October 18, 2009 6:04 PM PDT

Firefox blocks insecure .Net add-on--awkwardly

by Stephen Shankland

Mozilla on Friday disabled a Microsoft plug-in for Firefox called the .Net Framework Assistant because of a security problem--then scrambled to give people with patched systems an override option.

Mike Shaver, Mozilla's vice president of engineering, announced the first step late Friday night on his blog. "It's recently surfaced that it has a serious security vulnerability, and Microsoft is recommending that all users disable the add-on," Shaver said. "Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plug-in for all users via our blocklisting mechanism. Microsoft agreed with the plan, and we put the blocklist entry live immediately."

This warning sign greeted Firefox users after Mozilla blocked use of a Microsoft add-on.

(Credit: Screenshot by Stephen Shankland/CNET)

The .Net Framework Assistant add-on lets Firefox use Microsoft's ClickOnce technology for installing applications that run on its .Net programming foundation. The add-on already was something of a thorn in the sides of some Firefox users: it was automatically installed via Windows Update with the .Net Framework 3.5 Service Pack 1 without telling the user the add-on was being installed or giving an option. More hackles were raised because it wasn't compatible with Firefox 3.5, Shaver said, and because removing it initially required people to edit their Windows Registry--a technically onerous task for most people.

Firefox checks a Mozilla server periodically for a list of add-ons to avoid. Although Mozilla's blocking move was intended to protect users, it caused other problems. Shaver indicated that Firefox's changed behavior irked some system administrators.

That led Justin Angel, a former Silverlight program manager at Microsoft, to tweet, "When business users can't use their core business functionality--they uninstall stuff."

One issue was that Mozilla's add-on blocking technology couldn't tell if people had patched their software and so weren't vulnerable anymore. "We can't distinguish patched from unpatched, so we're blocking it while we sort that out," Shaver twittered. Over the weekend, Mozilla worked to remedy the situation.

"Pushing a change to our blocklist software that will let Firefox 3.5 users override the blocking of .NET FA/WPF plugin if they're patched," Shaver tweeted Sunday. But a few hours later, he added, "We're still working on the blocklist tweaks to help enterprises override the blocking of the WPF plugin, stay tuned!"

Update 6:47 p.m. PDT: Crisis partially averted, apparently. At about 6:10 p.m., Shaver tweeted, "MSFT confirmed that the .NET Framework Assistant is not exploitable, so we've removed it from the blocklist; one down!"

Update 8:34 p.m. PDT: There's still another blocked Microsoft add-on that's vulnerable, one that concerns the Windows Presentation Foundation (WPF), which also is installed with the .Net service pack. Shaver said it was more serious.

"We're hard at work on improving the experience for (especially enterprise) users who wish to override the blocking of the WPF plugin before we remove it from the blocklist," Shaver said in a Sunday night blog post that announced the other plug-in had been removed from the Firefox blocked add-on list.

Stephen Shankland writes about a wide range of technology and products, but has a particular focus on browsers and digital photography. He joined CNET News in 1998 and since then also has covered Google, Yahoo, servers, supercomputing, Linux and open-source software, and science. E-mail Stephen, or follow him on Twitter at http://www.twitter.com/stshank.
by timber2005 October 18, 2009 6:33 PM PDT
Wait... the patched and updated plug-in have the same version number? Odd...
by Random_Walk October 19, 2009 6:49 AM PDT
...it prevents Microsoft from sneaking in the same plugin version.

The big question is, why is Microsoft sneaking in add-ons to a competing browser in the first place, especially w/o user permission or even knowledge? I'm sure they'd go apes^!t if a third-party app maker decided to do something similar with IE.
by fletchb October 19, 2009 8:38 AM PDT
You are right Random_walk. FF needs add-on security so MS or anyone else can't sneak in add-ons without user permission. MS was wrong to do this but FF needs to be fixed so this can't happen again.
by FutureGuy October 19, 2009 9:07 AM PDT
@Random_Walk, I wonder what you would say if MS decides it will not support Silverlight for FF making stuff like Netflix streaming not work. I bet you would cry foul.
by Random_Walk October 19, 2009 9:21 AM PDT
Microsoft is perfectly free to support or not support Silverlight on Firefox. OTOH, you're being ignorant - Silverlight is an optional download that users can decide on whether to install or not.

