Mozilla Unblocks Microsoft's .NET Addon
275
Posted
by
CmdrTaco
from the tag-yer-it dept.
from the tag-yer-it dept.
bonch writes "Mozilla previously blocked the Firefox addons Microsoft included with .NET, citing security concerns. After talking with Microsoft, they have now unblocked the .NET Framework Assistant addon and are working on a way for enterprise users to unblock the Windows Presentation Foundation addon as well."
Microsoft's updated advisory (Score:5, Informative)
MS09-054 [microsoft.com]
FAQ for HTML Component Handling Vulnerability - CVE-2009-2529
If I use Firefox, which Internet Explorer update do I need to
install?
If a computer system is configured for Automatic Update, the
correct update will be downloaded and made available for installation depending
on the Automatic Update configuration. In the event that a computer system is
not configured for Automatic Update, users should verify which version of the
Windows operating system and Internet Explorer is on their system and download
the appropriate update.
If I install this security update, do I need to disable the Windows
Presentation Foundation Plug-in in Firefox to be protected from this
vulnerability?
No. Customers who have installed the security updates
associated with this security bulletin are protected from this
vulnerability.
If I have not yet applied this security update, how do I disable the
Windows Presentation Foundation plug-in in Firefox?
If you have not yet
applied this update, you can disable the Windows Presentation Foundation plug-in
in Firefox to block this vulnerability. To do this, launch the Firefox browser,
select the Tools pull-down menu, and then click Add-ons. Select
the Plugins icon at the top of the Add-ons window. In the list of
Plugins, select Windows Presentation Foundation 3.5.30729.1 and click
Disable.
If I uninstall the .NET Framework Assistant extension, does it disable or .NET .NET Framework Assistant and
remove the Windows Presentation Foundation plug-in?
If the
Framework Assistant extension is uninstalled it does not disable or remove the
Windows Presentation Foundation plug-in. The
Windows Presentation Foundation plug-in are controlled through different screens
in the Firefox Add-ons management window.
Re:Still can't uninstall? (Score:5, Informative)
Oh come on. As anyone who's following this story is aware, Mozilla has an "approved" method of installing plugins without using the add-ons panel [mozilla.org]. So pick your bone with them.
Re:Still can't uninstall? (Score:5, Informative)
Is this a failed attempt at trolling?
It's a PLUGIN, not an ADD-ON. There is no way to uninstall ANY Plugins in Firefox. You can disable Add-Ons, you can uninstall Add-Ons and you can disable Plugins. But you cannot uninstall Plugins from within Firefox. Firefox simply loads all files in a specific Internet Plugins folder (not a Firefox-only plugin folder) and if it detects a plugin, it uses it.
Delete the file and you're good to go.
Re:Still can't uninstall? (Score:5, Informative)
It can, however, be removed via the package manager.
Can the .NET addon be removed at all, without hacking the registry?
No, using the package manager is not even remotely comparable to hacking the registry.
Re:Isn't this a good thing? (Score:5, Informative)
Microsoft forcibly installed said plug-in, and prevented its removal.
The first statement is debatable, since the plugin is a part of the .NET Framework, and people can choose not to install the .NET Framework — although I realize newer versions of Windows have it preinstalled, so there's less of a choice there, which is why I say it's debatable.
However, the second statement is just wrong. It's not Microsoft who prevented removal of the plugin, it's Mozilla. Firefox does not provide a mechanism for removing any plugins.
Re:Still can't uninstall? (Score:2, Informative)
I can't comment on MS's plugin because I don't know how it works, but Firefox does support extensions which are not displayed to the user. If they are installed in locations besides the profile directory (ie are not a normal extension a user chooses to install). I don't think Mozilla's policy is quite that clear cut about when you should or shouldn't make something viewable by the user.
https://developer.mozilla.org/en/Install_Manifests#hidden [mozilla.org]
"hidden
Firefox 1.0 - 3.5 A boolean value that when true makes the add-on not show up in the add-ons list, provided the add-on is installed in a restricted access area (so it does not work for add-ons installed in the profile). This is for bundling integration hooks to larger applications where having an entry in the Extensions list does not make sense."
The real FAQ (Frequently Asked Question... (Score:4, Informative)
Why did it take 7 long months for Microsoft to issue this patch? Fixes using Registry hacking were available on theweb immediately then...
Re:Shit! (Score:5, Informative)
Re:.NET comes preinstalled (Score:1, Informative)
It's not added in. It's part of Windows 7. It's a part of a service pack to stock Vista. It's part of a service pack to an add-on to XP.
Thus, it's now standard in Windows.
Re:Still can't uninstall? (Score:3, Informative)
Note that that one's bundled with the Launchpad package. I downloaded the binaries directly from Mozilla to get the Minefield trunk, and I see no Ubuntu addon listed in there.
In this case, MS added the plugin to the self-installed version of Firefox, not a version of Firefox they distributed (not that they'd likely be able to cut a branding agreement the way Ubuntu did, so MS would have to distribute it under a different name).
Re:Why is everyone targeting MS on here? (Score:4, Informative)
Simply enter the address 'about:config' and then do a search for blocklist.
There, you'll see a setting called 'extensions.blocklist.enabled'. Set it to False if you don't want Mozilla to decide what plugins/add-ons you shouldn't use. Restart Firefox after making changes to take effect.
Sure it isn't obvious for majority of users, but then again on Windows it isn't obvious what registry entries to hack in order resolve issues either. Firefox does have its own (evil?) registry too.
You don't know what you're talking about (Score:3, Informative)
"MS forced everybody to adopt it by simply dropping support for all other development technologies."
No. You can still use the Win32 API, MFC, ATL, WMI, vbscript, jscript etc.
Re:Question is... (Score:3, Informative)
Will they allow users to uninstall it normally at any point?
Uninstall has been enabled for several months now. There had been a /. story [slashdot.org] about that
Re:Isn't this a good thing? (Score:3, Informative)
Except Java and Acrobat ask me if I want to install Firefox plugins during install.
Except they do not.
In fact, Java, at least, also does a system-wide plugin install [mozillazine.org], meaning that it cannot be uninstalled from Firefox extension manager; not sure about Adobe Reader, but I think it does that too.
Re:Still can't uninstall? (Score:4, Informative)
Actually, the most recent version (not sure of the number) has the normal Uninstall button enabled, and overall it seems to be behaving pretty well.
Re:Still can't uninstall? (Score:3, Informative)
Plugins are add-ons in the Mozilla universe. The term "add-on" is used by Mozilla to mean extensions, themes, and plugins. Saying "plugin" instead is merely being more specific as to what type of add-on is being discussed.
Re:Microsoft's updated advisory (Score:3, Informative)
The was dome debate on Mozillazine and probably a bug or two submitted to create a proper UI for this stuff and have a way of blocking new plugins, but the devs seem to be ignoring it for now. The have made a schoolboy error here - trying to blacklist all "bad" plugins instead of just having a UI and allowing the user to whitelist plugins as they see fit.
According to the (very long!) discussion [mozilla.org] on the bug in question, Mozilla is working on such a UI.