavin Sharp wrote on

    Alan: that page was just updated – look again!

  3. Angry Firefox User wrote on

    You better leave both Microcrap addons/plugins disabled PERMANENTLY, even when this fiasco subsides.

  4. Da Scritch wrote on

    No ?
    Microsoft agreed ?
    No ???

    Aow yes, they said plugins are dangerous about Google Chrome… So do I

  5. fowl wrote on

    The more info link is borken: https://en-gb.www.mozilla.com/en-GB/blocklist/

    (also, isn’t the WPF plugin and the clickonce extension completely separate other than they are both by Microsoft)

  6. Ottmar Freudenberger wrote on

    According to http://blogs.technet.com/srd/archive/2009/10/12/ms09-054.aspx Firefox users are “safe” from beeing exploited via the security issue, after having KB974455 (the Cumulative Security Update for Internet Explorer(!)) installed.

    @Alan
    The Add-On Blocklist has been updated and does indeed list “Microsoft .NET Framework Assistant and Windows Presentation Foundation, all versions, for all applications. Reason: remote code execution vulnerability (see bug 522777)” in the meantime.

  7. Jules wrote on

    When I click on the ‘more information’ link on the plugin list to try to find out why the plugin is blocked, I get a certificate error:

    “en-gb.www.mozilla.com:443 uses an invalid security certificate.

    The certificate is only valid for *.mozilla.com

    (Error code: ssl_error_bad_cert_domain)”

    There’s no option to view the page anyway, so I’ve been searching for the last 20 minutes to figure out _why_ this block has been put in place. This is hardly good user support.

  8. Hanspeter wrote on

    How will this affect Seamonkey? In Firefox, I can go to Tools > Addons and manually disable it there or wait for the block list to propagate, but I can’t find a way to do this in Seamonkey (about:plugins still shows it).

  9. Jipe wrote on

    Hi,

    It prevented my firefox 3.5.3 to run on Vista (no window appears anymore, no error message…).

    I had to run FF in safe mode and uninstall the plugin to be able to run it again.

  10. James Hedges wrote on

    haha it won’t uninstall unless it is enabled. I will be using Opera now.

  11. fred wrote on

    How can I edit the blocklist myself to disable addons inserted into my computer without my knowledge like the .net assistant? I have tried everything I can think of to remove the .net assistant from my computer but every time .net updates its placed back in. I just want to permablock the unwanted app by choice and have the ability to remove the block as I desire.

  12. MOM2006 wrote on

    thank you for doing that.

    there was an update released by microsoft which fixes the .NET security issues. not the plugin is the problem. a .NET system component was the problem.

    so how to I get the plugin unblocked?

    In my eyes the automatically block of add-ons is bullshit.

    another bullshit:

    it’s not possible to read in firefox why the add-on currently is blocked because the websever of the more information link has no valid ssl cert.

    error message:

    de.www.mozilla.com:443 verwendet ein ungültiges sicherheitszertifikat.

    Das Zertifikat gilt nur fur *.mozilla.com.

    So create job. Maybe it’s a better solution to use software which will no act as guardian for the pc user.

  13. Eric wrote on

    The handling of this is rubbish.

    1. Why force block of a component when a fix is already distributed by Microsoft?

    2. It is beyond parody that I cannot follow your link on the popup and read the blocklist because Mozilla Firefox tells me that Mozilla’s security certificate is not valid for that page… WTF?

    How do I un-block these unnecessarily blocked components?

  14. Daniel Veditz wrote on

    Drop the initial locale subdomain and the link will work. We used those in Firefox 3.0 when our SSL library let wildcard certs match multiple domain levels. We changed that behavior after this past summer’s BlackHat to the more industry-standard wildcard behavior but apparently forgot these links were in the older version of the product.

    Sorry about that — we’ll get it fixed as fast as we can!
    https://bugzilla.mozilla.org/show_bug.cgi?id=522877

  15. arejfour wrote on

    I uninstalled the frame work add-on. I hope that didn’t cause any problems. Everything seems to running ok. Please advise if my uninstallation is ok

  16. Robert Kaiser wrote on

    Hanspeter:
    In SeaMonkey 2.0 (which is in release candidate stage right now), those things work the same as in Firefox – and the Mozilla guys also did put this on the SeaMonkey blocklist, not just the Firefox one, thanks for that!

