{"id":201,"date":"2009-10-16T21:00:38","date_gmt":"2009-10-17T04:00:38","guid":{"rendered":"http:\/\/blog.mozilla.org\/security\/?p=201"},"modified":"2009-10-18T18:39:46","modified_gmt":"2009-10-19T01:39:46","slug":"net-framework-assistant-blocked-to-disarm-security-vulnerability","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2009\/10\/16\/net-framework-assistant-blocked-to-disarm-security-vulnerability\/","title":{"rendered":".NET Framework Assistant Blocked to Disarm Security Vulnerability"},"content":{"rendered":"<p>Mike Shaver, Mozilla&#8217;s Vice President of Engineering <a href=\"http:\/\/shaver.off.net\/diary\/2009\/10\/16\/net-framework-assistant-blocked-to-disarm-security-vulnerability\/\">writes<\/a>:<\/p>\n<blockquote><p>I&#8217;ve previously posted about the <a href=\"http:\/\/shaver.off.net\/diary\/2009\/06\/02\/dealing-with-the-net-clickonce-add-on\/\">.NET Framework Assistant<\/a> add-on that was delivered via Windows Update earlier this year.  It&#8217;s recently surfaced that it has a <a href=\"http:\/\/shaver.off.net\/diary\/2009\/06\/02\/dealing-with-the-net-clickonce-add-on\/\">serious security vulnerability<\/a>, and Microsoft is recommending that all users disable the add-on.<\/p>\n<p>Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plugin for all users via our <a href=\"https:\/\/support.mozilla.com\/en-US\/kb\/Add-ons+Blocklist\">blocklisting mechanism<\/a>.  Microsoft agreed with the plan, and we put the blocklist entry live immediately.  (Some users are already seeing it disabled, less than an hour after we added it!)<\/p><\/blockquote>\n<p><strong>Update (Sunday Oct 18, 6:30pm PDT):<\/strong> Microsoft has now confirmed that the Framework Assistant add-on is not a vector for this attack, and we have removed the entry from the blocklist. We are also working on a mechanism to allow Firefox users to re-enable the WPF plugin ahead of its eventual removal from the blocklist. For more information, see Mike Shaver&#8217;s <a href=\"http:\/\/shaver.off.net\/diary\/2009\/10\/18\/update-net-framework-assistant-clickonce-support-unblocked\/\">latest blog post<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Mike Shaver, Mozilla&#8217;s Vice President of Engineering writes: I&#8217;ve previously posted about the .NET Framework Assistant add-on that was delivered via Windows Update earlier this year. It&#8217;s recently surfaced that &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2009\/10\/16\/net-framework-assistant-blocked-to-disarm-security-vulnerability\/\">Read more<\/a><\/p>\n","protected":false},"author":107,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[69,73],"tags":[],"coauthors":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>.NET Framework Assistant Blocked to Disarm Security Vulnerability - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2009\/10\/16\/net-framework-assistant-blocked-to-disarm-security-vulnerability\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Johnathan Nightingale\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2009\/10\/16\/net-framework-assistant-blocked-to-disarm-security-vulnerability\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2009\/10\/16\/net-framework-assistant-blocked-to-disarm-security-vulnerability\/\",\"name\":\".NET Framework Assistant Blocked to Disarm Security Vulnerability - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"datePublished\":\"2009-10-17T04:00:38+00:00\",\"dateModified\":\"2009-10-19T01:39:46+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/0fac3a8789f3a9867a034db23e22d21d\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2009\/10\/16\/net-framework-assistant-blocked-to-disarm-security-vulnerability\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2009\/10\/16\/net-framework-assistant-blocked-to-disarm-security-vulnerability\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2009\/10\/16\/net-framework-assistant-blocked-to-disarm-security-vulnerability\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\".NET Framework Assistant Blocked to Disarm Security Vulnerability\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/0fac3a8789f3a9867a034db23e22d21d\",\"name\":\"Johnathan Nightingale\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/a7045d6e4465774d94d0755aad2e257f\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/f1db41d9af38ab72e6716dbb616e1268?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/f1db41d9af38ab72e6716dbb616e1268?s=96&d=identicon&r=g\",\"caption\":\"Johnathan Nightingale\"},\"description\":\"Vice President of Firefox\",\"sameAs\":[\"http:\/\/blog.johnath.com\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":".NET Framework Assistant Blocked to Disarm Security Vulnerability - Mozilla Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2009\/10\/16\/net-framework-assistant-blocked-to-disarm-security-vulnerability\/","twitter_misc":{"Written by":"Johnathan Nightingale","Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2009\/10\/16\/net-framework-assistant-blocked-to-disarm-security-vulnerability\/","url":"https:\/\/blog.mozilla.org\/security\/2009\/10\/16\/net-framework-assistant-blocked-to-disarm-security-vulnerability\/","name":".NET Framework Assistant Blocked to Disarm Security Vulnerability - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"datePublished":"2009-10-17T04:00:38+00:00","dateModified":"2009-10-19T01:39:46+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/0fac3a8789f3a9867a034db23e22d21d"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2009\/10\/16\/net-framework-assistant-blocked-to-disarm-security-vulnerability\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2009\/10\/16\/net-framework-assistant-blocked-to-disarm-security-vulnerability\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2009\/10\/16\/net-framework-assistant-blocked-to-disarm-security-vulnerability\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":".NET Framework Assistant Blocked to Disarm Security Vulnerability"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/0fac3a8789f3a9867a034db23e22d21d","name":"Johnathan Nightingale","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/a7045d6e4465774d94d0755aad2e257f","url":"https:\/\/secure.gravatar.com\/avatar\/f1db41d9af38ab72e6716dbb616e1268?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f1db41d9af38ab72e6716dbb616e1268?s=96&d=identicon&r=g","caption":"Johnathan Nightingale"},"description":"Vice President of Firefox","sameAs":["http:\/\/blog.johnath.com"]}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/201"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/107"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=201"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/201\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=201"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=201"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=201"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=201"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}