Forgot your password?
typodupeerror
Mozilla Microsoft

Firefox Disables Microsoft .NET Addon 448

Posted by kdawson
from the with-their-consent-of-course dept.
ZosX writes "Around 11:45 PM Friday night, I was prompted by Firefox that it had disabled the addons that Microsoft has been including with .NET — specifically, the .NET Framework Assistant and the Windows Presentation Foundation. The popup announcing this said that the 'following addons have been known to cause stability or security issues with Firefox.' Thanks, Mozilla team, for hitting the kill switch and hopefully this will get Microsoft to release a patch sooner." Here's the Mozilla security blog entry announcing the block, which Mozilla implemented via its blocklisting mechanism.
This discussion has been archived. No new comments can be posted.

Firefox Disables Microsoft .NET Addon

Comments Filter:
  • Great (Score:3, Interesting)

    by sopssa (1498795) * <sopssa@email.com> on Sunday October 18, 2009 @07:06AM (#29783349) Journal

    All the addon did was to add a piece of text in useragent that told the website .NET version. How do you manage to fuck up that?

    • Re:Great (Score:5, Funny)

      by setagllib (753300) on Sunday October 18, 2009 @07:09AM (#29783357)

      Microsoft has put billions of dollars into developing the most effective and efficient security vulnerabilities to date. I can only watch in awe and wonder.

      • That issue is nothing (they asked for it in fact).

        The issue which should make to books about the tech irony is Virtual PC for Mac 7.x (if anyone uses, UPDATE!). MS found a theorotical (not sure) issue which Virtual PC's emulated X86/Hypervisor can MODIFY the OS X memory from "there".

        While they were decent to fix it very quickly and shipped an update (7.0.3) confusing Mac users, that is one big amazing issue for you. Imagine by running (emulating in fact) a Windows, you risk your OS X memory locations with o

      • by Anonymous Coward on Sunday October 18, 2009 @09:21AM (#29784043)
        Vulnerability to malware is very profitable for Microsoft and its main customers, computer manufacturers. When people have problems with their computer, they often buy a new computer. Then Microsoft sells another copy of Windows, which, of course, still has security risks. See the New York Times article Corrupted PC's Find New Home in the Dumpster [nytimes.com].

        Vulnerability is a business model for Microsoft, in my opinion and that of many people.

        But that doesn't explain everything about Microsoft's manner of doing business. Windows Vista was released against the wishes of some Microsoft managers [channelregister.co.uk]. Remember Windows ME and DOS 3.0 and DOS 4.0? The problems in those products made a huge amount of money for Microsoft. Because of the problems people migrated to the next version quickly, and paid the full price again. Releasing bad versions, apparently deliberately, is profitable when a company has a virtual monopoly and many buyers lack technical knowledge.

        But, as they say in late-night informercials, there's more. Windows XP had serious problems until the release of service pack 2, only four years ago. Maybe Windows XP SP2 could be called the first release version.

        Windows 7, apparently a small update to Vista that fixes the most annoying problems, allows no easy path to migrate from Windows XP. Anyone who doesn't want to re-install and re-configure all programs must migrate to Vista first, then to Windows 7, and pay the full price again for two versions, not just one.

        So, maybe just being evil is another part of Microsoft's business model.
    • by Ilgaz (86384) on Sunday October 18, 2009 @07:23AM (#29783417) Homepage

      While some slashdotters think otherwise, Java/Windows install base is huge thanks to couple of very popular apps and tiny games. Since companies these days looks for multi platform, multi arch; MS needed to show that their herd has been installed/infected by .NET too.

      So, they haxor the user agent to show that clueless CTO that their 90% of users have .NET so they should use it instead of massively multi platform Java.

      Anyway, as you see, karma is a real bitch and if Sun had a real management, they could milk this issue but... Lucky for MS, Sun is under auto pilot, even under Larry Ellison's Oracle.