  17. Sean wrote on

    I can’t drop the initial locale subdomain – as soon as I try it redirects BACK to having the subdomain.

    https://en-gb.www.mozilla.com/en-GB/blocklist/

    gives the ssl_error_bad_cert_domain

    https://www.mozilla.com/en-GB/blocklist/

    immediately redirects to the original domain.

  18. Sean wrote on

    Actually dropping the HTTPS to HTTP allowed me to view the page – and ironically:

    http://en-gb.www.mozilla.com/en-GB/blocklist/

    redirects to

    http://www.mozilla.com/en-US/blocklist/

    which, if the HTTPS connection had done the same, we wouldn’t have this problem 😉

  19. Rajah Donalt wrote on

    I dislike that MS sneak insalled the .NET add-on and provided no way to uninstall it. However, it’s functionality provided a way for us to use FF for our ClickOnce apps, allowing us to fully switch from IE to FF in our business. Today our computers starting reporting the message that this add-on is blocked with no way to unblock it. As a result we have to touch all our computers and switch back to IE – on a weekend no less. Did you even bother to think about how you would affect people by taking this heavy handed action?

    Mozilla has just proved they are no better than MS. When will companies stop it with the “we know what’s best for everyone so deal with it” mentality? FF is getting uninstalled from hundreds of computers this weekend and FF will no longer be my browser of choice after this incident.

  20. Drew wrote on

    Yah. I saw this when I was on youtube at like 5am today and then I just clicked the uninstall button. However, I;m sure that didnt really do anything since the extension is still int he registry I think.

    also, what does this addon/extension even do and do you even need it?

  21. ff poster wrote on

    what happens when you uninstall the addon from addons when you open FF?

  22. Brian wrote on

    the blocklist told me to restart firefox to remove the .net assistant and windows presentation foundation plugin, but only removed the .net assistant, how do i remove the windows presentation foundation plugin?

  23. Rajah Donalt wrote on

    My comment critical of this decision appears to have been removed. Is Mozilla unwilling to take responsibility for it’s actions and must stifle any contrary views?

  24. DannyStaple wrote on

    Hmm – shame about some of the knee jerk comments here. It is good the MS and Mozilla worked together to block this, and now MS have released a patch to fix the hole, then it should be unblocked too.

    I saw the broken SSL cert too – worried me for a moment that it was something with less than honourable intentions.

  25. BRoper wrote on

    A little over-aggresive on the Mozilla side — blocking the .Net extension and WPF plugin for millions of users when the patch was released by Microsoft this week. Watching the decision making process was kind of scary:

    https://bugzilla.mozilla.org/show_bug.cgi?id=522777

    BTW, you can circumvent this heavy-handed approach by disabling the blocklist in Firefox: about:config -> extensions.blocklist.enabled -> false

  26. Larry Seltzer wrote on

    According to Microsoft (http://blogs.technet.com/srd/archive/2009/10/12/ms09-054.aspx) the vulnerability is fixed if you apply the update, which I did on Tuesday. And yet Firefox just blocked it anyway.

    It makes no sense to block it just because some people might be unpatched. By that logic you should block Flash and Acrobat too.

  27. BTS wrote on

    @Larry Seltzer

    Speak for yourself. I think it made no sense for Microsoft to forcefully install the plugin in the first place. I’m glad Mozilla is using the blocklist to tell me something might be wrong. I’d rather do a little more work to enable the plugin then have it done for me and cause this mess without me knowing it.

  28. confused wrote on

    I uninstalled the addon, was this okay to do?
    what does the addon even do and is it needed?
    why is the microsoft presentation foundation still in the extensions.

    Im really paranoid when it comes to things like this it would be awesome if someone could provide some answers

    also, I patched last week but still uninstalled the addon.

  29. SayNoToStealthInstalls wrote on

    Microsoft has no rights or reason to stealth install plugins and extensions.

    ClickOnce deployers should be ashamed of themselves for depending on this crap to deploy apps.

  30. Mark wrote on

    So any estimates on how long we’re going to be without this? As Rajah pointed out, some of us need this if we’re going to be working in Firefox. (Especially us .Net developers!) I can switch back to IE8 for now, but hopefully we’ll be alerted when the add-on is fixed. Though I thought it already was…

  31. 80s Rocker wrote on

    MS did not forcefully install the plugin. You probably installed a Click-Once applications and it had to install it to run the application. When prompted about the add-in being installed you said yes (w/o knowing what you installed). Don’t go about accusing MS of forcefully installing something without your knowledge. As far as I know you cannot install an extension in Firefox without the users approval or it being manually installed. If that is not the case the Firefox is not more secure that IE with ActiveX controls.

