Mozilla goes back and forth with Microsoft over add-ons
by Steve Ragan - Oct 19 2009, 17:31On Friday and carrying over into the weekend, Mozilla gained a good deal of press over some protective actions they took for users of their Firefox browser. Namely, they disabled two Microsoft installed add-ons. Later, they unblocked one of them, after some discussions with the software giant in Redmond.
Starting with the add-ons that were blocked, one of them was already semi-infamous. The first block issued by Mozilla targeted the .NET Framework Assistant add-on, which was the center of some debate after it was silently installed by Microsoft.
The .Net Framework Assistant allows ClickOnce installations, something that is used more by the business world than the general Internet populous. ClickOnce technology aside, the add-on was found to have contained a serious security flaw and the recommendation from Microsoft was that it be disabled if MS09-054 was not applied during the October security updates. The other disabled add-on, Windows Presentation Foundation (WPF), was included with the .NET Framework Assistant add-on. As such, it was blocked as well.
“We received confirmation from Microsoft this evening that the Framework Assistant add-on is not a mechanism for exploiting the vulnerabilities detailed in the earlier post, so we’ve removed it from the blocklist. As the blocklist update propagates to clients, the add-on should be re-enabled for users who had it previously enabled,” said Mike Shaver, Mozilla's vice president of engineering on Sunday.
On the Mozilla blog over the weekend, there was a good bit of heated discussion. The focal points for those conversations took a few different directions. Some were happy to see Mozilla take action, others were wondering why Mozilla bothered. An enterprise Mozilla user commented that the block resulted in them switching back to Internet Explorer because they actually used the ClickOnce ability.
On Slashdot, Shaver and Larry Seltzer, as well as a few others, had a discussion over logistics and the fact that there is no way to separate patched systems from those vulnerable to the security issue. So Mozilla had little choice when they moved forward with the block, as it really was an all or nothing scenario.
Yet, in all the coverage, one point was missing. Windows users need to apply the monthly patches offered by Microsoft consistently. They should really make an effort to apply all the ones that are pushed for Internet Explorer. Regardless of a Mozilla block, or what their default browser is, they should be patching their systems. The trick is to get them to do so, a feat easier said than done.
As for the blocks, almost everyone should have the .NET Framework Assistant block removed by now, and according to Shaver “We’re hard at work on improving the experience for (especially enterprise) users who wish to override the blocking of the WPF plugin before we remove it from the blocklist.”
Tell us what you think. Was Mozilla correct in issuing the blocks? Why or Why not?
Comment on this Story