    • Re:Great (Score:5, Informative)

      by The MAZZTer (911996) <.megazzt. .at. .gmail.com.> on Sunday October 18, 2009 @07:54AM (#29783555) Homepage
      There's actually a whole Firefox setting namespace devoted to bits of useragent to append, you don't even need a whole addon.
    • Re:Great (Score:5, Informative)

      by piripiri (1476949) on Sunday October 18, 2009 @09:09AM (#29783965) Journal
      It's not just a useragent string, but it allows remote code execution. https://bugzilla.mozilla.org/show_bug.cgi?id=522777 [mozilla.org]
    • Re:Great (Score:5, Informative)

      by wasabii (693236) on Sunday October 18, 2009 @09:49AM (#29784237)

      Not exactly. It also allows you to run .Net and WPF apps inline in the browser, hosting a CLR instance. Not to mention mapping the ClickOnce file type.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      because it lets you bring in the same .net vulnerabilities that IE has? Nobody asked for these to be brought into firefox. The issue is that they were installed without any confirmation. It was "installed for you".

      duh. Go home you fucking shill.

    • Re:Great (Score:5, Informative)

      by nmb3000 (741169) <nmb3000@that-google-mail-site.com> on Sunday October 18, 2009 @01:50PM (#29785821) Homepage Journal

      All the addon did was to add a piece of text in useragent that told the website .NET version. How do you manage to fuck up that?

      For anyone curious as to the real state of affairs behind this MS plugin issue, you might be interested in a few things. For everyone else just enjoying a good anti-Microsoft circle-jerk, ignore this post.

      The plugins being discussed do more than just change the User Agent of the browser. They allow for XAML applications [wikipedia.org] to run in Firefox and ClickOnce [wikipedia.org] program distribution. For everyone that normally cries about Microsoft pushing IE and trying to lock users into their browser, this is an attempt to allow people to use an alternative browser while still having access to their other Microsoft-centric technologies (.NET in this case). Isn't this a good thing?

      This is the bug [mozilla.org] in question. There is a lot of interesting comment there, including the fact that while everyone is crying about Microsoft "secretly" adding the plugin and preventing users from disabling it, Mozilla doesn't even give users an option to enable it! Their blocklist is all or nothing. Why doesn't that bother anyone here? One poster [mozilla.org] is very insightful:

      Many corporations have begun implementing Firefox and telling their users that it is an equally if not more capable but more secure browser. For a subset of those corporations, the action of removing necessary tech without consent or a secure method for re-enabling it will result in the removal of the browser from the system completely. It will be called a failed experiment. The following day, sys-admins around the world will be left explaining to the non-enthusiast employees that the reversal came because certain business apps would not function in FF. Those users will only hear that FF is not as capable.

      But perhaps the best thing about this entire issue, is that Mozilla didn't block the plugins until AFTER they were patched and the mechanism of the block is retarded. Mozilla is claiming [mozilla.com] that Microsoft agreed to issuing the block of the affected plugins, and that might be true, but only to an extent. Mozilla is currently blocking the plugins based on the name of the plugin, not the version, which means users who have installed the patched version of the plugs (at this point almost everyone using Windows Update) are still unable to use the plugins and have no way to re-enable them.

      So essentially, by issuing this patch, Mozilla is doing nothing but hurting its business customers. Slashdotters can scratch their heads trying to figure out who uses these technologies, but the answer is a lot of businesses do. This absolute, non-scriptable and non-changeable block of these plugins will just remind corporations that open source isn't ready for the big leagues and they should just stick with Microsoft and IE. The sad thing is that if this kind of knee-jerk, carte-blanche blocking behavior becomes the norm for Mozilla, they will probably be right! Taking this kind of control away from the users is simply unacceptable, doubly so for businesses.

      If you're wondering what MS says about this, you might take a look at this [technet.com]:

      First we'd like to make it clear that any customers that have applied the update associated with MS09-054 are protected, regardless of the attack vector. And most customers need not take any action as they'll receive this update automatically through Automatic Updates.