Microsoft's little .NET addon to Firefox was crammed down the throats of every Windows-based Firefox user, whether they wanted it or not. The bigger problem is that the forced patch also opened a big fat security hole: http://www.microsoft.com/technet/security/bulletin/ms09-054.mspx
by Lerianis3 October 19, 2009 10:21 AM PDT
Actually, the Silverlight thing is 'crammed down people's throats' too. I installed Silverlight, thinking it was only going to install in IE8.... I got a big surprise when it installed in Firefox 3.5 as well, and I was PISSED over that.
by Random_Walk October 19, 2009 2:32 PM PDT
Not really. It does spread to everything whether you want it to or not, but it is an optional (for now) download in Windows Update. You have to specifically pick it to download and install it.
by gggg sssss October 19, 2009 4:54 PM PDT
@Random It is Microsoft's OS, so if users allow updates, it is Microsoft who dictates what does or does not get updated. If Firefox cannot deal with that, then FF must yield the floor. Or go develop their own OS. Wait, that has been tried.
by mrorie October 22, 2009 4:16 PM PDT
Oddly enough, my Netflix streaming worked fine in FF until Silverlight was installed. Since then, it only works in IE. Way to be, Microsoft.
by L2Type November 12, 2009 3:00 AM PST
@Random_walk, Do you have iTunes installed? Do you remember giving iTunes express permission to install a browser plugin to FF? I didn't give it permission but I have one installed. This isn't an MS problem it's a much wider one.

@Lerianis3 When you installed Flash did you only expect it to be installed to IE or FF or did you expect it in all of them? Considering SL is a flash competitor kind of obvious it will go into all of them.
by PiiSPii October 18, 2009 6:45 PM PDT
The little notification popped up telling me to block it, then the browser crashed and vista had a conniption. I really hope this sort of thing doesn't happen again, it was a real pain.
by Lerianis3 October 18, 2009 9:39 PM PDT
Vista shouldn't have had a conniption about this....... if the browser crashed when you tried to block this thing, something on your system must use it.... though honestly, I cannot think of any non-enterprise thing that does.
by gggg sssss October 19, 2009 4:55 PM PDT
crappy programming by FF obviously
by krypter October 18, 2009 6:51 PM PDT
Already uninstalled it myself long ago. Microsoft and their endless security holes are invading Firefox now too...
by Lerianis3 October 18, 2009 9:35 PM PDT
Hey, Microsoft has no more security holes than any other OS and, to be fair, this thing doesn't install in Windows 7 that I can find.
by drobosson October 18, 2009 10:07 PM PDT
Lerianis3, actually this impacts Firefox users on Windows 7 as well. I ran across it on my Win7 box at home over the weekend and also at work this morning.
by Lerianis3 October 18, 2009 10:48 PM PDT
It does install on Windows 7? I couldn't find it installed on any of my 3 Windows 7 machines...... maybe I just haven't downloaded the thing that installs them yet.
by shinji257 October 18, 2009 11:19 PM PDT
You have not gotten the service pack for .net 3.5 then. I got it installed on my machine as well. :p
by zyxxy October 19, 2009 7:53 AM PDT
Installed on my Win7 machine with the update last week. Promptly blocked by Mozilla on Saturday.
by FutureGuy October 19, 2009 9:08 AM PDT
Right FF never releases any security patches.

