.NET Framework Assistant Blocked to Disarm Security Vulnerability

Mike Shaver, Mozilla’s Vice President of Engineering, writes:

I’ve previously posted about the .NET Framework Assistant add-on that was delivered via Windows Update earlier this year. It’s recently surfaced that it has a serious security vulnerability, and Microsoft is recommending that all users disable the add-on.

Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism. Microsoft agreed with the plan, and we put the blocklist entry live immediately. (Some users are already seeing it disabled, less than an hour after we added it!)

Update (Sunday Oct 18, 6:30pm PDT): Microsoft has now confirmed that the Framework Assistant add-on is not a vector for this attack, and we have removed the entry from the blocklist. We are also working on a mechanism to allow Firefox users to re-enable the WPF plugin ahead of its eventual removal from the blocklist. For more information, see Mike Shaver’s latest blog post.

82 comments on “.NET Framework Assistant Blocked to Disarm Security Vulnerability”

  1. Anon wrote on

    I disabled these plugins the moment I noticed them due to the fear of security flaws and it seems that fear was entirely justified.

    Anyone who is using non-genuine Microsoft Windows with Firefox and who has installed “.net 3.5” will have these plugins and will not receive the Microsoft security update, so Mozilla is entirely right to block these plugins as they are dangerous and degrade the security of Firefox.

    Even though people should not be using non-genuine Windows, the fact is that millions are, and for the general benefit of all of us (e.g. not getting spam from botnets), Mozilla should do everything it can to ensure the overall security of the web, which is what it has done here by blocking these plugins.

    Keep up the great work guys!

  2. Tomas wrote on

    @MOM2006

    It is not Microsoft’s task either. I have never asked to install .NET assistant on my machine and I don’t use ClickOnce apps in Firefox. I’ve installed the .NET runtime because some software required it. That software is a standalone application and does not run in the browser.

    Microsoft installed browser extensions without warning and consent. They abused the browser’s features and tried to hide the installed extension from the end user. .NET plugins are malware. If you depend on them, shame on you.

  3. Casper Andersen wrote on

    I agree with Mozilla disabling add-ins that contain critical security flaws. Why does Mozilla not block Adobe, or Sun plugins? The security updates for Adobe, Sun and Microsoft are distributed in the same way, so why aren’t they treated equally?

  4. Tang YingRong wrote on

    Is there any way to enable it? Do I have rights to enable it?

  5. Jerome Haltom wrote on

    This is dumb. If I get into work tomorrow and none of our ClickOnce apps run, I’m going to have to walk around to over a hundred computers and remove Firefox. Yeah. Thanks, folks.

  6. Larry Seltzer wrote on

    Mike Shaver and I have been discussing this on Slashdot.

    http://tech.slashdot.org/comments.pl?sid=1408445&cid=29783553

  7. ant wrote on

    You shouldn’t block it, you should rip it out completely. I know Firefox is a browser and not an antivirus but you need to take a harder line against malware like this that infects the browser behind your back and has no uninstall button. I’ll be redirecting the infected UAs from my website to removal pages from now on.

  8. Mike wrote on

    MOM2006:

    It’s not Microsoft’s responsibility to install plugins into my browser that I didn’t ask for.

  9. virgil wrote on

    Thank you! I’ve stopped using Firefox lately because it was constantly freezing for ~20s or so, and I couldn’t find the root cause.
    After you disabled the WPF addon, all seems to have gone back to normal.
    I’m not even sure how/when I got it installed :(, but I’ll surely pay lots of attention to any MS addon in the future.

  10. Bob wrote on

    For those complaining they can’t use the M$ plug-in, read the comments, you’ll see post #25 from BRoper saying you can disable the blocking list in about:config. This block list is a feature, just like most things in FF, one that can be disabled.

  11. Fred wrote on

    Please implement a way to easily turn back on disabled add-ons. Kudos to you for determining something that wasn’t safe, and blocking it automatically. If I was testing this add-on, or another, I’d be pretty pissed right now.

    Don’t be the big brother you all are pretending to fight right now.