      So there it is -- pretty much everyone

      • Re:Great (Score:5, Insightful)

        by shentino (1139071) on Sunday October 18, 2009 @03:18PM (#29786511)

        I consider any plugin installed without my consent to be malicious, especially if it's a plugin FOR SOMEONE ELSE'S SOFTWARE.

      • Re:Great (Score:5, Informative)

        by Mike Shaver (7985) on Sunday October 18, 2009 @03:40PM (#29786719) Homepage

        There is no version difference for the plugin or add-on between patched and unpatched systems. That's one reason that this is so messy right now; if we had known about the Firefox aspect of the vulnerability before the SRD blog post, we would have suggested just that sort of version bump.

      • Re:Great (Score:4, Insightful)

        by Arker (91948) on Sunday October 18, 2009 @06:54PM (#29788119) Homepage

        The plugins being discussed do more than just change the User Agent of the browser. They allow for XAML applications to run in Firefox and ClickOnce program distribution. For everyone that normally cries about Microsoft pushing IE and trying to lock users into their browser, this is an attempt to allow people to use an alternative browser while still having access to their other Microsoft-centric technologies (.NET in this case). Isn't this a good thing?

        No, actually, it is not. Not at all a good thing, quite the opposite. If you are using firefox to run "content" via a closed, windows-only system like .net, you might as well be using IE. In fact that would be better - at least no one would be fooled into thinking they were writing something that would work on firefox when in fact it would only work on Windows/Firefox.

        There is a lot of interesting comment there, including the fact that while everyone is crying about Microsoft "secretly" adding the plugin and preventing users from disabling it, Mozilla doesn't even give users an option to enable it! Their blocklist is all or nothing. Why doesn't that bother anyone here?

        Because MS forced the plugin out without user consent and without even a disable option to begin with. Either of which is sufficient in and of itself to classify this bug as malware and remove it whenever encountered without further fuss.

        Taking this kind of control away from the users is simply unacceptable, doubly so for businesses.

        Oh, indeed it is. MS nonetheless has been doing it regularly for decades, and usually get away with it.

        Good to see Mozilla give them what they deserve, even if I do suspect astroturfers like you will wind up sadly blunting the impact as usual.

  • Oops (Score:4, Informative)

    by Mr_Silver (213637) on Sunday October 18, 2009 @07:13AM (#29783373)

    I just checked my addons and whilst I don't have the Microsoft addon, I do have an AVG one which is disabled. Clicking on the more information link (https://en-gb.www.mozilla.com/en-GB/blocklist/) presents me with a page that says:

    en-gb.www.mozilla.com uses an invalid security certificate.

    The certificate is only valid for *.mozilla.com.

    (Error code: ssl_error_bad_cert_domain)

    Whilst it is nice to see they've done it, it's a shame that they didn't test the end to end user flow.

    • Re: (Score:3, Insightful)

      by mwvdlee (775178)

      It's open source; you did the testing for them just then!

      Now if only reporting these types of issues could be done from within Firefox without having to jump through hoops.

  • Plugin-checker (Score:3, Interesting)

    by Norsefire (1494323) * on Sunday October 18, 2009 @07:14AM (#29783377) Journal
    The TFA makes a reference to Mozilla's new Plugin checker [mozilla.com]. I just went there with JavaScript disabled and ...

    You have JavaScript disabled or are using a browser without JavaScript. This Plugin Check page does not work without the awesome power of JavaScript. Please enable this Content Preference and reload the page. Or disable all your plugins and keep JavaScript disabled... you'd be in good company, that's how RMS rolls [lwn.net].

