Saturday, October 17, 2009

Disabled for your protection

My Firefox, on Windows, just reported that it had disabled the Microsoft .NET Framework Assistant 1.1 extension and the Windows Presentation Foundation plugin. Supposedly, these were security issues. If I'd be so kind as to restart the browser for the changes to take effect.

Well, whatever, go ahead. After the restart, the Extensions window pops up, showing .NET Framework Assistant as “Disabled for your protection.” Phew, thank you.

But now I'm curious. What's so evil about these Microsoft plugins that Mozilla feels the need to block them automatically? Luckily, there is a “More Information” link right there in the dialogue! So I click it:

It's great to see that Mozilla really cares about my security.

3 comments:

Anonymous said...

https://bugzilla.mozilla.org/show_bug.cgi?id=522777

remote code execution bug

Eamon Nerbonne said...

I'm curious how this will turn out - it's a pretty dubious move on the blocklist maintainers' part. The vulnerability exists in the base .NET framework (not the blocked plugins), and an update fixing the vulnerability was released last Tuesday (the 14th) - but the blocklist cannot detect the framework version, only the plugin version, so the plugin is disabled even on non-vulnerable systems.

It's very hard for a non-technical user to circumvent this particular ban, so if anyone actually uses ClickOnce or XBAP, they'll need to switch browsers or disable the entire blocklist.

Apparently some sites do rely on it, and for them, this will be a Firefox blocker - and unfortunately, it doesn't exactly inspire confidence in the use of Firefox as a stable base. One can only wonder how this would have turned out had the plugin+extension in question not been Microsoft code.

Natalia said...

I also wanted to know why this happened. Although I have not faced this situation so far, I still remember that one of the extensions was disabled a few months back for security reasons. How are plugins checked, and what's the reason behind this problem?