Firefox team unnecessarily blocks add-ons, breaks ClickOnce

Saturday, October 17, 2009 2:49 pm
By George Roberts | Internet Security, My Twist

On 16 October 2009, the Mozilla Firefox team decided to issue a “block” for the Windows Presentation Foundation plugin and the Microsoft .NET Framework Assistant extension for Firefox, citing reports of a vulnerability in the Windows Presentation Foundation (WPF) hosting process. The vulnerability is not in the two add-ons themselves but in an underlying .NET library they rely on; the add-ons merely expose Firefox to it.

Where the story gets interesting is that the patch for this vulnerability (MS09-054) was delivered via Windows Update by Microsoft on 14 October 2009. So, two days after the fix had gone out through automatic updates, Mozilla decided it would be a good idea to disable these add-ons. Unfortunately, the blocklist mechanism Mozilla has built into Firefox gives the user no way to override an individual block; the only recourse is to turn blocklisting off entirely, which drops the protection for every other blocked add-on as well.
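To make the mechanics concrete, here is a small Python model of how a version-range blocklist decides an add-on's fate. It is an illustration added to this post, not Mozilla's code: the XML is a constructed sample in the shape of Firefox's blocklist.xml with made-up IDs, names and ranges (the real entries for the .NET Framework Assistant and the WPF plugin are not reproduced), the `enabled` flag stands in for the about:config preference `extensions.blocklist.enabled`, and the version compare is a simplified dotted-integer compare rather than Mozilla's full toolkit version format. What it shows is the point the quoted Bugzilla reply below turns on: the blocklist keys on the add-on's version string, which an OS-level patch such as MS09-054 does not change, so the only things that lift a block are a new add-on version outside the range, an updated blocklist entry, or the user switching the blocklist off altogether.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Firefox's blocklist.xml.
NS = {"bl": "http://www.mozilla.org/2006/addons-blocklist"}

# Constructed sample in the shape of blocklist.xml. The IDs, names and
# version ranges are made up for illustration; they are not Mozilla's
# real entries for the .NET Framework Assistant or the WPF plugin.
SAMPLE_BLOCKLIST = """<?xml version="1.0"?>
<blocklist xmlns="http://www.mozilla.org/2006/addons-blocklist">
  <emItems>
    <emItem id="example-assistant@example.invalid">
      <versionRange minVersion="0" maxVersion="1.1"/>
    </emItem>
  </emItems>
  <pluginItems>
    <pluginItem>
      <match name="name" exp="^Example Presentation Plugin"/>
      <versionRange minVersion="0" maxVersion="*"/>
    </pluginItem>
  </pluginItems>
</blocklist>
"""


def _version_key(version):
    """Simplified compare key: dotted integers padded to 4 parts; '*' is unbounded.
    Mozilla's real toolkit version format also allows letters and '+', which
    this deliberately ignores."""
    if version == "*":
        return (float("inf"),)
    parts = tuple(int(p) for p in version.split("."))
    return parts + (0,) * (4 - len(parts))


def in_range(version, min_version, max_version):
    """True if version lies within [min_version, max_version] inclusive."""
    return _version_key(min_version) <= _version_key(version) <= _version_key(max_version)


def _ranges(node):
    return [(r.get("minVersion", "0"), r.get("maxVersion", "*"))
            for r in node.findall("bl:versionRange", NS)]


class Blocklist:
    def __init__(self, xml_text, enabled=True):
        # `enabled` models the extensions.blocklist.enabled preference:
        # the only user-side switch, and it is all-or-nothing.
        self.enabled = enabled
        root = ET.fromstring(xml_text)
        self.extensions = {item.get("id"): _ranges(item)
                           for item in root.findall("bl:emItems/bl:emItem", NS)}
        self.plugins = []
        for item in root.findall("bl:pluginItems/bl:pluginItem", NS):
            matches = [(m.get("name"), re.compile(m.get("exp")))
                       for m in item.findall("bl:match", NS)]
            self.plugins.append((matches, _ranges(item)))

    def extension_blocked(self, addon_id, version):
        """An extension is blocked purely on (id, version): nothing about the
        host OS, including whether MS09-054 is installed, enters the decision."""
        if not self.enabled:
            return False
        return any(in_range(version, lo, hi) for lo, hi in self.extensions.get(addon_id, []))

    def plugin_blocked(self, plugin):
        """plugin: dict with 'name', 'filename', 'description', 'version'.
        Every <match> regex must hit, then the version must fall in a range."""
        if not self.enabled:
            return False
        for matches, ranges in self.plugins:
            if all(rx.search(plugin.get(field, "")) for field, rx in matches) and \
               any(in_range(plugin["version"], lo, hi) for lo, hi in ranges):
                return True
        return False


def demo():
    """Walk through the situations in the post and return the outcome of each."""
    bl = Blocklist(SAMPLE_BLOCKLIST)
    ext_id = "example-assistant@example.invalid"
    plugin = {"name": "Example Presentation Plugin", "filename": "npexample.dll",
              "description": "constructed sample", "version": "3.5"}
    return {
        # The shipped version is inside the range, so it is blocked...
        "shipped_version_blocked": bl.extension_blocked(ext_id, "1.1"),
        # ...and applying an OS patch changes nothing the blocklist can see:
        # the add-on still reports the same version string.
        "same_version_after_os_patch": bl.extension_blocked(ext_id, "1.1"),
        # A new add-on version above maxVersion escapes the range.
        "new_version_blocked": bl.extension_blocked(ext_id, "1.2"),
        # Disabling the blocklist lifts every block, not just this one.
        "blocked_with_blocklist_off": Blocklist(SAMPLE_BLOCKLIST, enabled=False)
                                      .extension_blocked(ext_id, "1.1"),
        # The plugin entry matches on name with an open-ended range.
        "plugin_blocked": bl.plugin_blocked(plugin),
    }


if __name__ == "__main__":
    for case, blocked in demo().items():
        print(f"{case}: {'BLOCKED' if blocked else 'allowed'}")
```

Run it and the second and third cases are the crux: the same version string gives the same answer before and after the OS patch, while a bumped add-on version walks out of the range. That is why "ship a new version" is the answer Mozilla gives, and why a user with a patched system has no finer-grained switch than the global one.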

When this was raised on the Bugzilla thread for the issue, the team members responsible for the block said, in essence, that they do not plan to remove it. That leaves the thousands of developers who use ClickOnce to distribute their software unable to deliver it effectively to Firefox users.

“Updates are not magic. Some people have them now; some don’t. If it’s not 100% then it’s vulnerable and hence the block. If a version that is 100% (preferably with user permission) were put out then that could be allowed, as already stated,” stated Dave Garret. “Fundamentally, Microsoft introduced a security risk into Firefox with these add-ons. That risk came to fruition and thus Mozilla closed the risk entirely.”

Although the issue was not with the add-ons themselves, the Mozilla team apparently is refusing to unblock them until new versions of the add-ons are released that are not vulnerable.  The funny thing is, the current versions of the add-ons are not vulnerable.  It seems as though the few people who are making the decision about this block may have decided to take advantage of this opportunity to block a set of add-ons that have been controversial.

This is bad news for software developers and the many enterprises that use ClickOnce to deliver applications to their users. It’s especially bad news for Mozilla, in my opinion, because if this block isn’t removed, the enterprise IT organizations that managed to get Firefox approved as their standard browser may be forced to switch back to Internet Explorer.

Hopefully someone with some sense will step in and realize that this block needs to be removed.

More information:
http://csharpner.blogspot.com/2009/10/firefox-has-determined-that-following.html


8 Responses to “Firefox team unnecessarily blocks add-ons, breaks ClickOnce”

  1. Tweets that mention Twist: on Tech » Firefox team unnecessarily blocks add-ons, breaks ClickOnce -- Topsy.com says:

    October 17th, 2009 at 3:09 pm

    [...] This post was mentioned on Twitter by George Roberts and George Roberts, George Roberts. George Roberts said: Firefox team unnecessarily blocks add-ons, breaks ClickOnce http://ff.im/-a1yDN [...]

  2. Christopher Blizzard says:

    October 17th, 2009 at 3:50 pm

    George -

    Just to be 100% clear on this we didn’t blocklist this plugin because we think it’s “controversial” as you put it. We put it out because there are drive-by vulnerabilities in the wild that are affecting people. We also worked in concert with Microsoft before doing this – they were aware of it and agreed that we should do it.

  3. Twitted by davux says:

    October 17th, 2009 at 4:59 pm

    [...] This post was Twitted by davux [...]

  4. Bob says:

    October 17th, 2009 at 5:03 pm

  5. pchelptech says:

    October 17th, 2009 at 6:11 pm

    “The funny thing is, the current versions of the add-ons are not vulnerable”
    While this may be true in many, or even most, cases, the fact remains that Firefox can’t yet hook into the OS to get the list of patches installed, to verify that the user is safe.
    Microsoft seem to have agreed that, in this case, Mozilla should go ahead and add it to the block list.
    It also seems that in FF 3.5.4, the feature to check the list of installed MS patches will be good to go, so this kind of thing shouldn’t happen in the future.

  6. Carl says:

    October 18th, 2009 at 2:23 am

    Those plugins should not be there to begin with; they came with Windows Update. It was not easy to know that they were installed and they are very hard to disable/remove. If they were easy to disable I think a lot of users would have done so already.

  7. Nico Sap says:

    October 18th, 2009 at 4:26 am

    I agree with Christopher Blizzard completely.

    But, as the problem resides in the .net framework, is internet explorer also affected?

  8. George Roberts says:

    October 18th, 2009 at 7:27 am

    Christopher – I keep seeing that comment from people at Mozilla that Microsoft was on board with this, however, we haven’t heard anything like that from Microsoft and there’s been no mention of exactly who it was at Microsoft that supposedly okayed this. And to be honest, even if someone from MS did sign off on it, it was still a stupid thing for Mozilla to do. As many of the comments on the bug report and on the blog post that Bob linked in the comments here show, this is going to have a huge impact on a lot of people, especially businesses that use ClickOnce for distribution of apps. Remember all that work you guys have done to try to get Firefox into the enterprise? Well, this decision just caused you to take a step back on that.

    Carl, there are a lot of plugins that get installed into Firefox when you install other programs. Have you looked at the list on your Firefox lately? I have 15 installed on my system and I only purposefully installed a couple of them. That has absolutely nothing to do with the issues at hand, to be honest.

    Nico, yes, IE was affected, but as I stated in the article, the issue was patched on 14 Oct 2009.