  • by cyclocommuter (762131) on Sunday October 18, 2009 @07:19AM (#29783399)
    I might be mistaken but don't these add-ons/plugins from Microsoft specifically allow certain web pages to render properly under Firefox which otherwise would have required users to run IE? If so Microsoft centric IT Enterprise users who have started using Firefox at work might revert back to IE. This might reduce the gains that Firefox has been achieving in Microsoft centric IT Enterprise shops.
    • by Antique Geekmeister (740220) on Sunday October 18, 2009 @07:38AM (#29783491)

      Oh, I think not. The "functionality" added is Windows specific. Websites _should not_ be OS specific. And Microsoft had _no business_ shoving their plug-in silently into Firefox. And most of all. .NET is now a security nightmare: Brian LaMacchia, one of the authors of ".NET Framework Security", resigned from .NET development rather than continue with it. (LaMacchia's career is fascinating: if you'd like to follow a trail of an expert engineer getting involved in projects that are doomed for mishandling security, perhaps in spite of his best efforts, check out his career.)

      • by gbjbaanb (229885) on Sunday October 18, 2009 @08:06AM (#29783615)

        Do you have a link for that? I'd be very interested to show more flaws in the design of .NET.

        I know Chris Brumme's excellent weblog [msdn.com] about the CLR has quite a few interesting things to say, and even more if you read between the lines in places, you know he wants to say "we screwed this up big time" and he does say that occasionally. With hindsight, they did make some technical mistakes - throwing objects instead of just exceptions, allowing .Net apps to run in IIS [msdn.com] at all, thinking GC would remove the need for reference counting [msdn.com], and several marketing mistakes - telling everyone exceptions were very inexpensive (I recall one particularly misinformed MS drone telling me exceptions were free because it was all handled by the CLR... d'oh)(read the blog)

        If ever there was an example of keeping it simple, .NET is it - as an example of what not to do. Hats off to Chris who I think is very intelligent and talented, but the scope and spec of what they asked of him was too awkward to make a perfect job of.

        • Re: (Score:3, Interesting)

          by ralphbecket (225429)

          The modern CLR seems fairly sensible to me; definitely several steps ahead of the JVM (e.g., compare how parametric polymorphism is handled).

          The article you link to on GC is an in-depth discussion on the cost of implementing finalisation in the GC. These problems are well known and, more to the point, are only some of the reasons why implicit (nondeterministic) finalisation is a Bad Thing. Reference counting memory allocators are much slower than mark-and-sweep memory management for most programs, mainly

        • Re: (Score:3, Interesting)

          If ever there was an example of keeping it simple, .NET is it - as an example of what not to do.

          I don't think the design goal of .NET was ever to "keep it single". It could be a lot simple if its design goals were like JVM - a VM specifically designed to run a single language that is very restrictive in terms of what one can do with it. .NET, however, was originally designed as VM for which you could write a full-featured ISO C++ compiler producing strictly bytecode (not necessarily verifiable - can't really do it with C++ - but 100% "managed"). Because of that, it's far more feature-rich than JVM fro

      • Re: (Score:3, Insightful)

        by EMN13 (11493)

        So your argument against the fact that a plugin replicating IE-specific tech for firefox doesn't matter in intranet environments is... ... that it's windows specific?

        Are you kidding?

      • Re: (Score:3, Interesting)

        by spikenerd (642677)
        I worked under Brian (bal) when he left .NET. He accepted a position as an architect in another division. I left a couple of years later (but that's another story--I'd love to tell it). It seemed to me at the time that he was just moving upward, not really taking a stand against Microsoft's bad practices. ...or maybe they were just really good at keeping those kind of things quiet. He was always too clear-headed to fully drink the MS kool-aid. Hmm. I suppose I could believe that they gagged him as part of t
    • by wasabii (693236)

      Yup. Basically. I'm going to be super pissed if I have to walk around to 100+ machines tomorrow morning and uninstall Firefox. Seriously. That'll be the end of that.

  • by Anonymous Coward on Sunday October 18, 2009 @07:20AM (#29783409)

    Microsoft has deservedly taken a LOT of sh*t for forcing this addon into Firefox unannounced - AND preventing you from disabling or uninstalling it - unless you yank it out of the registry. It's nice to see the Mozilla folks say "NOPE, you...'re NOT doing this to our browser, now get lost"

    • by sopssa (1498795) * <sopssa@email.com> on Sunday October 18, 2009 @07:38AM (#29783489) Journal

      It's nice to see the Mozilla folks say "NOPE, you...'re NOT doing this to our browser, now get lost"

      You seem quite lost. They're not blocking it for that reason, but because it had a security vulnerability.