/s
by thumper9000 October 19, 2009 9:41 AM PDT
Lerianis3, to say that "Microsoft has no more security holes than any other OS" is not a well researched statement. And it has absolutely nothing to do with the problem being discussed. The real problem, IMO, is that Microsoft forced a plugin on a Firefox browser *without getting the user's permission*. Probably because most users would have said "No." Microsoft should stop jamming their technology (good or bad) down people's throats. I have WinXP, Windows 7 and Mac OS-X, and I find this behavior on all three (are you listening Mr. Jobs?). I don't curse Mozilla for taking the action they did - I THANK them. Why on earth would I want my Firefox browser exposed just like IE? That's why I use Firefox (and Chrome and Opera).
by October 18, 2009 7:17 PM PDT
"Awkwardly"

Would you rather it had been done later, yet more gracefully, at the price of more users exposed for longer?
by tektaktyks October 18, 2009 8:55 PM PDT
yea it is a stupid title...nothing new to cnet
by celticbrewer October 19, 2009 5:51 AM PDT
"Would you rather it had been done later, yet more gracefully, at the price of more users exposed for longer? "

Yes!

I'm sure there's thousands of unpatched scenarios on millions of machines. Should companies just start blocking things as they please?

Should ISPs start blocking your computer from the internet if you're running XP SP1 and haven't updated since? I'm sure that's a bigger threat to the public than this .net issue. Maybe e-mail accounts should all be disabled if the password is 123456.
by Random_Walk October 19, 2009 6:51 AM PDT
"Should companies just start blocking things as they please? "

The bigger question is, should companies sneak in add-ons to competitors' products in the first place? Windows users had no choice in the matter - Microsoft plopped it into Firefox without users' knowledge or consent. It showed up after-the-fact, with no recourse by the user.
by AlwaysSmiling October 19, 2009 7:19 AM PDT
This comment is for celticbrewer.

It has nothing to do with "millions of unpatched scenarios" nor does it have to do with the idea of ISP's blocking your computer from the Internet if you're running XP SP1 and haven't patched since. What this has to do with is that if you installed .NET Framework 3.5 SP1 and had Firefox installed, it automatically installed this addon. You may like it, and a lot of enterprise users may like it. However, the original purpose of Firefox was an alternative to IE and ActiveX technology. And the fact that it was installed WITHOUT YOU KNOWING is a big issue.

This addon introduces ActiveX technology to Firefox. While a lot of people may think it's a good thing, the fact that Microsoft did NOT give anyone a choice in the matter is not a good thing. There's probably an equal number of people who use Firefox for their daily needs-- and use Internet Explorer when the site requires ActiveX. Why should their choice of whether or not to have the functionality in Firefox be decided by Microsoft or anyone else but them?

Personally, I think that Mozilla should have banned the addon from Day 1. Please understand that I use Internet Explorer for a lot of my surfing, but if I am not sure if I trust the site, I use Firefox to check it first (with No-Script and other security addons running). To find out that my security plan may be vulnerable because I installed .NET Framework 3.5 SP1 utterly p!sses me off. I'm one of the people who followed the registry tweak method to remove this addon.

Have a great day:)
Patrick.
by Dalkorian October 19, 2009 10:16 AM PDT
by Random_Walk October 19, 2009 6:51 AM PDT
Windows users had no choice in the matter - Microsoft plopped it into Firefox without users' knowledge or consent.

-------------------------------------------------------------------

Slaves never have, nor should they ever have, a say in how the plantation is run.
by L2Type November 12, 2009 5:00 AM PST
@ AlwaysSmiling

"This addon introduces ActiveX technology to Firefox. " That's quite far from the truth
by Tech Diva XXX October 18, 2009 7:28 PM PDT
I didn't get that message so I just disabled it.
by aitchondo October 18, 2009 7:38 PM PDT
Since .NET Framework Assistant is not exploitable, does that make Firefox as stupid as the others? I guess that if you can't find a bad thing, you just screw up a good thing.
by Mergatroid Mania October 18, 2009 10:34 PM PDT
Since when is MSFT adding things to FF without the user's permission "a good thing"?
by Lerianis3 October 18, 2009 10:49 PM PDT
Mergatroid Mania makes a good point. If something is going to be added to IE, Firefox, Chrome, WHATEVER..... I want to be able to tell it to NOT add the thing in question to them.
by shinji257 October 18, 2009 11:20 PM PDT
@aitchondo: Actually it was exploitable. It's just resolved now and they are just trying to figure out how to deal with it now.
by Random_Walk October 19, 2009 6:54 AM PDT
Mergatroid is correct.