    Firefox should not have blocked this, at the most they should have given the user an option to disable these add-in after letting users no the risk. As stated in previous comments, this will cause many companies to switch back to MS because they rely on click-once. So Firefox shot themselves with this decision that was not theirs to make.

  32. James wrote on

    Mike, and I’ve now disabled your security update mechanism, since I had a properly patched system before you blocked. You also seem to have the tense wrong in your post: it’s not “has a security vulnerability, it’s “had a fixed at the time we blocked it security vulnerability”. It also seems doubtful that Microsoft really does recommend blocking the patched product so the tense in that is probably also needs to be past rather than present.

    You might also want to consider the market incentives of blocking even patched plugin versions, removing a significant incentive for less careful vendors to patch their plugin quickly to avoid being blocked. I do appreciate that it’s a limitation of your own product that means you’re currently unable to do this.

    Assuming I remember, I’ll turn the functionality on again once it’s been refined a bit more thoroughly.

  33. SDL wrote on

    I just got the blocking dialog except I’ve already installed all the relevant security patches from Microsoft so these components are not presently vulnerable on my system. Your blocklist information page seems to indicate you block all versions of the plug-in, but not all systems with the plug-in installed are vulnerable; systems can be patched.

    My point being:
    Your blocklist is disabling add-ons that do not actually have a security/stability risk in all cases (ie. it ignores patch level).

    This can’t possibly be a good thing, and it’s somewhat irritating to be told that Firefox just automatically disabled certain add-ons (and wants me to restart it) over a security/stability risk that I know no longer exists.

  34. execoot wrote on

    Well done, Mozilla.

  35. Justin wrote on

    I really appreciate Mozilla blocking this. I switched away from IE for many reasons one of which was security issues.

    When it comes to security Microsoft has no idea what their doing. I really believe they try to fix bugs but their fixes arrive as updates almost daily, in the hundreds of MB which slows down the computer like crazy and is a giant inconvenence. Sure Microsoft releases a patch, horray, it will work for a week until another whole is exploited. The fundamental underlying structure of their software has to be the reason for all of the security problems their software has. They have 100 times more issues than most companys.

    I have TRIED several times to remove this .NET framework before to no avail. Had this not been blocked by Mozilla, I GUARANTEE you the problems with stability and security would be forthcoming and exponential.

    Not to mention Microsoft has just added another reason to be on my $hit list. Stealth installs, and pain in the a** 2 page long list of how to uninstall something you never asked for in the first place. Thanks again. I LOVE FIREFOX. For all those having issues with .NET framework, I am sure there is an extension by someone other than Microsoft, that offers the same functionality with less BS.

  36. Kevin wrote on

    If you REALLY want to re-enabled forcefully disabled addons, type “about:config” in Firefox, and set “extensions.blocklist.enabled” to false. and restart. You can now re-enable them.

    It’s unfortunate by my entire IT staff depends on ClickOnce deployment. We patched out the vulnerability and will re-enable the blocklist once these are removed.

  37. MOM2006 wrote on

    @justin

    it’s not the task from mozilla to decide which software a user has to use.

    if microsoft’s software is so terrible in your eyes, why don’t you use a different software?

  38. Clubs wrote on

    @MOM2006:

    It is also “not the task” [sic] of Microsoft to decide what software a user has to use, but they took it upon themselves to stealth-install the add-on in the first place and, to add insult to injury, a security vulnerability was found in the software.

    Not that I care, I use Linux and OpenSolaris and I can’t help but feel a smug sense of satisfaction every time a problem with Microsoft software arises.

  39. naranha wrote on

    @MOM2006: The problem is that most users won’t even know about this Addon. It’s installed automatically when installing the .NET Framework, which is needed for many modern applications.

    Besides that, Blocklists with version numbers are definately a good idea.

  40. Larry Seltzer wrote on

    I don’t like the stealth installation that Microsoft did either, but the impact of it is being grossly exaggerated here and elsewhere. I mean you’re running Windows for chrissake! It’s not like avoiding these plugins will protect you from running Microsoft code.

