.NET Framework Assistant Blocked to Disarm Security Vulnerability

Mike Shaver, Mozilla’s Vice President of Engineering, writes:

I’ve previously posted about the .NET Framework Assistant add-on that was delivered via Windows Update earlier this year. It’s recently surfaced that it has a serious security vulnerability, and Microsoft is recommending that all users disable the add-on.

Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism. Microsoft agreed with the plan, and we put the blocklist entry live immediately. (Some users are already seeing it disabled, less than an hour after we added it!)

Update (Sunday Oct 18, 6:30pm PDT): Microsoft has now confirmed that the Framework Assistant add-on is not a vector for this attack, and we have removed the entry from the blocklist. We are also working on a mechanism to allow Firefox users to re-enable the WPF plugin ahead of its eventual removal from the blocklist. For more information, see Mike Shaver’s latest blog post.

82 responses

  1. ff poster wrote on :

    What happens when you uninstall the add-on from Add-ons when you open FF?

  2. Brian wrote on :

    The blocklist told me to restart Firefox to remove the .NET Assistant and Windows Presentation Foundation plugin, but it only removed the .NET Assistant. How do I remove the Windows Presentation Foundation plugin?

  3. Rajah Donalt wrote on :

    My comment critical of this decision appears to have been removed. Is Mozilla unwilling to take responsibility for its actions and must stifle any contrary views?

  4. DannyStaple wrote on :

    Hmm – shame about some of the knee-jerk comments here. It is good that MS and Mozilla worked together to block this, and now that MS have released a patch to fix the hole, it should be unblocked too.

    I saw the broken SSL cert too – worried me for a moment that it was something with less than honourable intentions.

  5. BRoper wrote on :

    A little over-aggressive on the Mozilla side — blocking the .Net extension and WPF plugin for millions of users when the patch was released by Microsoft this week. Watching the decision making process was kind of scary:


    BTW, you can circumvent this heavy-handed approach by disabling the blocklist in Firefox: about:config -> extensions.blocklist.enabled -> false

  6. Larry Seltzer wrote on :

    According to Microsoft (http://blogs.technet.com/srd/archive/2009/10/12/ms09-054.aspx) the vulnerability is fixed if you apply the update, which I did on Tuesday. And yet Firefox just blocked it anyway.

    It makes no sense to block it just because some people might be unpatched. By that logic you should block Flash and Acrobat too.

  7. BTS wrote on :

    @Larry Seltzer

    Speak for yourself. I think it made no sense for Microsoft to forcefully install the plugin in the first place. I’m glad Mozilla is using the blocklist to tell me something might be wrong. I’d rather do a little more work to enable the plugin than have it done for me and cause this mess without me knowing it.

  8. confused wrote on :

    I uninstalled the add-on, was this okay to do?
    What does the add-on even do, and is it needed?
    Why is the Microsoft Presentation Foundation still in the extensions?

    I’m really paranoid when it comes to things like this; it would be awesome if someone could provide some answers.

    also, I patched last week but still uninstalled the addon.

  9. SayNoToStealthInstalls wrote on :

    Microsoft has no rights or reason to stealth install plugins and extensions.

    ClickOnce deployers should be ashamed of themselves for depending on this crap to deploy apps.

  10. Mark wrote on :

    So any estimates on how long we’re going to be without this? As Rajah pointed out, some of us need this if we’re going to be working in Firefox. (Especially us .Net developers!) I can switch back to IE8 for now, but hopefully we’ll be alerted when the add-on is fixed. Though I thought it already was…

  11. 80s Rocker wrote on :

    MS did not forcefully install the plugin. You probably installed a Click-Once application and it had to install it to run the application. When prompted about the add-in being installed you said yes (w/o knowing what you installed). Don’t go about accusing MS of forcefully installing something without your knowledge. As far as I know you cannot install an extension in Firefox without the user’s approval or it being manually installed. If that is not the case, then Firefox is not more secure than IE with ActiveX controls.

