Mozilla unblocks one sneaky Microsoft add-on
Second component to be unblocked within 48 hours, Mozilla's top engineer says
October 19, 2009 02:57 PM ETComputerworld - Mozilla has unblocked one of the two Microsoft-made add-ons that put Firefox users at risk from attack and will probably unblock the second in the next 48 hours, the company's head of engineering said today.
"We've unblocked the .NET Framework Assistant," said Mike Shaver, Mozilla's vice president of engineering, on Monday morning. Shaver was referring to one of the two Microsoft components that Mozilla automatically disabled late Friday after deciding it needed to protect Firefox users from a critical vulnerability Microsoft disclosed, and patched, last week. "We got confirmation from Microsoft over the weekend that the add-on wasn't a[n attack] vector for the vulnerability in question," said Shaver.
Late on Friday, Mozilla added .Net Framework Assistant and the accompanying Windows Presentation Foundation plug-in to its rarely-used blocking list, which then threw up a warning to users notifying them that the pair was being barred from Firefox.
Mozilla has also pushed out a change that will let users running Firefox 3.5 override the block, added Shaver. That change came out of discussions with enterprise Firefox users who said that they needed the two components to run their .NET-based software within the browser.
The block of Windows Presentation Foundation will likely be lifted in the next two days. "Microsoft is watching the patch deployment numbers, and sharing them with us," said Shaver. "At some point, we'll take the [Windows Presentation Foundation] plug-in off the blocker. I expect that to happen in the next 48 hours."
Last week, Microsoft's security team acknowledged that its software -- which had been silently installed in Firefox as far back as February 2009 -- contained a critical vulnerability that could be used by hackers to hijack Windows PCs through Firefox. The vulnerability also affected all versions of Internet Explorer (IE), including IE8.
However, the MS09-054 bulletin, which provided details on the vulnerability, said nothing about Firefox. Later last Tuesday, Microsoft expanded on MS09-054 in a blog post, and confirmed that Firefox users were in danger.
Microsoft maintained that Firefox users who applied the patches would be safe from attack, but Mozilla felt that was not enough. Friday, Shaver cited the severity of the vulnerability and the difficulty some users have had in removing Microsoft's software as Mozilla's reasons for engaging the blocking list.
Removing the Microsoft add-on and plug-in have been a contentious issue since Microsoft first slipped them into Firefox without users' permission last February as part of the .NET Framework 3.5 Service Pack 1 (SP1) update, which was delivered via Windows Update.
Users were also furious that the software was impossible to uninstall without editing the Windows registry. Later, Microsoft issued a follow-on update that made it possible to uninstall the components without a registry edit.
Firefox
Additional Resources



Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase.
White Papers & Webcasts
Death to PST Files
Download Now
The Tangled Web: Silent Threats & Invisible Enemies
Download Now
Tape Killed the IT Guy
Watch Now
Forrester Consulting Mobility Study: Taking Control of Enterprise Mobile Device Diversity
Download Now
BRM: What You Can Do To Reduce Risk In Challenging Times
Watch this webcast now!
What IT Must Do to Support Employee-Owned BlackBerry, iPhone and Android Mobile Devices
Download Now
Web 2.0, Social Media and the Dark Web - A Web Criminals Paradise?
In this discussion, learn about the challenges of protecting your users from the potentially unsafe content hidden in the "Dark Web".
eGuide: Enterprise Security
Smart Security Strategies for 2010. Read now!
Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...

