Mozilla blocks Microsoft Firefox plugin
By Stuart Turton
Posted on 19 Oct 2009 at 08:14
Mozilla has reversed its decision to block a Microsoft .Net plugin for Firefox, as a weekend security scare ends in confusion.
PC Pro staff noted over the weekend how Firefox was returning a message that the Microsoft .Net Framework Assistant add-on was "unstable or insecure."
The add-on is already a bone of contention among Firefox users, who found it had been installed automatically via Windows Update back in June. To make matters worse, it could only be uninstalled by editing the registry, a tricky proposition for many.
Last week, Microsoft announced the software contained a critical vulnerability that could allow users to hijack a PC. In reaction, Mozilla took the decision to add the software to its block list - used to prevent high-risk software being installed in Firefox.
"Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plug-in for all users via our blocklisting mechanism," says Mozilla's head of engineering, Mike Shaver.
However, come Sunday Mozilla had yanked the add-on from the block list, after Microsoft confirmed that it couldn't be exploited.
"We received confirmation from Microsoft this evening that the Framework Assistant add-on is not a mechanism for exploiting the vulnerabilities detailed in the earlier post, so we’ve removed it from the blocklist," notes Shaver. "As the blocklist update propagates to clients, the add-on should be re-enabled for users who had it previously enabled."
Unfortunately, Framework Assistant is only one part of the update, and the Windows Presentation Foundation plug-in remains blocked, with Shaver tweeting "this one is much more critical".
Ahh, that's what that was...
Thought it might have been just me. Glad to see it disabled though, unbelievable how MS install software/plugins without my explicit consent.
By mviracca on 19 Oct 2009
@mviracca
MS are far from the worst in this respect. Install Java runtime and it installs the Java Quick Starter Add-on. Do a default install of AVG, and it installs the Google toolbar. And these are just two examples that come to mind, there are more.
By rjp2000 on 19 Oct 2009
Why can't I make the decision?
Surely there should have been an option for me to decide whether I wanted the .NET Framework Assistant and the Presentation plug-in to be disabled or not?
I would have thought that the whole ethos of open-source was about being, ahem, open and not forcing people to do things. I've already got security software and Secunia Personal Software Inspector running to _hopefully_ check this sort of stuff and consider it bad practice to have several things trying to do the same job - not least because of the possible confusion. I've no issues with Mozilla warning me but not unilaterally disabling stuff. (NB to mviracca - Mozilla installed this and disabled the plugin without _my_ explicit consent either!)
ADDED TO WHICH... When I do Tools/Add-Ons/Plugins and try to get "More Information" about the disabled WPF PlugIn, it says "en-gb.www.mozilla.com:443 uses an invalid security certificate - this certificate is only valid for *.mozilla.com"
Physician - heal thyself!
By AdrianB on 19 Oct 2009