Mozilla blocks (then unblocks) dangerous MS .NET Firefox add-on

The move comes in the wake of an admission from Microsoft that the add-on was exposing users to drive-by malware downloads via a remote code execution vulnerability.

FINAL UPDATE: In the Threatpost podcast above, Mozilla's Mike Shaver explains what happened (.mp3)

[ UPDATE: Mozilla has now removed the extension from the blocklist after Microsoft clarified some information in its bulletin on how Firefox users were affected.  I'll attempt to get to the bottom of what appears to be a case of miscommunication ]

Mozilla has added the Microsoft .NET Framework Assistant add-on to its blacklist, a move that effectively disables the dangerous extension and plug-in for all Firefox users.

The move comes in the wake of an admission from Microsoft that the add-on was exposing users to drive-by malware downloads via a remote code execution vulnerability.

[ SEE: Microsoft exposes Firefox users to drive-by malware downloads ]

Mozilla's Mike Shaver explains:

Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism. Microsoft agreed with the plan, and we put the blocklist entry live immediately. (Some users are already seeing it disabled, less than an hour after we added it!)

This Firefox add-on, which was added by Microsoft without the permission of end users, has been a source of controversy for months.  It triggered a debate about whether vendors should add code to a rival browser without explicit disclosure -- and permission -- and prompted warnings about the security implications.

Those warnings became reality last week when Microsoft shipped a "critical" security bulletin with fixes for security problems in its own Internet Explorer browser -- a flaw that presented an attack vector on Firefox because of the controversial .NET Framework extension.

This is not the first time Mozilla has used its blocklist mechanism to kill problematic extensions.

In addition to Microsoft, the blocklist also includes add-ons from anti-virus vendor AVG, Yahoo and Apple.

[ UPDATE: Mozilla has now removed the extension from the blocklist after Microsoft clarified some information in its bulletin on how Firefox users were affected.  I'll attempt to get to the bottom of what appears to be a case of miscommunication ]