  41. Anon wrote on

    I disabled these plugins the moment I noticed them due to the fear of security flaws and it seems that fear was entirely justified.

    Anyone who is using non-genuine microsoft windows with firefox and who has installed “.net 3.5” will have these plugins and will not receive the microsoft security update, so mozilla is entirely right to block these plugins as they are dangerous and degrade the security of firefox.

    Even though people should not be using non-genuine windows, the fact is that millions are and for the general benefit of all of us, (eg not getting spam from botnets), mozilla should do everything it can to ensure the overall security of the web which is what it has done here by blocking these plugins.

    Keep up the great work guys!

  42. Tomas wrote on

    @MOM2006

    It is not Microsoft’s task either. I have never asked to install .NET assistant on my machine and I don’t use ClickOnce apps in Firefox. I’ve installed .NET runtime because some software required it. That software is standalone application and does not run in browser.

    Microsoft installed browser’s extensions without warning and consent. They abused browser’s features and tried to hide installed extension from end user. .NET plugins are malware. If you depend on them, shame on you.

  43. Casper Andersen wrote on

    I agree with Mozilla disabling add-ins that contain critical security flaws. Why does Mozilla not block Adobe, or Sun plugins? The security updates for Adobe, Sun and Microsoft are distributed in the same way, so why aren’t they treated equally?

  44. Tang YingRong wrote on

    Is there anyway to enable it? Do I have rights to enable it?

  45. Jerome Haltom wrote on

    This is dumb. If I get into work tomorrow and none of our ClickOnce apps run, I’m going to have to walk around to over hundred computers and remove Firefox. Yeah. Thanks, folks.

  46. Larry Seltzer wrote on

    Mike Shaver and I have been discussing this on Slashdot.

    http://tech.slashdot.org/comments.pl?sid=1408445&cid=29783553

  47. ant wrote on

    You shouldn’t block it, you should rip it out completely. I know Firefox is a browser and not an antivirus but you need to take a harder line against malware like this that infects the browser behind your back and has no uninstall button. I’ll be redirecting the infected UAs from my website to removal pages from now on.

  48. Mike wrote on

    MOM2006:

    It’s not Microsoft’s responsibility to install plugins into my browser that I didn’t ask for.

  49. virgil wrote on

    Thank you! I’ve stopped using Firefox lately because it was constantly freezing for ~20s or so, and I couldn’t find the root cause.
    After you disabled the WPF addon, all seems to have gone back to normal.
    I’m not even sure how/when I got it installed :(, but I’ll surely pay lots of attention to any MS addon in the future.

  50. Bob wrote on

    For those complaining they can’t use the M$ plug-in, read the comments, you’ll see post #25 from BRoper saying you can disable the blocking list in about:config. This block list is a feature, just like most things in FF one that can be disabled.

  51. Fred wrote on

    Please implement a way to easily turn back on disabled add-ons. Kudos to you for determining something that wasn’t safe, and blocking it automatically. If I was testing this add-on, or another, I’d be pretty pissed right now.

    Don’t be the big brother you all are pretending to fight right now.

  52. hippiejake wrote on

    Oh, the irony. Just after Microsoft was bitching at Google for creating Chrome Frame, this hits.

    Now Mozilla just needs to create some BS plugin for Chrome and the circle will be complete. Really, why can’t they just stop fscking with each others’ products? [Particularly when it tends to break things.]

  53. Sammy wrote on

    This is a sad state of affairs. Microsoft (The home of bad code) sneak installs a plug-in. Now fanboys are complaining its disabled?
    If you love M$ so much, why not keep running IE? O thats right, its a disaster waiting to happen.

    Good going Mozilla!!!! Block all the M$ crap that self installs!

  54. Sammy wrote on

    @MOM2006

    it’s not the task from Microsoft to decide which software a user has to use, and sneak install plugins in other companies software.

    if mozilla’s software is so terrible in your eyes, why don’t you use a different software? Why not use IE, and get loads of malware and viruses self installing. O wait, thats a feature of M$.

  55. Dan wrote on

    Why bother with asking Microsoft, they didn’t ask me before installing this Firefox security hole on my system?

  56. blah wrote on

    Please permanently disable ALL plugins and addons from Microsoft. [edited to remove profanity -dveditz]

  57. Nik B. wrote on

    Justin wrote: “When it comes to security Microsoft has no idea what their doing.”