      • Re: (Score:3, Insightful)

        Furthermore, Microsoft agreed with the plan of disabling it. (RTFA)
        So it's more like

        It's nice to see the Mozilla folks say
        Mozilla> "NOPE, you...'re NOT doing this to our browser, now get lost!".
        Mozilla> that is, if it is OK with you, Microsoft, we would like to temporarily disable the addon until you come up with a fix
        Microsoft> we see we get some bad press, so yeah, its OK
        Mozilla> Ooh thank you for talking with me
        FOSS people> Yeah, Mozilla, take them! M$ is buggy and insecure!

      • Re: (Score:3, Informative)

        by wasabii (693236)

        A vulnerability which has already been patched. I use this functionality on over 100+ machines at the office. I've already deployed the patch. As far as I can tell, there's no easy way for me to disable the block list. I'm going to get into work tomorrow and switch 100+ boxes back to IE, if they don't reverse it. And I won't be switching them back to FF.

  • by Gopal.V (532678) on Sunday October 18, 2009 @07:23AM (#29783415) Homepage Journal

    From the TFA, it is clear that Microsoft approves of this particular move. I quote

    It's recently surfaced that it has a serious security vulnerability, and Microsoft is recommending that all users disable the add-on.

    I mean, this damage control. But I think Firefox is doing the mature thing and doing it the right way. Because not everbody wants to read the MS KnowledgeBase article [microsoft.com] and implement it themselves. At least, not my mom.

  • by cheros (223479) on Sunday October 18, 2009 @07:34AM (#29783467)

    Yup, saw it happen too on a machine I don't use often in Windows (the ones with Windows only had this thing removed the moment it appeared).

    Now, the plugin was installed without consent, nor was there a way to remove it, and it exposed the end user to risk. Ergo, this plugin thus violates computing laws in most countries - if it's illegal for Sony to rootkit your system it should be illegal for MS to add something to software that it didn't make.

    I am thus quite surprised that I haven't heard any class action suits for this - I guess it's patch fatigue setting in..

    Anyone else an explanation why that plugin avoided legal consequences?

    • by Nuskrad (740518) on Sunday October 18, 2009 @08:06AM (#29783611)
      Was it without consent though? I'm sure it would have been buried in the small print somewhere when installing/updating the .Net framework.
      • by gbjbaanb (229885) on Sunday October 18, 2009 @08:13AM (#29783653)

        I'm sure whatever it was you installed from Sony that snuck the rootkit in had similar wording in its smallprint too.

        I guess its ok if MS does it, but not Sony?

  • by phozz bare (720522) on Sunday October 18, 2009 @07:34AM (#29783469)
    Last night I was browsing through the headlines on Slashdot's front page. At one point I came across the headline "Sneaky Microsoft Add-On Put Firefox Users At Risk" (story here [slashdot.org]). While I was reading the text underneath that headline, Firefox's prompt (indicating that it had detected the relevant plugin) popped up. It was so startling that I started wondering whether the browser was reading my mind! Weird stuff.
  • by Dark$ide (732508) on Sunday October 18, 2009 @07:37AM (#29783485) Journal
    For x86 machines, Go to the folder HKEY_LOCAL_MACHINE > SOFTWARE > Mozilla > Firefox > Extensions

    For x64 machines, Go to the folder HKEY_LOCAL_MACHINE > SOFTWARE > Wow6432Node > Mozilla > Firefox > Extensions

    Delete key name '{20a82645-c095-46ed-80e3-08825760534b}'

