Michael Horowitz

Defensive Computing

Thank you Firefox

Yesterday, Gregg Keizer reported here about buggy, vulnerable software that Microsoft installed into Firefox. The first time Microsoft zapped Firefox without warning, it added an extension. This time, the vulnerable software is a plug-in. 

Firefox to the rescue. 

Firefox warns of a vulnerable add-on

Without any effort on my part, Firefox took it upon itself today to warn me about the vulnerable Microsoft .NET Framework Assistant software. As shown above, the browser automatically disabled the software, told me about the situation and patiently waited for me to click a button to complete the process. 

I had no idea that Mozilla maintains an Add-ons Blocklist.

Reason 314 of the 500 reasons to use Firefox.


Update: Just hours after writing the above, I was using another Windows XP computer and Firefox again warned about buggy Microsoft software. 

Why did this second warning (above) include software that the first one didn't?

I don't need to know. 

And for that, thank you Firefox.

 

 

What People Are Saying

Mozilla admits that they were wrong

"We received confirmation from Microsoft this evening that the Framework Assistant add-on is not a mechanism for exploiting the vulnerabilities detailed in the earlier post, so we’ve removed it from the blocklist. As the blocklist update propagates to clients, the add-on should be re-enabled for users who had it previously enabled."

http://shaver.off.net/diary/2009/10/18/update-net-framework-assistant-clickonce-support-unblocked/

Apparently the good folks at Mozilla have a Block First, Ask Questions Later philosophy. Dumb, dumb, dumb...

Good

I consider being safe rather than sorry a good approach. Yes, the folks at Mozilla jumped the gun. However, they did it with good intentions. The result did cause some folks problems, but they restored the blocked plug-in once they realized the problem. All in all, I think they did pretty well.

automated nightmare

I agree, I would rather be safe. If I need something I can always install it. It is after all my responsibility at work and I will be the one that takes the blame if something goes wrong.

MS, Please don't automate my nightmares.

It's more complex...

It is definitely cool that they have that ability. The problem is they "fixed" something that wasn't broken. The add-ons never had a vulnerability. The vulnerability was in the .NET framework itself (part of Windows). Also, the .NET Framework Assistant plug in was not involved in any way and was necessary for Click-Once deployment. The WPF (Windows Presentation Foundation) plug in is what used that vulnerable piece of the .NET framework.

Additionally, Microsoft had /already/ fixed the .NET vulnerability 2 days before Mozilla even heard about it.

Now, because of Mozilla's dash to "fix" a "vulnerability" that didn't exist in /any/ add-on, Monday morning, hundreds of thousands of people are going to go into work to run their business critical applications (that are launched with click-once technology) and be totally hosed.

Even worse, there's no way to re-enable either of the plug ins for all of the machines that didn't even HAVE the vulnerability.

Worse still: Since Microsoft has already fixed it in the framework, there's no need for them to release 2 new plugins, so they'll never be reactivated again (unless Mozilla fixes it on their end, which it appears they're finally doing now with all the brouhaha on the bug entry).

Sometimes there's such a thing as "too much" security.

Monday came

Well... Monday came and... Nothing... no call from users.

Oh that's right, most organizations run IE, because that's what all our App servers have been programmed to. So the only people affected by this were home users and IT staff that run Firefox because we are smart enough to have two browsers installed and know when one will work and the other one will not.

Mmmm

I heard Microsoft wanted to improve IE's security, I did not expect it would be a relative improvement due to lowering the bar of all browsers running on their platform.

and this is 1024 of 65536

and this is 1024 of 65536 reasons not to use Windows and use Linux instead

Linux sounding board

I like how everyone comes on this website to trash Windows and talk up Linux. Linux users: take a Windows class if you are too slow to figure out how to use it. Linux is in the same category as: BetaMax, HD DVD and analog television. It's called 'cut off your nose, to spite your face.' God is dead, and so is Linux. A vote for Linux is like a vote for Ralph Nader. Great idea, no real world practicality. Go be l33t somewhere else.

You might've been right on

You might've been right on everything until you gratuitously injected religion ...

God's not dead...you are; your rigor mortis just prevents you from detecting your lack of a pulse.

been there done that

I used Windows for a long time before I switched to Linux. Vista's sluggish performance, poor hardware compatibility and annoying interface forced me to try something else.

One year later and the only Windows system I use is at work, where I spend my time pushing patches and patiently listening to complaints from users.

I still know a lot more about the Windows environment than Linux, but I'm happily learning. My 68 year old mother won't use anything but Linux.

I also don't miss having to pay for third party software to protect a vulnerable OS. It's still annoying that I paid for an OS that's just going to be formatted away.