The early versions of this "add on" wouldn't even allow you to uninstall or disable it. You were stuck whether you liked it or not.

And yes, the .NET Framework itself has multiple vulns: http://secunia.com/advisories/26003/
by zyxxy October 19, 2009 7:55 AM PDT
You couldn't uninstall, but you could disable. The problem was, then you got a warning on every restart that a plugin failed to load.....
by apple_rocks October 18, 2009 7:42 PM PDT
At least Firefox is more secure on the great Windows Vista and Win 7 than on OS X Leopard and its SP1 Snow Leopard
by unklemonkeh October 18, 2009 8:40 PM PDT
I hope Java Quick Starter will be next to get the chop.
by Lerianis3 October 18, 2009 9:34 PM PDT
I just deleted these things totally off my system. There is nothing that I use that uses these add-ons/plugins so I just found them and totally DELETED THEM off my system.... along with some other add-ons/plugins that were marked as 'bad' by Mozilla.
by StrikeEagle1 October 18, 2009 10:09 PM PDT
Everyone seems to be ignoring the fact that Microsoft installed these plug-ins via "update" but did so without warning the user of this fact. Personally, I do not want ANY vendor installing plug-ins without my express knowledge and permission. I use Firefox to get away from this sort of thing. If I want a plug-in, I will install it. If Microsoft wants to alert me to the availability and function of a plug-in, AND give me the option to install or not install it, that's fine. However, IMHO it is NOT acceptable to simply install something into a third party application without my permission.
by Vegaman_Dan October 18, 2009 10:22 PM PDT
Apple's been doing this for years now and it doesn't seem to attract the media's attention or cause people to really complain that much. Mostly because they don't know it's happening, I expect.

Example: iTunes

If you install QuickTime or iTunes, you get the other included. And even if you never have an iPod or iPhone, if you open up the task manager and look at the processes you'll find that you're wasting system resources running iTunesHelper and iPodServices. Those are there running, you know, in case you some day buy an iPod/iPhone and plug it in. Then it will be ready and waiting. It just comes with the apps without your knowledge.

*shrugs* If it's okay for Apple to do this sort of thing, why isn't it okay for everyone?
by Lerianis3 October 18, 2009 10:50 PM PDT
Good point, Dan...... Apple has been doing this exact same thing for years, and no one has yelled at them yet. Really, these .Net things should NOT be installed on most people's machines, from what I have seen. Nothing in the consumer arena, absent a few graphics control panels for discrete graphics, uses them.
by Mergatroid Mania October 18, 2009 10:56 PM PDT
I agree 100%. This sounds to me like a lawsuit just waiting for an ambulance chaser to get things rolling.

No software company has any right to add anything to any piece of software on my computer without my permission. Yet again one of these companies proves they cannot be trusted to do the morally right or legally right thing.

I'm sure if a lawyer type person looked into this, there must be some law prohibiting companies from altering someone's property without their permission.

I also cannot believe no one else is complaining about this. I am outraged. Once again we are raising an entire generation that is so used to these companies telling them what's good for them that they have started believing it and accepting it as normal.

If I owned a big company and had lost time because of this I would definitely have my lawyers looking into it.

And as for "That led Justin Angel, a former Silverlight program manager at Microsoft, to tweet, "When business users can't use their core business functionality--they uninstall stuff." "

You just prove that a programmer does not have to be a genius. It seems to me that all these problems were started by MS adding .net to FF without anyone's permission, so it also seems to me that if there's any uninstalling to be done, it should be .net, not FF. Get a freeking brain.

When is FF going to make damn 100% sure that nothing can be installed to FF without being easily uninstallable? I have run into this same problem with some anti-virus software and, IMAO, it makes that software almost as bad as the viruses! Since when should we not be able to remove software we don't want, for ANY reason, from our own computers? For about the 10,000th time I have to say the ONLY thing keeping me using Windows is that the software I want to use is on that platform. If I could run my current software on Linux, my home computers AND all my business computers would be running Linux and not Windows.