    • by Norsefire (1494323) * on Sunday October 18, 2009 @07:52AM (#29783545) Journal
      A friend had a problem with a CD burner app (Nero I think?) and asked me to take a look at it (they weren't too tech savvy). So I took a look and Googled the error and found that it was a problem with a registry key that would screw randomly. The fix was to delete it and if the error came back the fix was to change it to a specific value (which would cause nagging warnings but not make the program fail outright, so deleting it first was the better solution). So when I had fixed it I told him offhandedly, not expecting him to understand, that it was a problem with the registry and if it happens again to give me a call. So a week later he calls and says it had the same problem but I didn't need to come round because he had found a registry cleaner, for cheap, only $39.95... I never mention the word "registry" to non-tech people now.
    • by The MAZZTer (911996) <.megazzt. .at. .gmail.com.> on Sunday October 18, 2009 @07:59AM (#29783575) Homepage

      Only nukes the addon, the plugin is hiding in C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (and C:\WINDOWS\Microsoft.NET\Framework\v4.0.20506\WPF\NPWPF.dll if you have the .NET 4.0 beta).

      Remove HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@microsoft.com/WPF,version=3.5

      And HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@microsoft.com/WPF, version=4.0 if you have the 4.0 beta

    • by Sponge Bath (413667) on Sunday October 18, 2009 @09:41AM (#29784185)

      Delete key name '{20a82645-c095-46ed-80e3-08825760534b}'

      Be careful. If you accidentally delete key {20a82645-c095-46ed-80e3-08855760534b}, your machine explodes.

  • by moosesocks (264553) on Sunday October 18, 2009 @08:11AM (#29783651) Homepage

    Thanks, Mozilla team, for hitting the kill switch and hopefully this will get Microsoft to release a patch sooner."

    Imagine the shitstorm that would have erupted on /. if Microsoft or Apple hit the kill-switch on a vulnerable version of Firefox.

    That all said...I thought we were against kill-switches, and certainly wasn't aware that there were any built into Firefox...

    • Re: (Score:3, Insightful)

      by tokul (682258)

      Imagine the shitstorm that would have erupted on /. if Microsoft or Apple hit the kill-switch on a vulnerable version of Firefox.

      Bigger shitstorm than the one which happened when MS installed browser extensions without consent from end user?

      Company abused its position and put malware on users' machines. Good thing that Mozilla has some options to handle such behavior.

      • Re: (Score:3, Insightful)

        by arth1 (260657)

        Two wrongs doesn't make a right.

        Microsoft installing the plugin without the user's explicit concent, and no (easy) way to uninstall was, indeed, wrong.
        But Mozilla unilaterally disabling it on the users' machines without an option not to is wrong too.

        What about those who have:

        1. Started depending on the functionality of the plugin, and
        2. Patched the vulnerability

        What they see is that Mozilla goes in and deletes functionality on their machines. From a logical point of view, it's no better than, say, Amazon going i

        • by Dreadneck (982170) on Sunday October 18, 2009 @12:02PM (#29785045)

          Forget about the names involved and examine the situation more closely. A company took it upon itself to introduce an unknown security risk into a competitor's product by way of a stealth install. Said company further complicated the matter by making it next to impossible for average users to uninstall - provided they even became aware of the issue - and compounded it even further by having subsequent updates reinstall the software by stealth again.

          I think that given this situation Mozilla did the right thing. Until Microsoft learns to work above board where Firefox plugins are concerned, Mozilla can and should disable them. It would be nice in the future if Mozilla offered users the option - and I think they will - to retain use of a plugin after being told it poses a security risk, but the only action I see in need of correction at the moment is for Microsoft to ask users explicitly for permission to install an add-on to non-Microsoft software on a system.

    • by Mike Shaver (7985) on Sunday October 18, 2009 @08:42AM (#29783813) Homepage
      If Microsoft or Apple asked us about such a kill-switch for a version of Firefox that we put onto their users' systems via a security update, and we agreed that it was the right thing to do, I would hope there wouldn't be a shitstorm at all.
    • by jmv (93421) on Sunday October 18, 2009 @08:50AM (#29783857) Homepage

      If Mozilla had been installing Firefox without the users' consent and prevented the same users from uninstalling it, then yes, Microsoft would have been justified to hit the kill switch. The same way, if it was just a regular Firefox Addon that MS distributed (that the user explicitly installs and can uninstall at any time), I doubt Mozilla would have made a fuss about it.