    Do the Debian guys know what they’re doing? Do the Mozilla guys know? What about Adobe? The Linux kernel team? All of them have had their share of critical vulnerabilities.

    And while we’re on the subject, do *YOU* have any idea when it comes to security? How many bugs do you get per 1M LOC, if you even write code? How many people are using your software and how much scrutiny has it undergone for security issues?

    Justin wrote: “The fundamental underlying structure of their software has to be the reason for all of the security problems their software has. They have 100 times more issues than most companys.”

    Even if it’s true that they have 100 times more issues than most “companys” (sic) you’re leaving out the very pertinent fact that they probably have about 100 times more code out there as well. That kind of puts things in a different perspective doesn’t it?

    Justin: “I have TRIED several times to remove this .NET framework before to no avail.”

    It took me all of 10 minutes. If you can’t uninstall it, you must either be computer illiterate or simply incompetent.

    Justin wrote: “Had this not been blocked by Mozilla, I GUARANTEE you the problems with stability and security would be forthcoming and exponential.”

    You GUARANTEE it? In all capital letters? Wow… You sold me. I’ll take 5 or whatever you’re selling. After all, if some guy named Justin who can’t uninstall the .NET framework from his computer GUARANTEES it, what else could I ask for?

    Justin wrote: “Not to mention Microsoft has just added another reason to be on my $hit list.”

    I’m sure Microsoft will send you a fruit-basket to make amends. After all, who wants to be on the ****-list of Justin, a guy who can’t uninstall the .NET framework from his computer.

    Justin wrote: “For all those having issues with .NET framework, I am sure there is an extension by someone other than Microsoft, that offers the same functionality with less BS.”

    But do you GUARANTEE it?

  58. InvadedPrivacy wrote on

    Since when is installing plugins to third party software something MS is allowed to do without permission?

    What other apps are MS allowed to convertly modify?

    Will MS bork my OpenOffice next by adding a great new .NET plugin?

    Is it only competing products that require a good .NET rogering?

    Hands off my computer MS. You are not welcome.

  59. Johnny Wishbone wrote on

    “Companies rely on clickonce”.

    How is the risk of using clickonce mitigated in these “many” companies?

    Surely they wouldn’t use a kludgy hammer like clickonce and have 12 year old kids on less than McDonald payrates installing it? So if clickonce fails you have an army of children and no apps? LOL, sucked in for being cheap sweatshop operators.

    No pity for companies that hang their hat on clickonce.

  60. Paul wrote on

    Please, for the love of god, NEVER allow Microsoft to install silent plugins into Firefox. Tell them that unless there is a massive, flashing bold warning saying nothing short of “Do you want to let microsoft install IE into Firefox”, put them on a permaban list. Dont bother asking them if you would let us ban your software, just dont allow them to introduce massive security holes into your trusted software.

  61. Pete wrote on

    You did the right thing. Almost nobody needs this add-on, the few that do can probably turn it back on with the add-on Nightly Tester Tools on a fully patched windoz system. Complain to Microsoft about the vulnerability and not here. For the .0001% that need it turning it off to protect the 99.999% that most don’t even know that it was installed was the right thing to do.

    The bottom line is its BROKEN and has no business on Mozilla code. Even Microsoft agreed.

  62. dbmuse wrote on

    I was able to delete it… oh happy day.

  63. Eric Stafford wrote on

    To Mike Shaver:

    What happened to your collective ethics? Microsoft has become, in my constitutionally protected opinion, exactly like the over-reactive, paranoid and unscrupulous corporations of the past that become so big and oppressive that their missions became the destruction of competition rather than excellence.

  64. Vivek T. Mahadik wrote on

    Thanks,

    Well done, Mozilla!!!
    after long Diwali holiday.. My computer started reporting the message that Microsoft add-on is blocked.

    I permanently disable ALL plugins and addons from Microsoft…till the problem is solve…

    Enjoy …. Happy Diwali!!!

  65. Insano wrote on

    How about adding a functionality that allows the user to uninstall the plugin completely? I should be able to chose what plugins are installed.

  66. anonymous coward wrote on

    I think this case just shows there is a weakness in firefox plugin installation system – MS shouldn’t be able to silently install their plugins in the first place.
    I think some startup check for new plugins, and a warning if they are found would help, with default state disabled. Then there would be no need to ban plugins at all.