If Mozilla Foundation cannot keep control of their own software, then how about just preventing ANY additions since we cannot trust that we will be able to remove them? How about a selection in the options that says "Prevent any software from modifying FF (Y/N)".

Get with it Mozilla people. Are you asking us to stop using your software because you can't prevent these things from happening? Get some balls and threaten a lawsuit if MS doesn't stop doing this. Of course, I guess I could always just stop using FF. If that's what you're looking for......
by odubtaig October 18, 2009 11:08 PM PDT
I seem to remember quite the fuss when Apple started doing that, although the important difference is that the updater does say these things are being installed (you can untick the box if you want). It's not quite as surreptitious as the .Net framework and WPF plugins. Also worth noting at http://www.mozilla.com/en-US/blocklist/ that some versions of the Quicktime plugin have been blocked for a remote code execution vuln.

Once again Dan, you need to do your homework.
by DrtyDogg October 19, 2009 3:18 AM PDT
Actually odubtaig you should re-read his post instead of telling him to do his homework. He wasn't talking about the auto Safari install thing, though that was bad too.
by Random_Walk October 19, 2009 6:56 AM PDT
So someone kindly show us where Apple allegedly installed plugins to competing apps with no warning or recourse.

Anyone?

Buehler?

Thought so.
by HyraxX October 19, 2009 6:58 AM PDT
And I do not want Mozilla to ban plug-ins they feel I would not want. They can give me an option to remove due to security issues. But to ban it outright is something amazon or apple would do.
by AlwaysSmiling October 19, 2009 7:34 AM PDT
Apple doesn't do this exactly as Dan says however. If you go to http://www.apple.com/download and look at QuickTime, you can install it with or without iTunes. I believe (although I haven't verified) that it's the same scenario when you install iTunes from their download site.

The iPod/iPhone helper is installed also, but it's an integral part of iTunes (since iTunes is intended to synch your music from your computer to your ummmmmm IPOD and IPHONE). You can simply go into Services and disable it. Originally you couldn't do anything that simple with the "Click Once" plugin that Microsoft installed.

When I installed .NET Framework 3.5 SP1, the only indication that anything was added to Firefox was when I did a manual check for updates (or when I installed another addon). That's wrong in every sense of the word.

Also for the comment that these .NET things shouldn't be installed on consumers' machines.... Any program that you install, which has been created in Visual Studio (and there are a lot of them) uses the .NET Framework. If you look at the installer (or CD) and it contains a file called dotnetfix.exe, then it's using the .NET Framework. My printer (Lexmark X2350), camera (Kodak camera), weather alert program (WeathAlert), PlanPlus software, and quite a few other programs fall into this category. Only the "PlanPlus software" could be considered business use. You'd be surprised how many games fall into this category also.

Have a great day:)
Patrick.
by Renegade Knight October 19, 2009 1:47 PM PDT
I noticed that. When Firefox pulled the plug on the two plug ins I was perfectly happy.
by fmhudson October 19, 2009 1:52 PM PDT
I don't understand the uproar - I use Windows XP SP3 with all the updates. When the .NET and WPF automatic downloads were complete, I got a window giving me the choice of automatic installation or custom installation. The custom installation option had check boxes with install or not options for both downloads. No sweat - just uncheck the box for the files you don't want.
by zeroplane October 18, 2009 10:48 PM PDT
Wait, is this guy implying that any organization or business would build a "core business system" on Silverlight? Maaahahaa.. yeah right.. bummer to be them....

That is like saying it was ever a good idea to build your "core business system" using ActiveX..

Loooooosseeeerrrr
by thelemurking October 19, 2009 6:05 AM PDT
You don't stream Netflix do you?
by ertem0 October 19, 2009 6:35 AM PDT
Actually I used to stream Netflix.. Then one day last spring it said I had to install Silverlight to watch 'Gandhi'. Did so on a guinea pig laptop to test it. Then Netflix refused to run on my other 'real' machine because it had automatically set my account preferences to use Silverlight on all machines. I called / emailed customer service multiple times trying to restore to previous settings, from about 10 minutes before. They said it was 'impossible'. They would not reset account settings to non-Silverlight, by corporate policy.