    • Re: (Score:3, Informative)

      by noundi (1044080)

      Thanks, Mozilla team, for hitting the kill switch and hopefully this will get Microsoft to release a patch sooner."

      Imagine the shitstorm that would have erupted on /. if Microsoft or Apple hit the kill-switch on a vulnerable version of Firefox.

      That all said...I thought we were against kill-switches, and certainly wasn't aware that there were any built into Firefox...

      Well, since you asked I'll describe the order of priorities of what we are against:

      1. Installing software without our consent, that includes sneaking in software in methods that classify as "gray zones". The ask.com bar is a good example of this, and also the .NET framework.
      2. Kill-switches

      So you see, as described above, the installation of such applications is far more dangerous than the kill-switch. Also since this kill-switch can be turned off. If you don't think MS did anything wrong, th

  • by Winckle (870180) <mark@[ ]ckle.co.uk ['win' in gap]> on Sunday October 18, 2009 @08:30AM (#29783729) Homepage

    I like to play games through http://2dfighter.com/default.aspx [2dfighter.com] and this extension let me do so through firefox, now I can't reactivate it at all, and I can't install a new version because it's been removed from the website. Thanks Mozilla, now I have to go back to IE to use 2df.

    • Re: (Score:3, Insightful)

      by Fantastic Lad (198284)

      Lessee. . . By default a secure browser for a few hundred thousand users who didn't want an invasive add-on in the first place or. . , your ability to play video games.

      You know, there are some other fun websites out there which will also try to trick you into installing malware. You might enjoy visiting those as well. --Hey, they even have boobies!

      -FL

      • Re: (Score:3, Interesting)

        by Winckle (870180)

        Hey I agree with it not being installed by default, but I can't install it at all.

    • by Dreadneck (982170) on Sunday October 18, 2009 @09:02AM (#29783921)
      If you go to about:config in firefox and toggle the value of extensions.blocklist.enabled from true to false and restart firefox then the plugins will work.
  • by Mad Hamster (870092) on Sunday October 18, 2009 @08:32AM (#29783743)
    After last Patch Tuesday (yes, this is a confession I do have some Windows boxes), Firefox on my systems developed an issue with pages displaying in sort of a text-only mode when using the Refresh button(1). Page load times were also longer than usual. Those issues disappeared immediately once Mozilla's block of the .NET addon & the WPF plugin arrived.

    This taken together with the fact that Microsoft appears to have patched the vulnerabilities before Mozilla put the block in effect makes me wonder if there are bits of the story which have not been made public.

    After all the vulnerability has been known to Microsoft for severeal motbhs, but kept secret until they released a patch. Of course it could just be Mozilla reacting to being kept in the dark about the vulnerability.

    (1) Well I also run NoScript, so it may be there was a conflict of some kind with that vs. the Microsoft thingies.
  • Outrage (Score:3, Insightful)

    by windex82 (696915) on Sunday October 18, 2009 @08:38AM (#29783779) Homepage

    Wheres the outrage from the users who always have a huge bitch when other "more evil" companies disable something on your system automaticall?

  • by wigle (676212) on Sunday October 18, 2009 @08:39AM (#29783793)
    They should also disable the Adobe Download Manager (Adobe DLM). For any of you that have downloaded Adobe Reader 9 (with Firefox) recently, you would have noticed that they make you install a Firefox add-on instead of just linking you to the binary.

    It's proprietary and full of ads! Just what I wanted, an extension that checks for updates of my Adobe Reader software. Uninstalled. The Firefox team should send a message. Firefox add-ons are not yours to take over like the Windows startup.

