Mozilla blocks (then unblocks) dangerous MS .NET Firefox add-on

Summary: The move comes in the wake of an admission from Microsoft that the add-on was exposing users to drive-by malware downloads via a remote code execution vulnerability.

FINAL UPDATE: In the Threatpost podcast above, Mozilla's Mike Shaver explains what happened (.mp3)

[ UPDATE: Mozilla has now removed the extension from the blocklist after Microsoft clarified some information in its bulletin on how Firefox users were affected. I'll attempt to get to the bottom of what appears to be a case of miscommunication ]

Mozilla has added the Microsoft .NET Framework Assistant add-on to its blacklist, a move that effectively disables the dangerous extension and plug-in for all Firefox users.

The move comes in the wake of an admission from Microsoft that the add-on was exposing users to drive-by malware downloads via a remote code execution vulnerability.

[ SEE: Microsoft exposes Firefox users to drive-by malware downloads ]

Mozilla's Mike Shaver explains:

Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism. Microsoft agreed with the plan, and we put the blocklist entry live immediately. (Some users are already seeing it disabled, less than an hour after we added it!)

This Firefox add-on, which was added by Microsoft without the permission of end users, has been a source of controversy for months. It triggered a debate about whether vendors should add code to a rival browser without explicit disclosure -- and permission -- and prompted warnings about the security implications.

Those warnings became reality last week when Microsoft shipped a "critical" security bulletin with fixes for security problems in its own Internet Explorer browser -- a flaw that presented an attack vector on Firefox because of the controversial .NET Framework extension.

This is not the first time Mozilla has used its blocklist mechanism to kill problematic extensions.

In addition to Microsoft, the blocklist also includes add-ons from anti-virus vendor AVG, Yahoo and Apple.

Talkback

64 comments
  • Way to go!

    Mozilla foundation does not want its secure
    browser being exploited with the infamous
    IE welded in Windows.
    Linux distros are given more focus and companies
    are looking to these for replacing the aging
    lethargic Windows quagmire.
    Christian_<><
    • .net, not IE.

      This had nothing at all to do with Internet Explorer.
      rtk
      • Facts are meaningless to the OP

        Don't even bother.
        ejhonda
        • What is meaningless

          is the opinions, when the facts are obvious.

          Thankew!
          Ole Man
  • RE: Mozilla blocks dangerous MS .NET Firefox add-on

    If it had to be blacklisted or not I really don't care now. Implementing code without end user permission is enough reason. We all know MS ways so I am glad Mozilla people used this way and hope they keep doing it in the future. I wouldn't add MS stuff to my FF, at least not being sober.
    carloslorenzo
  • Mozilla blocked even though vulnerability had been patched

    Actually the add-on itself has no vulnerability. However it calls part of the .NET Framework that had a vulnerability. This vulnerability was fixed in last Tuesday's patchday.

    So since last Tuesday there was no longer a vulnerability for either IE or Firefox or any other plugin using this .NET framework element.

    But then a few days later Mozilla decides to go block the plugin. A useless move as updated Windows installations were already patched.
    And now Mozilla has finally grasped what actually happened on patchday and unblocked the plugin.

    Stupid.
    Poor communication and poor execution.

    It is
    IE11
    • However

      Like all plug-ins and add-ons, (yea even no-script) anything can either have a security flaw or vulnerability, especially in the case of those addons that can read and execute stuff from the internet. But this is true of every app from every vendor on every platform (yes including the mac and linux), for as long as there's an input from outside, then there's the possibility of a flaw.

      PS: I still am convinced that there is no OS that is immune to viruses/flaws/buffer overruns/trojans ...etc because I know better than to say: Oh that huge blob of code is actually secure.
      Ceridan
    • Actually...

      Mozilla had informed MS about what they were going to do and MS agreed with their strategy.

      Just because a patch has been issued doesn't mean that the issue has been resolved. The reason why Mozilla blocked WPF in the first place was to protect those whose PCs had not yet been patched. There's nothing stupid about that.
      eMJayy
    • RPN for posts?

      "And now Mozilla has finally grasped what actually happened on patchday and unblocked the plugin.

      Stupid.
      Poor communication and poor execution.

      It is "

      Is this an INTENTIONAL use of Reverse Polish Notation?
      loupgarous
  • WPF still blocked here.

    WPF still blocked here. Maybe I need to restart Firefox or something.
    CobraA1
  • RE: Mozilla blocks dangerous MS .NET Firefox add-on

    I also got the message from FF.
    I think this is correct because why should I want an add-on from which I don't know what it does and is installed in a sneaky manner.
    I think Microsoft has to explain this before and then ask me if I want to install these add-ons.
    m@...
  • I just deleted this whole thing from my system

    Nothing I use uses it.... period. I also looked to see
    if other programs used it..... none that I could find,
    and I spent about 2 hours searching the internet for
    programs that used this plugin.

    Microsoft needs to stop with the installation of
    unnecessary plugins into non-Microsoft browsers,
    especially things like this that no one really uses.

    Oh, and Silverlight........ fine in IE, DON'T WANT IT
    IN FIREFOX!
    Lerianis10
    • that's pretty smart, actually

      And thank you for letting us know your check
      that nothing uses it.

      I think the real point is that besides a
      dunderhead factor, what MS have proved over the
      years is that they simply can't be trusted with
      anything that has any kind of external activity
      or programming access.

      nv
      Narr vi
  • How dare they (MS)

    If I want my FF install changed, I certainly don't want it done by MS, especially without them even telling me.

    I thought this kind of thing was supposed to be illegal.
    TranMan
    • Where is the class-action lawsuit?

      What they did is very illegal, and they did it to millions of Firefox users. Why haven't they been taken to court over it yet?
      masonwheeler
      • What law

        I am curious about your statement that this is "very illegal." Under what law are third-party, non-disclosed (and potentially unwanted) software add-ons or integrations illegal? I was not aware that there is a body of law on this.
        emcauley
        • Re: what law

          It's a pretty clear-cut case of Computer Trespass, which is a crime in several states, including the one I live in.
          masonwheeler
          • Yeah, good luck with that.

            There's not a hint of "computer trespass" here.
            rtk
  • One of my machines was just blocked Mon AM

    My home machine blocked the MS addon on Friday, but my work PC blocked it Mon AM after being powered on. Maybe Mozilla hasn't unblocked it after all?
    ken@...