.NET Framework Assistant Blocked to Disarm Security Vulnerability

Johnathan Nightingale


Mike Shaver, Mozilla’s Vice President of Engineering writes:

I’ve previously posted about the .NET Framework Assistant add-on that was delivered via Windows Update earlier this year. It’s recently surfaced that it has a serious security vulnerability, and Microsoft is recommending that all users disable the add-on.

Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism. Microsoft agreed with the plan, and we put the blocklist entry live immediately. (Some users are already seeing it disabled, less than an hour after we added it!)

Update (Sunday Oct 18, 6:30pm PDT): Microsoft has now confirmed that the Framework Assistant add-on is not a vector for this attack, and we have removed the entry from the blocklist. We are also working on a mechanism to allow Firefox users to re-enable the WPF plugin ahead of its eventual removal from the blocklist. For more information, see Mike Shaver’s latest blog post.

82 responses

  1. Alan Baxter wrote on :

    I don’t see it listed on the Add-ons Blocklist page at https://www.mozilla.com/en-US/blocklist/. Should it be?

  2. Gavin Sharp wrote on :

    Alan: that page was just updated – look again!

  3. Angry Firefox User wrote on :

    You better leave both Microcrap addons/plugins disabled PERMANENTLY, even when this fiasco subsides.

  4. Da Scritch wrote on :

    No ?
    Microsoft agreed ?
    No ???

    Aow yes, they said plugins are dangerous about Google Chrome… So do I

  5. fowl wrote on :

    The more info link is borken: https://en-gb.www.mozilla.com/en-GB/blocklist/

    (also, isn’t the WPF plugin and the clickonce extension completely separate other than they are both by Microsoft)

  6. Ottmar Freudenberger wrote on :

    According to http://blogs.technet.com/srd/archive/2009/10/12/ms09-054.aspx Firefox users are “safe” from beeing exploited via the security issue, after having KB974455 (the Cumulative Security Update for Internet Explorer(!)) installed.

    The Add-On Blocklist has been updated and does indeed list “Microsoft .NET Framework Assistant and Windows Presentation Foundation, all versions, for all applications. Reason: remote code execution vulnerability (see bug 522777)” in the meantime.

  7. Jules wrote on :

    When I click on the ‘more information’ link on the plugin list to try to find out why the plugin is blocked, I get a certificate error:

    “en-gb.www.mozilla.com:443 uses an invalid security certificate.

    The certificate is only valid for *.mozilla.com

    (Error code: ssl_error_bad_cert_domain)”

    There’s no option to view the page anyway, so I’ve been searching for the last 20 minutes to figure out _why_ this block has been put in place. This is hardly good user support.

  8. Hanspeter wrote on :

    How will this affect Seamonkey? In Firefox, I can go to Tools > Addons and manually disable it there or wait for the block list to propagate, but I can’t find a way to do this in Seamonkey (about:plugins still shows it).

  9. Jipe wrote on :


    It prevented my firefox 3.5.3 to run on Vista (no window appears anymore, no error message…).

    I had to run FF in safe mode and uninstall the plugin to be able to run it again.

  10. James Hedges wrote on :

    haha it won’t uninstall unless it is enabled. I will be using Opera now.

  11. fred wrote on :

    How can I edit the blocklist myself to disable addons inserted into my computer without my knowledge like the .net assistant? I have tried everything I can think of to remove the .net assistant from my computer but every time .net updates its placed back in. I just want to permablock the unwanted app by choice and have the ability to remove the block as I desire.

  12. MOM2006 wrote on :

    thank you for doing that.

    there was an update released by microsoft which fixes the .NET security issues. not the plugin is the problem. a .NET system component was the problem.

    so how to I get the plugin unblocked?

    In my eyes the automatically block of add-ons is bullshit.

    another bullshit:

    it’s not possible to read in firefox why the add-on currently is blocked because the websever of the more information link has no valid ssl cert.

    error message:

    de.www.mozilla.com:443 verwendet ein ungültiges sicherheitszertifikat.

    Das Zertifikat gilt nur fur *.mozilla.com.

    So create job. Maybe it’s a better solution to use software which will no act as guardian for the pc user.

  13. Eric wrote on :

    The handling of this is rubbish.

    1. Why force block of a component when a fix is already distributed by Microsoft?

    2. It is beyond parody that I cannot follow your link on the popup and read the blocklist because Mozilla Firefox tells me that Mozilla’s security certificate is not valid for that page… WTF?

    How do I un-block these unnecessarily blocked components?

  14. Daniel Veditz wrote on :

    Drop the initial locale subdomain and the link will work. We used those in Firefox 3.0 when our SSL library let wildcard certs match multiple domain levels. We changed that behavior after this past summer’s BlackHat to the more industry-standard wildcard behavior but apparently forgot these links were in the older version of the product.

    Sorry about that — we’ll get it fixed as fast as we can!

  15. arejfour wrote on :

    I uninstalled the frame work add-on. I hope that didn’t cause any problems. Everything seems to running ok. Please advise if my uninstallation is ok

  16. Robert Kaiser wrote on :

    In SeaMonkey 2.0 (which is in release candidate stage right now), those things work the same as in Firefox – and the Mozilla guys also did put this on the SeaMonkey blocklist, not just the Firefox one, thanks for that!

  17. Sean wrote on :

    I can’t drop the initial locale subdomain – as soon as I try it redirects BACK to having the subdomain.


    gives the ssl_error_bad_cert_domain


    immediately redirects to the original domain.

  18. Sean wrote on :

    Actually dropping the HTTPS to HTTP allowed me to view the page – and ironically:


    redirects to


    which, if the HTTPS connection had done the same, we wouldn’t have this problem 😉

  19. Rajah Donalt wrote on :

    I dislike that MS sneak insalled the .NET add-on and provided no way to uninstall it. However, it’s functionality provided a way for us to use FF for our ClickOnce apps, allowing us to fully switch from IE to FF in our business. Today our computers starting reporting the message that this add-on is blocked with no way to unblock it. As a result we have to touch all our computers and switch back to IE – on a weekend no less. Did you even bother to think about how you would affect people by taking this heavy handed action?

    Mozilla has just proved they are no better than MS. When will companies stop it with the “we know what’s best for everyone so deal with it” mentality? FF is getting uninstalled from hundreds of computers this weekend and FF will no longer be my browser of choice after this incident.

  20. Drew wrote on :

    Yah. I saw this when I was on youtube at like 5am today and then I just clicked the uninstall button. However, I;m sure that didnt really do anything since the extension is still int he registry I think.

    also, what does this addon/extension even do and do you even need it?

More comments:1 2 3 5