    • Re: (Score:3, Informative)

      by socsoc (1116769)
      Just click the "if your download doesn't start, click here" link. It's worked for me in both FF and IE
  • by Dwedit (232252) on Sunday October 18, 2009 @09:42AM (#29784199) Homepage

    Is there any software which actually uses these .NET Helper and Windows Presentation Foundation plugins? Do these expose an API to let javascript code interact with the .NET framework or something? Do they let people write Firefox extensions in a .NET language? Do they let specially crafted Microsoft websites run .NET code in Firefox?

    If users have nothing to gain from these plugins, then there is no reason they should exist.

  • by uuddlrlrab (1617237) on Sunday October 18, 2009 @11:58AM (#29785021)
    Though it has been exhaustively stated already, it bears repeating...so I'll repeat it: the .NET plugin or extension (whatever it is) does not allow users to disable or uninstall it via normal interfaces. Basically, without Mozilla's patch, you have to do some file system & registry spelunking to close this breach; like someone mentioned, that's not something the average user is going to look forward to, and for many is far beyond their scope of capabilities. To my knowledge, no other plugin or extension exhibits this bad behavior, nor are they foisted on the user via sleight-of-hand as a "security update." Furthermore, to those who balk that Mozilla can't differentiate between unpatched and patched versions, once again, this plugin came from MS. If it's their plugin for their .NET framework, that is exclusive to their OS, wouldn't that sort of make it their responsibility to have it include version info, or some way to check, via the filesystem or registry details, the .NET file version numbers/installed ver info and report it back to firefox? Hell, wouldn't it be on them to ask the user if they want to install it, along with making it fully removable in the first place? How, precisely, should Mozilla, an entirely separate org who I don't imagine ever anticipated having such a wonky problem be created for their browser's extensions, handle this, if not via the patch they released? Why is everyone defending Bill & Steve?

    I think this was a real fumble for MS, and Mozilla took steps to prevent critical problems--don't know about the best steps, but at least they were quick to action. Imagine if this had not been done, and exploits for the problem started popping up like wildfire, or widespread browser/OS crashes became common; how many users would firefox lose, due to a problem entirely of someone else's making? Let's not get confused over who's the bad guy. MS has the most to gain from any perceived flaws in a competing product, and their track record isn't exactly one that shows overwhelming care and concern for the end user. Even if not malicious, and chances are it's not, it still is another mark of incompetence on the overall company that they're releasing flawed software and forgetting courtesies like asking the user if they actually want the changes, not to mention not allowing them to revert it without 'popping the hood'.
  • by fluffy99 (870997) on Sunday October 18, 2009 @12:52PM (#29785397)

    Given all the past fuss about Amazon, Apple, and Microsoft to have the ability to remotely disable features, software or addons it's suddenly not an issue that Firefox has the capability of pushing changes? While I think the Firefox devs gave some serious thought before throwing this switch, I don't think this is a no-brainer. What about environments where they need the .net add-on? Are they forced to go back to using IE? Do you see Microsoft disabling the old versions of Firefox or Adobe Flash?

    If you want to read a mix of retarded, informative, and stupid comments have a look at the bug report https://bugzilla.mozilla.org/show_bug.cgi?id=522777 [mozilla.org]. For example - "Firefox shouldn't have to rely on IE patches for security" - this is not related to IE. It also seems to be political as they have no interest in determining if they have the .net update that negates the vulnerability (the vulnerability is not in the firefox add-on, its in .net which becomes accessible from within Firefox if the addon is enabled).

    • Re: (Score:3, Informative)

      by Mike Shaver (7985)

      We have interest in determining if the Firefox user in question has applied the IE patch in question, but we do not have the means.

      It is related to IE, because the patch in question is explicitly labelled as affecting Internet Explorer, and makes no mention of the fact that it can impact Firefox users who have not gone out of their way to disable part of .NET Framework 3.5 SP1. (That's one of the things we're working on getting fixed, as it happens.)

  • by Nom du Keyboard (633989) on Sunday October 18, 2009 @03:55PM (#29786853)
    The real question is: what took them so long?

In order to get a loan you must first prove you don't need it.

Working...