.NET Framework Assistant Blocked to Disarm Security Vulnerability

Johnathan Nightingale


Mike Shaver, Mozilla’s Vice President of Engineering writes:

I’ve previously posted about the .NET Framework Assistant add-on that was delivered via Windows Update earlier this year. It’s recently surfaced that it has a serious security vulnerability, and Microsoft is recommending that all users disable the add-on.

Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism. Microsoft agreed with the plan, and we put the blocklist entry live immediately. (Some users are already seeing it disabled, less than an hour after we added it!)

Update (Sunday Oct 18, 6:30pm PDT): Microsoft has now confirmed that the Framework Assistant add-on is not a vector for this attack, and we have removed the entry from the blocklist. We are also working on a mechanism to allow Firefox users to re-enable the WPF plugin ahead of its eventual removal from the blocklist. For more information, see Mike Shaver’s latest blog post.

82 responses

  1. Alan Baxter wrote on :

    I don’t see it listed on the Add-ons Blocklist page at https://www.mozilla.com/en-US/blocklist/. Should it be?

  2. Gavin Sharp wrote on :

    Alan: that page was just updated – look again!

  3. Angry Firefox User wrote on :

    You better leave both Microcrap addons/plugins disabled PERMANENTLY, even when this fiasco subsides.

  4. Da Scritch wrote on :

    No ?
    Microsoft agreed ?
    No ???

    Aow yes, they said plugins are dangerous about Google Chrome… So do I

  5. fowl wrote on :

    The more info link is broken: https://en-gb.www.mozilla.com/en-GB/blocklist/

    (also, aren’t the WPF plugin and the ClickOnce extension completely separate, other than that they are both by Microsoft?)

  6. Ottmar Freudenberger wrote on :

    According to http://blogs.technet.com/srd/archive/2009/10/12/ms09-054.aspx Firefox users are “safe” from being exploited via the security issue, after having KB974455 (the Cumulative Security Update for Internet Explorer(!)) installed.

    @Alan
    The Add-On Blocklist has been updated and does indeed list “Microsoft .NET Framework Assistant and Windows Presentation Foundation, all versions, for all applications. Reason: remote code execution vulnerability (see bug 522777)” in the meantime.

  7. Jules wrote on :

    When I click on the ‘more information’ link on the plugin list to try to find out why the plugin is blocked, I get a certificate error:

    “en-gb.www.mozilla.com:443 uses an invalid security certificate.

    The certificate is only valid for *.mozilla.com

    (Error code: ssl_error_bad_cert_domain)”

    There’s no option to view the page anyway, so I’ve been searching for the last 20 minutes to figure out _why_ this block has been put in place. This is hardly good user support.

  8. Hanspeter wrote on :

    How will this affect Seamonkey? In Firefox, I can go to Tools > Addons and manually disable it there or wait for the block list to propagate, but I can’t find a way to do this in Seamonkey (about:plugins still shows it).

  9. Jipe wrote on :

    Hi,

    It prevented my firefox 3.5.3 to run on Vista (no window appears anymore, no error message…).

    I had to run FF in safe mode and uninstall the plugin to be able to run it again.

  10. James Hedges wrote on :

    haha it won’t uninstall unless it is enabled. I will be using Opera now.

  11. fred wrote on :

    How can I edit the blocklist myself to disable add-ons inserted into my computer without my knowledge, like the .NET assistant? I have tried everything I can think of to remove the .NET assistant from my computer, but every time .NET updates it’s placed back in. I just want to permablock the unwanted app by choice and have the ability to remove the block as I desire.

  12. MOM2006 wrote on :

    thank you for doing that.

    There was an update released by Microsoft which fixes the .NET security issues. The plugin is not the problem; a .NET system component was the problem.

    So how do I get the plugin unblocked?

    In my eyes the automatically block of add-ons is bullshit.

    another bullshit:

    It’s not possible to read in Firefox why the add-on currently is blocked, because the web server of the “more information” link has no valid SSL cert.

    error message:

    de.www.mozilla.com:443 verwendet ein ungültiges Sicherheitszertifikat.

    Das Zertifikat gilt nur für *.mozilla.com.

    So, great job. Maybe it’s a better solution to use software which will not act as guardian for the PC user.

  13. Eric wrote on :

    The handling of this is rubbish.

    1. Why force block of a component when a fix is already distributed by Microsoft?

    2. It is beyond parody that I cannot follow your link on the popup and read the blocklist because Mozilla Firefox tells me that Mozilla’s security certificate is not valid for that page… WTF?

    How do I un-block these unnecessarily blocked components?

  14. Daniel Veditz wrote on :

    Drop the initial locale subdomain and the link will work. We used those in Firefox 3.0 when our SSL library let wildcard certs match multiple domain levels. We changed that behavior after this past summer’s BlackHat to the more industry-standard wildcard behavior but apparently forgot these links were in the older version of the product.

    Sorry about that – we’ll get it fixed as fast as we can!
    https://bugzilla.mozilla.org/show_bug.cgi?id=522877
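The certificate error several commenters hit follows directly from the behaviour Daniel Veditz describes: a certificate for `*.mozilla.com` used to be accepted for `en-gb.www.mozilla.com` because the wildcard was allowed to span more than one DNS label, and the industry-standard rule lets it cover exactly one label. The following Python is an added illustration (not code from Mozilla or from this page) of both matching rules side by side; the function names and the hostnames used in the checks are constructed for the example, and the single-label rule is the one RFC 6125 describes, not Mozilla’s actual implementation.

```python
"""Certificate hostname matching: why *.mozilla.com covers www.mozilla.com
but not en-gb.www.mozilla.com once a wildcard may span only one label."""

# Constructed sample taken from the comment thread above: the locale-prefixed
# blocklist host, the certificate's wildcard name, and the host that works.
CERT_WILDCARD = "*.mozilla.com"
LOCALE_HOST = "en-gb.www.mozilla.com"
PLAIN_HOST = "www.mozilla.com"


def _labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def wildcard_matches(pattern, hostname, single_label=True):
    """Return True if certificate name `pattern` is valid for `hostname`.

    single_label=True  -> industry-standard rule: '*' matches exactly one
                          label (the behaviour the comment says Firefox
                          moved to).
    single_label=False -> the older, permissive rule where '*' could swallow
                          several labels (hypothetical reconstruction).
    """
    pat = _labels(pattern)
    host = _labels(hostname)
    if "*" not in pattern:
        # No wildcard: names must agree label for label (case-insensitive).
        return pat == host
    if pattern.count("*") != 1 or pat[0] != "*":
        # Only a whole leftmost label may be a wildcard; reject 'f*o.example'
        # and wildcards deeper in the name.
        return False
    if len(pat) < 3:
        # Refuse '*.com'-style patterns that would cover an entire TLD.
        return False
    suffix = pat[1:]
    if len(host) <= len(suffix) or host[-len(suffix):] != suffix:
        # The fixed part of the pattern must be the tail of the hostname,
        # and at least one label must remain for '*' to consume.
        return False
    leading = host[:-len(suffix)]
    if single_label:
        return len(leading) == 1
    return len(leading) >= 1


def strip_locale_subdomain(hostname):
    """Drop the leading locale label the comment says to remove (e.g.
    'en-gb.www.mozilla.com' -> 'www.mozilla.com'). Assumes the locale is
    always the first label, as in the links quoted in this thread."""
    labels = _labels(hostname)
    return ".".join(labels[1:]) if len(labels) > 3 else hostname


def explain(pattern, hostname):
    """Summarise, per matching rule, whether the browser would accept the
    certificate; the error name is the one quoted by commenters above."""
    strict_ok = wildcard_matches(pattern, hostname, single_label=True)
    legacy_ok = wildcard_matches(pattern, hostname, single_label=False)
    return {
        "hostname": hostname,
        "strict": "ok" if strict_ok else "ssl_error_bad_cert_domain",
        "legacy": "ok" if legacy_ok else "ssl_error_bad_cert_domain",
    }


if __name__ == "__main__":
    for host in (LOCALE_HOST, PLAIN_HOST, strip_locale_subdomain(LOCALE_HOST)):
        print(explain(CERT_WILDCARD, host))
```

Running the block prints that `en-gb.www.mozilla.com` is accepted only under the legacy rule, while `www.mozilla.com` (the name left after dropping the locale label) passes under both, which is exactly the difference between Firefox 3.0-era links and the behaviour the comment describes.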

  15. arejfour wrote on :

    I uninstalled the framework add-on. I hope that didn’t cause any problems. Everything seems to be running OK. Please advise if my uninstallation is OK.

  16. Robert Kaiser wrote on :

    Hanspeter:
    In SeaMonkey 2.0 (which is in release candidate stage right now), those things work the same as in Firefox – and the Mozilla guys also did put this on the SeaMonkey blocklist, not just the Firefox one, thanks for that!

  17. Sean wrote on :

    I can’t drop the initial locale subdomain – as soon as I try it redirects BACK to having the subdomain.

    https://en-gb.www.mozilla.com/en-GB/blocklist/

    gives the ssl_error_bad_cert_domain

    https://www.mozilla.com/en-GB/blocklist/

    immediately redirects to the original domain.

  18. Sean wrote on :

    Actually dropping the HTTPS to HTTP allowed me to view the page – and ironically:

    http://en-gb.www.mozilla.com/en-GB/blocklist/

    redirects to

    http://www.mozilla.com/en-US/blocklist/

    which, if the HTTPS connection had done the same, we wouldn’t have this problem ;)

  19. Rajah Donalt wrote on :

    I dislike that MS sneak-installed the .NET add-on and provided no way to uninstall it. However, its functionality provided a way for us to use FF for our ClickOnce apps, allowing us to fully switch from IE to FF in our business. Today our computers started reporting the message that this add-on is blocked, with no way to unblock it. As a result we have to touch all our computers and switch back to IE – on a weekend, no less. Did you even bother to think about how you would affect people by taking this heavy-handed action?

    Mozilla has just proved they are no better than MS. When will companies stop it with the “we know what’s best for everyone so deal with it” mentality? FF is getting uninstalled from hundreds of computers this weekend and FF will no longer be my browser of choice after this incident.

  20. Drew wrote on :

    Yah. I saw this when I was on YouTube at like 5am today and then I just clicked the uninstall button. However, I’m sure that didn’t really do anything, since the extension is still in the registry I think.

    also, what does this addon/extension even do and do you even need it?

  21. ff poster wrote on :

    what happens when you uninstall the addon from addons when you open FF?

  22. Brian wrote on :

    The blocklist told me to restart Firefox to remove the .NET assistant and Windows Presentation Foundation plugin, but it only removed the .NET assistant. How do I remove the Windows Presentation Foundation plugin?

  23. Rajah Donalt wrote on :

    My comment critical of this decision appears to have been removed. Is Mozilla unwilling to take responsibility for its actions and must stifle any contrary views?

  24. DannyStaple wrote on :

    Hmm – shame about some of the knee-jerk comments here. It is good that MS and Mozilla worked together to block this, and now that MS have released a patch to fix the hole, it should be unblocked too.

    I saw the broken SSL cert too – worried me for a moment that it was something with less than honourable intentions.

  25. BRoper wrote on :

    A little over-aggressive on the Mozilla side – blocking the .NET extension and WPF plugin for millions of users when the patch was released by Microsoft this week. Watching the decision-making process was kind of scary:

    https://bugzilla.mozilla.org/show_bug.cgi?id=522777

    BTW, you can circumvent this heavy-handed approach by disabling the blocklist in Firefox: about:config -> extensions.blocklist.enabled -> false

  26. Larry Seltzer wrote on :

    According to Microsoft (http://blogs.technet.com/srd/archive/2009/10/12/ms09-054.aspx) the vulnerability is fixed if you apply the update, which I did on Tuesday. And yet Firefox just blocked it anyway.

    It makes no sense to block it just because some people might be unpatched. By that logic you should block Flash and Acrobat too.

  27. BTS wrote on :

    @Larry Seltzer

    Speak for yourself. I think it made no sense for Microsoft to forcefully install the plugin in the first place. I’m glad Mozilla is using the blocklist to tell me something might be wrong. I’d rather do a little more work to enable the plugin than have it done for me and cause this mess without me knowing it.

  28. confused wrote on :

    I uninstalled the add-on; was this okay to do?
    What does the add-on even do, and is it needed?
    Why is the Microsoft Presentation Foundation still in the extensions?

    I’m really paranoid when it comes to things like this; it would be awesome if someone could provide some answers.

    Also, I patched last week but still uninstalled the add-on.

  29. SayNoToStealthInstalls wrote on :

    Microsoft has no rights or reason to stealth install plugins and extensions.

    ClickOnce deployers should be ashamed of themselves for depending on this crap to deploy apps.

  30. Mark wrote on :

    So any estimates on how long we’re going to be without this? As Rajah pointed out, some of us need this if we’re going to be working in Firefox. (Especially us .Net developers!) I can switch back to IE8 for now, but hopefully we’ll be alerted when the add-on is fixed. Though I thought it already was…

  31. 80s Rocker wrote on :

    MS did not forcefully install the plugin. You probably installed a ClickOnce application and it had to install it to run the application. When prompted about the add-in being installed you said yes (without knowing what you installed). Don’t go about accusing MS of forcefully installing something without your knowledge. As far as I know you cannot install an extension in Firefox without the user’s approval or it being manually installed. If that is not the case, then Firefox is no more secure than IE with ActiveX controls.

    Firefox should not have blocked this; at the most they should have given the user an option to disable these add-ins after letting users know the risk. As stated in previous comments, this will cause many companies to switch back to MS because they rely on ClickOnce. So Firefox shot themselves with this decision that was not theirs to make.

  32. James wrote on :

    Mike, and I’ve now disabled your security update mechanism, since I had a properly patched system before you blocked. You also seem to have the tense wrong in your post: it’s not “has a security vulnerability”, it’s “had a security vulnerability that was fixed at the time we blocked it”. It also seems doubtful that Microsoft really does recommend blocking the patched product, so the tense in that probably also needs to be past rather than present.

    You might also want to consider the market incentives of blocking even patched plugin versions, removing a significant incentive for less careful vendors to patch their plugin quickly to avoid being blocked. I do appreciate that it’s a limitation of your own product that means you’re currently unable to do this.

    Assuming I remember, I’ll turn the functionality on again once it’s been refined a bit more thoroughly.

  33. SDL wrote on :

    I just got the blocking dialog except I’ve already installed all the relevant security patches from Microsoft so these components are not presently vulnerable on my system. Your blocklist information page seems to indicate you block all versions of the plug-in, but not all systems with the plug-in installed are vulnerable; systems can be patched.

    My point being:
    Your blocklist is disabling add-ons that do not actually have a security/stability risk in all cases (ie. it ignores patch level).

    This can’t possibly be a good thing, and it’s somewhat irritating to be told that Firefox just automatically disabled certain add-ons (and wants me to restart it) over a security/stability risk that I know no longer exists.

  34. execoot wrote on :

    Well done, Mozilla.

  35. Justin wrote on :

    I really appreciate Mozilla blocking this. I switched away from IE for many reasons one of which was security issues.

    When it comes to security Microsoft has no idea what they’re doing. I really believe they try to fix bugs, but their fixes arrive as updates almost daily, in the hundreds of MB, which slows down the computer like crazy and is a giant inconvenience. Sure, Microsoft releases a patch, hooray, it will work for a week until another hole is exploited. The fundamental underlying structure of their software has to be the reason for all of the security problems their software has. They have 100 times more issues than most companies.

    I have TRIED several times to remove this .NET framework before to no avail. Had this not been blocked by Mozilla, I GUARANTEE you the problems with stability and security would be forthcoming and exponential.

    Not to mention Microsoft has just added another reason to be on my $hit list. Stealth installs, and pain in the a** 2 page long list of how to uninstall something you never asked for in the first place. Thanks again. I LOVE FIREFOX. For all those having issues with .NET framework, I am sure there is an extension by someone other than Microsoft, that offers the same functionality with less BS.

  36. Kevin wrote on :

    If you REALLY want to re-enable forcefully disabled add-ons, type “about:config” in Firefox, set “extensions.blocklist.enabled” to false, and restart. You can now re-enable them.

    It’s unfortunate, but my entire IT staff depends on ClickOnce deployment. We patched out the vulnerability and will re-enable the blocklist once these are removed.

  37. MOM2006 wrote on :

    @justin

    It’s not Mozilla’s task to decide which software a user has to use.

    If Microsoft’s software is so terrible in your eyes, why don’t you use different software?

  38. Clubs wrote on :

    @MOM2006:

    It is also “not the task” [sic] of Microsoft to decide what software a user has to use, but they took it upon themselves to stealth-install the add-on in the first place and, to add insult to injury, a security vulnerability was found in the software.

    Not that I care, I use Linux and OpenSolaris and I can’t help but feel a smug sense of satisfaction every time a problem with Microsoft software arises.

  39. naranha wrote on :

    @MOM2006: The problem is that most users won’t even know about this add-on. It’s installed automatically when installing the .NET Framework, which is needed for many modern applications.

    Besides that, blocklists with version numbers are definitely a good idea.

  40. Larry Seltzer wrote on :

    I don’t like the stealth installation that Microsoft did either, but the impact of it is being grossly exaggerated here and elsewhere. I mean you’re running Windows for chrissake! It’s not like avoiding these plugins will protect you from running Microsoft code.

  41. Anon wrote on :

    I disabled these plugins the moment I noticed them due to the fear of security flaws and it seems that fear was entirely justified.

    Anyone who is using non-genuine Microsoft Windows with Firefox and who has installed “.NET 3.5” will have these plugins and will not receive the Microsoft security update, so Mozilla is entirely right to block these plugins as they are dangerous and degrade the security of Firefox.

    Even though people should not be using non-genuine windows, the fact is that millions are and for the general benefit of all of us, (eg not getting spam from botnets), mozilla should do everything it can to ensure the overall security of the web which is what it has done here by blocking these plugins.

    Keep up the great work guys!

  42. Tomas wrote on :

    @MOM2006

    It is not Microsoft’s task either. I never asked to install the .NET assistant on my machine and I don’t use ClickOnce apps in Firefox. I installed the .NET runtime because some software required it. That software is a standalone application and does not run in a browser.

    Microsoft installed browser’s extensions without warning and consent. They abused browser’s features and tried to hide installed extension from end user. .NET plugins are malware. If you depend on them, shame on you.

  43. Casper Andersen wrote on :

    I agree with Mozilla disabling add-ins that contain critical security flaws. Why does Mozilla not block Adobe, or Sun plugins? The security updates for Adobe, Sun and Microsoft are distributed in the same way, so why aren’t they treated equally?

  44. Tang YingRong wrote on :

    Is there any way to enable it? Do I have rights to enable it?

  45. Jerome Haltom wrote on :

    This is dumb. If I get into work tomorrow and none of our ClickOnce apps run, I’m going to have to walk around to over a hundred computers and remove Firefox. Yeah. Thanks, folks.

  46. Larry Seltzer wrote on :

    Mike Shaver and I have been discussing this on Slashdot.

    http://tech.slashdot.org/comments.pl?sid=1408445&cid=29783553

  47. ant wrote on :

    You shouldn’t block it, you should rip it out completely. I know Firefox is a browser and not an antivirus but you need to take a harder line against malware like this that infects the browser behind your back and has no uninstall button. I’ll be redirecting the infected UAs from my website to removal pages from now on.

  48. Mike wrote on :

    MOM2006:

    It’s not Microsoft’s responsibility to install plugins into my browser that I didn’t ask for.

  49. virgil wrote on :

    Thank you! I’ve stopped using Firefox lately because it was constantly freezing for ~20s or so, and I couldn’t find the root cause.
    After you disabled the WPF addon, all seems to have gone back to normal.
    I’m not even sure how/when I got it installed :(, but I’ll surely pay lots of attention to any MS addon in the future.

  50. Bob wrote on :

    For those complaining they can’t use the M$ plug-in: read the comments, and you’ll see post #25 from BRoper saying you can disable the blocklist in about:config. This blocklist is a feature, and like most things in FF, one that can be disabled.
