On 16 October 2009, the Mozilla Firefox team made a decision to issue a “block” for the Windows Presentation Foundation plugin and Microsoft .NET Framework Assistant extension for Firefox due to reports of a vulnerability in the Windows Presentation Foundation (WPF) hosting process.  This is not a vulnerability in the two add-ons in question, but rather in an underlying library from .NET that the add-ons rely upon, thus opening Firefox to the vulnerability.

Where the story gets interesting is that the patch for this vulnerability (MS09-054) was issued via Windows Update by Microsoft on 14 October 2009.  So, two days after the patch for this issue was delivered via automatic updates, Mozilla decided that it would be a good idea to disable these add-ons.  Unfortunately, the block list technology Mozilla has put into place in Firefox does not give the user any option to override a block other than turning off blocking completely.

Read the rest of this entry »