Twist: on Tech » clickonce http://www.twistontech.com Life Seen Through Geek Goggles - Technology Blog Mon, 01 Mar 2010 05:53:36 +0000 http://wordpress.org/?v=2.9.2 en hourly 1 Firefox team unnecessarily blocks add-ons, breaks ClickOnce http://www.twistontech.com/mytwist/firefox-team-unnecessarily-blocks-add-ons-breaks-clickonce/ http://www.twistontech.com/mytwist/firefox-team-unnecessarily-blocks-add-ons-breaks-clickonce/#comments Sat, 17 Oct 2009 20:49:45 +0000 George Roberts http://www.twistontech.com/?p=73 On 16 October 2009, the Mozilla Firefox team made a decision to issue a “block” for the Windows Presentation Foundation plugin and Microsoft .NET Framework Assistant extension for Firefox due to reports of a vulnerability in the Windows Presentation Foundation (WPF) hosting process.  This is not a vulnerability in the two add-ons in question, but rather in an underlying library from .NET that the add-ons rely upon, thus opening Firefox to the vulnerability.

Where the story gets interesting is that the patch for this vulnerability (MS09-054) was issued via Windows Update by Microsoft on 14 October 2009.  So, two days after the patch for this issue was delivered via automatic updates, Mozilla decided that it would be a good idea to disable these add-ons.  Unfortunately, the block list technology Mozilla has put into place in Firefox does not give the user any option to override a block other than turning off blocking completely.

When bringing this up on the BugZilla thread for this issue, the members of the team responsible for issuing this block essentially have said that they do not plan on removing the block, putting thousands of developers using ClickOnce for distribution of their software in the position of not being able to effectively deliver their software to Firefox users.

“Updates are not magic. Some people have them now; some don’t. If it’s not 100% then it’s vulnerable and hence the block. If a version that is 100% (preferably with user permission) were put out then that could be allowed, as already stated,” stated Dave Garret. “Fundamentally, Microsoft introduced a security risk into Firefox with these add-ons. That risk came to fruition and thus Mozilla closed the risk entirely.”

Although the issue was not with the add-ons themselves, the Mozilla team apparently is refusing to unblock them until new versions of the add-ons are released that are not vulnerable.  The funny thing is, the current versions of the add-ons are not vulnerable.  It seems as though the few people who are making the decision about this block may have decided to take advantage of this opportunity to block a set of add-ons that have been controversial.

This is bad news for software developers and many enterprises who use the ClickOnce technology to deliver applications to their users.  It’s especially bad news for Mozilla, in my opinion, because if this block isn’t removed, those enterprise IT organizations who managed to get Firefox approved as their standard browser may be forced to switch back to Internet Explorer.

Hopefully someone with some sense will step in and realize that this block needs to be removed.

More information:
http://csharpner.blogspot.com/2009/10/firefox-has-determined-that-following.html

]]> http://www.twistontech.com/mytwist/firefox-team-unnecessarily-blocks-add-ons-breaks-clickonce/feed/ 8