A BIG CHEESE at the Mozilla Foundation first ordered a Volish plug-in to be shot as a security risk and then decided it was alright really.
The Firebadger developers blocked a Firefox plugin that had been quietly pushed out by Microsoft, saying that it presents a security risk.
The add-on was released by the Vole as part of a .Net software update last February. It could be disabled but was tricky to completely remove.
The Vole has warned Firebadger users who have not applied a recent Internet Explorer patch that they were vulnerable to a "browse-and-get-owned attack" because of the add-on.
It said that if users had installed the update for Internet Explorer they would be safe. Quite why anyone would install anything for Internet Exploder if they did not use it, Microsoft did not say.
Mozzarella responded by automatically blocking two add-ons - the Microsoft .Net Framework Assistant and a related plugin called the Windows Presentation Foundation.
Given that most users will probably have installed the Volish upgrade, this is shutting the door not only after the horse has bolted but also after it moved to another country and set itself up under an assumed name.
However, when we woke up this morning the so-called security threat was nothing of the sort.
Mozzarella apparently has had a rethink and decided that the 'security threat' is really nothing to worry about after all and unblocked it.
Mozilla's Vice President of Engineering, Mike Shaver, after first claiming in his blog that Microsoft agreed to this plan, is now saying that he changed his mind after the Vole told him that the Framework Assistant was not "a mechanism for exploiting the vulnerabilities". µ
Stupid vole installed this carp on my Firefox without my consent. I disabled both plugins, including some retarded Google plugins that also hooked up without authorization, before this story broke out.
When will stupid companies stop pushing stupid carp on our machines? And when will Mozzarella stop allowing plugins to install like that? Got malware?!?!
Stupid Mozilla foundation removed a plugin without giving me even the slightest option to ignore it. Way to go, now I can no longer use Firefox at work due to it no longer playing nice with .NET applications.
Say what you want but at least the evil vole gives you the option to not install its upgrade. Where's my option to re-enable my plugin, especially given that the plugin isn't a security threat?
I understand. But because of the second plug-in that Microsoft forcefully installed in everybody's Firefox, everybody's got a problem. The only solution is to scramble and block it all.
Reading on the newer news, Mozzarella already knows about the .NET thingy, but the WDF carp continues being carp. There's a fix coming for you, it seems.
But I'm still pissed at the Vole and disappointed with the plug-in liberty that Mozilla hands everyone. Hmpf.
I noticed Firefox had disabled my WPF plugin. Clicking on "More information" I get a warning that the Mozilla site linked to has an invalid certificate. Pot calling the kettle black?
Anything which installs without explicit consent should be blocked, and stay blocked, including this sneaky plugin.
Any time I see this garbage, both the registry entry and the plugin dll get deleted; no mercy!
I wrote the truth on my blog: Microsoft agreed that we should block both, and later told me that both add-on and plugin were vulnerable. When they sent me a correction to their assessment, which now confirmed that the add-on *was not* a way to exploit this vulnerability, we removed the add-on from the block list.
Feel free to use the email address for this comment if you'd like to learn more about what actually happened.
(The certificate error on the more-info page was indeed a dumb mistake, and we've repaired it. Nostra culpa.)