    Firefox should not have blocked this; at the most they should have given the user an option to disable these add-ins after letting users know the risk. As stated in previous comments, this will cause many companies to switch back to MS because they rely on Click-Once. So Firefox shot themselves with this decision that was not theirs to make.

  12. James wrote on :

    Mike, I’ve now disabled your security update mechanism, since I had a properly patched system before you blocked. You also seem to have the tense wrong in your post: it’s not “has a security vulnerability”, it’s “had a security vulnerability that was fixed at the time we blocked it”. It also seems doubtful that Microsoft really does recommend blocking the patched product, so the tense in that probably also needs to be past rather than present.

    You might also want to consider the market incentives of blocking even patched plugin versions, removing a significant incentive for less careful vendors to patch their plugin quickly to avoid being blocked. I do appreciate that it’s a limitation of your own product that means you’re currently unable to do this.

    Assuming I remember, I’ll turn the functionality on again once it’s been refined a bit more thoroughly.

  13. SDL wrote on :

    I just got the blocking dialog except I’ve already installed all the relevant security patches from Microsoft so these components are not presently vulnerable on my system. Your blocklist information page seems to indicate you block all versions of the plug-in, but not all systems with the plug-in installed are vulnerable; systems can be patched.

    My point being:
    Your blocklist is disabling add-ons that do not actually have a security/stability risk in all cases (i.e. it ignores patch level).

    This can’t possibly be a good thing, and it’s somewhat irritating to be told that Firefox just automatically disabled certain add-ons (and wants me to restart it) over a security/stability risk that I know no longer exists.

  14. execoot wrote on :

    Well done, Mozilla.

  15. Justin wrote on :

    I really appreciate Mozilla blocking this. I switched away from IE for many reasons one of which was security issues.

    When it comes to security Microsoft has no idea what they’re doing. I really believe they try to fix bugs, but their fixes arrive as updates almost daily, in the hundreds of MB, which slows down the computer like crazy and is a giant inconvenience. Sure Microsoft releases a patch, hooray, it will work for a week until another hole is exploited. The fundamental underlying structure of their software has to be the reason for all of the security problems their software has. They have 100 times more issues than most companies.

    I have TRIED several times to remove this .NET framework before to no avail. Had this not been blocked by Mozilla, I GUARANTEE you the problems with stability and security would be forthcoming and exponential.

    Not to mention Microsoft has just added another reason to be on my $hit list. Stealth installs, and pain in the a** 2 page long list of how to uninstall something you never asked for in the first place. Thanks again. I LOVE FIREFOX. For all those having issues with .NET framework, I am sure there is an extension by someone other than Microsoft, that offers the same functionality with less BS.

  16. Kevin wrote on :

    If you REALLY want to re-enable forcefully disabled add-ons, type “about:config” in Firefox, set “extensions.blocklist.enabled” to false, and restart. You can now re-enable them.

    It’s unfortunate, but my entire IT staff depends on ClickOnce deployment. We patched out the vulnerability and will re-enable the blocklist once these are removed.

  17. MOM2006 wrote on :

    It’s not the task of Mozilla to decide which software a user has to use.

    If Microsoft’s software is so terrible in your eyes, why don’t you use different software?

  18. Clubs wrote on :

    It is also “not the task” [sic] of Microsoft to decide what software a user has to use, but they took it upon themselves to stealth-install the add-on in the first place and, to add insult to injury, a security vulnerability was found in the software.

    Not that I care, I use Linux and OpenSolaris and I can’t help but feel a smug sense of satisfaction every time a problem with Microsoft software arises.

  19. naranha wrote on :

    @MOM2006: The problem is that most users won’t even know about this add-on. It’s installed automatically when installing the .NET Framework, which is needed for many modern applications.

    Besides that, blocklists with version numbers are definitely a good idea.

  20. Larry Seltzer wrote on :

    I don’t like the stealth installation that Microsoft did either, but the impact of it is being grossly exaggerated here and elsewhere. I mean you’re running Windows for chrissake! It’s not like avoiding these plugins will protect you from running Microsoft code.