  12. hippiejake wrote on

    Oh, the irony. Just after Microsoft was bitching at Google for creating Chrome Frame, this hits.

    Now Mozilla just needs to create some BS plugin for Chrome and the circle will be complete. Really, why can’t they just stop fscking with each others’ products? [Particularly when it tends to break things.]

  13. Sammy wrote on

    This is a sad state of affairs. Microsoft (The home of bad code) sneak installs a plug-in. Now fanboys are complaining it’s disabled?
    If you love M$ so much, why not keep running IE? Oh, that’s right, it’s a disaster waiting to happen.

    Good going Mozilla!!!! Block all the M$ crap that self installs!

  14. Sammy wrote on

    @MOM2006

    It’s not the task from Microsoft to decide which software a user has to use, and sneak install plugins in other companies’ software.

    If Mozilla’s software is so terrible in your eyes, why don’t you use a different software? Why not use IE, and get loads of malware and viruses self installing? Oh wait, that’s a feature of M$.

  15. Dan wrote on

    Why bother with asking Microsoft? They didn’t ask me before installing this Firefox security hole on my system.

  16. blah wrote on

    Please permanently disable ALL plugins and addons from Microsoft. [edited to remove profanity -dveditz]

  17. Nik B. wrote on

    Justin wrote: “When it comes to security Microsoft has no idea what their doing.”

    Do the Debian guys know what they’re doing? Do the Mozilla guys know? What about Adobe? The Linux kernel team? All of them have had their share of critical vulnerabilities.

    And while we’re on the subject, do *YOU* have any idea when it comes to security? How many bugs do you get per 1M LOC, if you even write code? How many people are using your software and how much scrutiny has it undergone for security issues?

    Justin wrote: “The fundamental underlying structure of their software has to be the reason for all of the security problems their software has. They have 100 times more issues than most companys.”

    Even if it’s true that they have 100 times more issues than most “companys” (sic) you’re leaving out the very pertinent fact that they probably have about 100 times more code out there as well. That kind of puts things in a different perspective doesn’t it?

    Justin: “I have TRIED several times to remove this .NET framework before to no avail.”

    It took me all of 10 minutes. If you can’t uninstall it, you must either be computer illiterate or simply incompetent.

    Justin wrote: “Had this not been blocked by Mozilla, I GUARANTEE you the problems with stability and security would be forthcoming and exponential.”

    You GUARANTEE it? In all capital letters? Wow… You sold me. I’ll take 5 or whatever you’re selling. After all, if some guy named Justin who can’t uninstall the .NET framework from his computer GUARANTEES it, what else could I ask for?

    Justin wrote: “Not to mention Microsoft has just added another reason to be on my $hit list.”

    I’m sure Microsoft will send you a fruit-basket to make amends. After all, who wants to be on the ****-list of Justin, a guy who can’t uninstall the .NET framework from his computer.

    Justin wrote: “For all those having issues with .NET framework, I am sure there is an extension by someone other than Microsoft, that offers the same functionality with less BS.”

    But do you GUARANTEE it?

  18. InvadedPrivacy wrote on

    Since when is installing plugins to third party software something MS is allowed to do without permission?

    What other apps are MS allowed to covertly modify?

    Will MS bork my OpenOffice next by adding a great new .NET plugin?

    Is it only competing products that require a good .NET rogering?

    Hands off my computer MS. You are not welcome.

  19. Johnny Wishbone wrote on

    “Companies rely on clickonce”.

    How is the risk of using clickonce mitigated in these “many” companies?

    Surely they wouldn’t use a kludgy hammer like clickonce and have 12 year old kids on less than McDonald payrates installing it? So if clickonce fails you have an army of children and no apps? LOL, sucked in for being cheap sweatshop operators.

    No pity for companies that hang their hat on clickonce.

  20. Paul wrote on

    Please, for the love of god, NEVER allow Microsoft to install silent plugins into Firefox. Tell them that unless there is a massive, flashing bold warning saying nothing short of “Do you want to let Microsoft install IE into Firefox”, put them on a permaban list. Don’t bother asking them if you would let us ban your software, just don’t allow them to introduce massive security holes into your trusted software.