  67. Chris wrote on

    And this is why companies with a known reputation for writing buggy exploitable software shouldn’t force users to install buggy exploitable software.

  68. Tim wrote on

    I didn’t know this feature existed until now. Also, “for your protection” sounds very draconian (especially as this was forced).

    The list was downloaded and the plugins were blocked before I knew about the configuration option mentioned in comment #25. Toggling it doesn’t make a difference to the plugins that are already disabled. I had to open the pluginreg.dat in the profile folder and edit the line that looks like:

    (large number)|1|20|$

    to

    |1|1|$

    to make it go back to normal.

  69. PC.Tech wrote on

    This really smells rotten to the core.

    We choose Firefox to get the evil M$ crapola OUT of the browser experience, and now this collusion with them questions the security issues we expected to avoid – you are digging your own grave.

    .

  70. chase wrote on

    Great, ie is trying to infect ff

  71. Dewi Morgan wrote on

    Critically, please make it so that MS and other malicious-but-trusted parties cannot easily-and-by-design install addons without user consent.

    If I’ve got java and javascript and flash turned off, that means I want *no scripting kthx*, not “no scripting unless MS decides to silently add in a new scripting javalike mechanism”.

    When I want good anonymity and security, I choose FF inside a virtual machine inside an encrypted container, because it does not have IE-style gaping MS-security-fissures. Letting them silently install a security-goatse of this scale entirely violates that.

  72. Dewi Morgan wrote on

    When I went with Firefox, it was a vote against MS’ ability to make secure browsing apps.

    Allowing them to silently install insecure scripting engines into Firefox is… well, a real slap in the face for the people who thought they’d moved away from that.

  73. Chevy wrote on

    WOW!
    That’s why I use linux….

  74. luminositee wrote on

    Thanks for figuring this out–I noticed it in my add-ons awhile ago and couldn’t figure out how it had gotten there. After spending a bit of time trying to uninstall/disable it, I gave up (I love firefox, but I don’t know much more about computers than this: http://xkcd.com/627/). So, I’m really glad to finally know what’s going on with this app and how to uninstall it!

  75. freedom defence wrote on

    I’m dispointed to have found out that mozilla allowed these MS plugins to be installed in the first place, as this makes me question firefox security which I always trusted. I was happy with the action they took, but now I’m even more disapointed to find out they have taken the .Net Framework Assistant off the blocklist, because Microsoft say it is safe.
    Well sorry I don’t believe this, I don’t trust Microsoft and their so called experts, I believe it is a security risk and it should not be allowed to be automatically installed like that.
    What happened to freedom of choice?????????????
    The very browser I trusted for my security, turns out to be just as vunerable as any other browser.

  76. windoz wrote on

    It is your system and it xas part of a service pack. Funny how long it takes since the first install.

  77. komba wrote on

    like .net but its coding too cmplicated not user friend

  78. Chainsaw wrote on

    It crashes every computer here at the university that runs Firefox. Continually. No special action, just use Firefox, browse some web pages, but don’t forget to save bookmarks regularly, because when it crashes, Firefox can’t recover anything. Thankfully, after a couple of these, Firefox figures it out and disables the damned thing. But only for that user, on that machine, and not permanently…

    When there’s functional Noscript and RemoveItPermanently addons for IE, I’ll consider switching.

    At this date, it BEHAVES like malware. So it should be blocked until it no longer does this.

    And the function it performs, is to make it easier to accidentally run untrusted apps off webpages by just clicking on them. Didn’t we just spend ten years trying to STOP browsers from doing this??? So the only way to REALLY make it not behave like malware is to disable the larger function that it is trying to assist…

  79. Daniel Veditz wrote on

    Chainsaw: are you sure the crashes are due to this? WPF usage should be rare on the web, and a plugin isn’t even loaded unless we encounter content that requires it.

  80. sikiş wrote on

    When I went with Firefox, it was a vote against MS’ ability to make secure browsing apps.

    Allowing them to silently install insecure scripting engines into Firefox is… well, a real slap in the face for the people who thought they’d moved away from that.

  81. Ahmad Barirani wrote on

    I love the fact that Mozilla has to step up and protect Microsoft clients from Microsoft.

  82. Greg wrote on

    There should be a default setting to prevent any change to Firefox without your permission – one that you have to deliberately change manually if you want it otherwise.