.NET Framework Assistant Blocked to Disarm Security Vulnerability

Mike Shaver, Mozilla’s Vice President of Engineering, writes:

I’ve previously posted about the .NET Framework Assistant add-on that was delivered via Windows Update earlier this year. It’s recently surfaced that it has a serious security vulnerability, and Microsoft is recommending that all users disable the add-on.

Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism. Microsoft agreed with the plan, and we put the blocklist entry live immediately. (Some users are already seeing it disabled, less than an hour after we added it!)

Update (Sunday Oct 18, 6:30pm PDT): Microsoft has now confirmed that the Framework Assistant add-on is not a vector for this attack, and we have removed the entry from the blocklist. We are also working on a mechanism to allow Firefox users to re-enable the WPF plugin ahead of its eventual removal from the blocklist. For more information, see Mike Shaver’s latest blog post.

82 responses

  1. Pete wrote on :

    You did the right thing. Almost nobody needs this add-on; the few that do can probably turn it back on with the Nightly Tester Tools add-on on a fully patched Windows system. Complain to Microsoft about the vulnerability and not here. For the .0001% that need it, turning it off to protect the 99.999% that mostly don’t even know it was installed was the right thing to do.

    The bottom line is it’s BROKEN and has no business in Mozilla code. Even Microsoft agreed.

  2. dbmuse wrote on :

    I was able to delete it… oh happy day.

  3. Eric Stafford wrote on :

    To Mike Shaver:

    What happened to your collective ethics? Microsoft has become, in my constitutionally protected opinion, exactly like the over-reactive, paranoid and unscrupulous corporations of the past that become so big and oppressive that their missions became the destruction of competition rather than excellence.

  4. Vivek T. Mahadik wrote on :

    Thanks,

    Well done, Mozilla!!!
    After a long Diwali holiday, my computer started reporting the message that the Microsoft add-on is blocked.

    I permanently disabled ALL plugins and add-ons from Microsoft… till the problem is solved…

    Enjoy… Happy Diwali!!!

  5. Insano wrote on :

    How about adding functionality that allows the user to uninstall the plugin completely? I should be able to choose what plugins are installed.

  6. anonymous coward wrote on :

    I think this case just shows there is a weakness in the Firefox plugin installation system – MS shouldn’t be able to silently install their plugins in the first place.
    I think some startup check for new plugins, and a warning if they are found, would help, with the default state disabled. Then there would be no need to ban plugins at all.

  7. Chris wrote on :

    And this is why companies with a known reputation for writing buggy exploitable software shouldn’t force users to install buggy exploitable software.

  8. Tim wrote on :

    I didn’t know this feature existed until now. Also, “for your protection” sounds very draconian (especially as this was forced).

    The list was downloaded and the plugins were blocked before I knew about the configuration option mentioned in comment #25. Toggling it doesn’t make a difference to the plugins that are already disabled. I had to open the pluginreg.dat in the profile folder and edit the line that looks like:

    (large number)|1|20|$

    to

    |1|1|$

    to make it go back to normal.

  9. PC.Tech wrote on :

    This really smells rotten to the core.

    We choose Firefox to get the evil M$ crapola OUT of the browser experience, and now this collusion with them questions the security issues we expected to avoid – you are digging your own grave.


  10. chase wrote on :

    Great, ie is trying to infect ff

  11. Dewi Morgan wrote on :

    Critically, please make it so that MS and other malicious-but-trusted parties cannot easily-and-by-design install addons without user consent.

    If I’ve got java and javascript and flash turned off, that means I want *no scripting kthx*, not “no scripting unless MS decides to silently add in a new scripting javalike mechanism”.

    When I want good anonymity and security, I choose FF inside a virtual machine inside an encrypted container, because it does not have IE-style gaping MS-security-fissures. Letting them silently install a security-goatse of this scale entirely violates that.

  12. Dewi Morgan wrote on :

    When I went with Firefox, it was a vote against MS’ ability to make secure browsing apps.

    Allowing them to silently install insecure scripting engines into Firefox is… well, a real slap in the face for the people who thought they’d moved away from that.

  13. Chevy wrote on :

    WOW!
    That’s why I use linux….

  14. luminositee wrote on :

    Thanks for figuring this out–I noticed it in my add-ons awhile ago and couldn’t figure out how it had gotten there. After spending a bit of time trying to uninstall/disable it, I gave up (I love firefox, but I don’t know much more about computers than this: http://xkcd.com/627/). So, I’m really glad to finally know what’s going on with this app and how to uninstall it!

  15. freedom defence wrote on :

    I’m disappointed to have found out that Mozilla allowed these MS plugins to be installed in the first place, as this makes me question Firefox security, which I always trusted. I was happy with the action they took, but now I’m even more disappointed to find out they have taken the .NET Framework Assistant off the blocklist because Microsoft say it is safe.
    Well, sorry, I don’t believe this. I don’t trust Microsoft and their so-called experts. I believe it is a security risk and it should not be allowed to be automatically installed like that.
    What happened to freedom of choice?????????????
    The very browser I trusted for my security turns out to be just as vulnerable as any other browser.

  16. windoz wrote on :

    It is your system and it was part of a service pack. Funny how long it takes since the first install.

  17. komba wrote on :

    I like .NET, but its coding is too complicated, not user friendly.

  18. Chainsaw wrote on :

    It crashes every computer here at the university that runs Firefox. Continually. No special action, just use Firefox, browse some web pages, but don’t forget to save bookmarks regularly, because when it crashes, Firefox can’t recover anything. Thankfully, after a couple of these, Firefox figures it out and disables the damned thing. But only for that user, on that machine, and not permanently…

    When there’s functional Noscript and RemoveItPermanently addons for IE, I’ll consider switching.

    At this date, it BEHAVES like malware. So it should be blocked until it no longer does this.

    And the function it performs, is to make it easier to accidentally run untrusted apps off webpages by just clicking on them. Didn’t we just spend ten years trying to STOP browsers from doing this??? So the only way to REALLY make it not behave like malware is to disable the larger function that it is trying to assist…

  19. Daniel Veditz wrote on :

    Chainsaw: are you sure the crashes are due to this? WPF usage should be rare on the web, and a plugin isn’t even loaded unless we encounter content that requires it.
