Mozilla has disabled a Microsoft add-on for Firefox called the .NET Framework Assistant, citing security problems. It says it will instead offer an override option to carry out the same task.
Mike Shaver, Mozilla's vice president of engineering, announced this step in his blog recently.
Shaver also said, "It's recently surfaced that it has a serious security vulnerability, and Microsoft is recommending that all users disable the add-on."
"Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plug-in for all users via our blocklisting mechanism. Microsoft agreed with the plan, and we put the blocklist entry live immediately," he added.
The .NET Framework Assistant add-on is used to install .NET applications automatically through Firefox using Microsoft's ClickOnce technology. It was installed automatically through Windows Update with the .NET Framework 3.5 Service Pack 1, without asking the user, so it posed a security threat to users. In addition, the new version of Firefox, Firefox 3.5, was not compatible with the add-on.
Shaver also said that the add-on was difficult for most users to deal with, as removing it initially required people to edit their Windows Registry, which is an arduous activity. So Mozilla took this step to protect users.
Justin Angel, a program manager at Microsoft, said, "When business users can't use their core business functionality--they uninstall stuff."
"We can't distinguish patched from unpatched, so we're blocking it while we sort that out," Shaver said previously in his blog.
About the patch work, Shaver said, "Pushing a change to our blocklist software that will let Firefox 3.5 users override the blocking of .NET FA/WPF plugin if they're patched."
He added, "We're still working on the blocklist tweaks to help enterprises override the blocking of the WPF plugin, stay tuned!"
Then Shaver clarified, "MSFT confirmed that the .NET Framework Assistant is not exploitable, so we've removed it from the blocklist; one down!"
"We're hard at work on improving the experience for (especially enterprise) users who wish to override the blocking of the WPF plugin before we remove it from the blocklist," Shaver said in his blog post.