/>
X
Innovation

Mozilla blocks (then unblocks) dangerous MS .NET Firefox add-on

The move comes in the wake of an admission from Microsoft that the add-on was exposing users to drive-by malware downloads via a remote code execution vulnerability.
Written by Ryan Naraine, Contributor on

FINAL UPDATE: In the Threatpost podcast above, Mozilla's Mike Shaver explains what happened (.mp3)

[ UPDATE: Mozilla has now removed the extension from the blocklist after Microsoft clarified some information in its bulletin on how Firefox users were affected.  I'll attempt to get to the bottom of what appears to be a case of miscommunication ]

Mozilla has added the Microsoft .NET Framework Assistant add-on to its blacklist, a move that effectively disables the dangerous extension and plug-in for all Firefox users.

The move comes in the wake of an admission from Microsoft that the add-on was exposing users to drive-by malware downloads via a remote code execution vulnerability.

[ SEE: Microsoft exposes Firefox users to drive-by malware downloads ]

Mozilla's Mike Shaver explains:

Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism. Microsoft agreed with the plan, and we put the blocklist entry live immediately. (Some users are already seeing it disabled, less than an hour after we added it!)

This Firefox add-on, which was added by Microsoft without the permission of end users, has been a source of controversy for months.  It triggered a debate about whether vendors should add code to a rival browser without explicit disclosure -- and permission -- and prompted warnings about the security implications.

Those warnings became reality last week when Microsoft shipped a "critical" security bulletin with fixes for security problems in its own Internet Explorer browser -- a flaw that presented an attack vector on Firefox because of the controversial .NET Framework extension.

This is not the first time Mozilla has used its blocklist mechanism to kill problematic extensions.

In addition to Microsoft, the blocklist also includes add-ons from anti-virus vendor AVG, Yahoo and Apple.

[ UPDATE: Mozilla has now removed the extension from the blocklist after Microsoft clarified some information in its bulletin on how Firefox users were affected.  I'll attempt to get to the bottom of what appears to be a case of miscommunication ]

Editorial standards

Related

The 16 best Cyber Monday deals under $30 still available
Amazon Fire TV Stick 4K

The 16 best Cyber Monday deals under $30 still available

Epson is going to stop selling laser printers. Here's why
piles-of-paper.jpg

Epson is going to stop selling laser printers. Here's why

Don't waste your money on these Apple products: December 2022 edition
Waiting in line for the Apple Store

Don't waste your money on these Apple products: December 2022 edition