Got me so pissed I immediately cancelled our Netflix subscription.
by October 19, 2009 6:51 AM PDT
Wow, zeroplane, I am hearing that several really big organizations and businesses are doing just that. It was a recent article in the Programmers Paradise catalog and the list of companies (I can't find the darn thing now but it should be on their web site) was really big boys.
... and you can still buy ActiveX controls for development (although they have seen the light at the end of the tunnel and are headed for it.)
I am more and more impressed with .NET (not) ... especially since I have to reinvent all the cool things I created in a new noncompatible decompilable language and the recommended way to approach about half of them is pInvoking Win32 APIs ... which by the way, makes that functionality secure but then it is not 'pure' ... oh brother.
by Lerianis3 October 19, 2009 10:25 AM PDT
by ertem0 October 19, 2009 6:35 AM PDT
Actually I used to stream Netflix.. Then one day last spring it said I had to install Silverlight to watch 'Gandhi'. Did so on a guinea pig laptop to test it. Then Netflix refused to run on my other 'real' machine because it had automatically set my account preferences to use Silverlight on all machines. I called / emailed customer service multiple times trying to restore to previous settings, from about 10 minutes before. They said it was 'impossible'. They would not reset account settings to non-Silverlight, by corporate policy.

Got me so pissed I immediately cancelled our Netflix subscription.
___________________________________

You should have immediately threatened a lawsuit over that, and they would have changed it back REAL fast.
by gggg sssss October 19, 2009 5:01 PM PDT
obviously no clue how Windows works.
by virgilp October 19, 2009 12:00 AM PDT
FWIW, I can now use FF again. I had to switch to Chrome because FF was behaving erratically - sometimes it simply froze for ~30s and I couldn't do anything with it. It happened especially on startup, so it was extremely frustrating if I just wanted to just check something quickly on the net.
After Mozilla blocked the MS addons, all my problems disappeared. I don't even browse to Silverlight sites... not sure why it was making so many troubles. Anyway, I uninstalled MS crap and will keep an eye on it in the future :). But I too find it outrageous that MS installed Silverlight on my computer without asking for my permission.
by rage6060 October 19, 2009 2:17 AM PDT
This is one of the many reasons why I stopped using Windows and use Linux, most of it is done by Microsoft pushing stupid updates through their Updater while not doing any good testing beforehand...

What's even more shocking is that they secretly included an update to 3rd party software, that's pretty questionable if you ask me. What's even more odd is that Apple can secretly install iTunes while you were just installing let's say QuickTime video player... Get my drift, this means that any software vendor can potentially install anything they want onto your Windows box, which too is one big security hole... Also it's not just installing but running too~ ;). Heh heh, Scarrry isn't it. Hmm, I was wondering how someone installed a funny little script that destroyed my ability to log in to my laptop...

Well enough rambling, my advice to Mozilla is to create an alert component that detects any other entity other than the user installing plugins. This component will alert its user that someone other than the user is going to install a plugin, this will give the user a nice little prompt, the first button will say "yes" and the second button will say "NO!!!".

Also to Mergatroid Mania google WINEHQ. :D
by S Nijs October 19, 2009 5:31 AM PDT
Or Crossover Office if you don't want to tinker much, and use Windows only software.

Their Lameduck Challenge certainly turned me into a customer...
by Mike Acker October 19, 2009 4:01 AM PDT
And this is just 1 more example confirming how the software builders' cavalier use of ad-hoc over-the-air updates has led to trouble. The practice of ad-hoc, over-the-air software updates must end.
by exactlyy October 19, 2009 4:26 AM PDT
wow..really Firefox starts up much faster after disabling this scum.
by irondog1970 October 19, 2009 5:38 AM PDT
I'm glad this article made sense to some people. I'm a computer user, not a computer programmer. So, I don't have a clue as to what .NET is or what the Windows Presentation Foundation is.
by October 19, 2009 6:00 AM PDT
So that's cool and everything but ...
I am using FF to debug a WPF app I am writing and I do want the functionality of the .NET assistant because I am developing in .NET and ... FF is my browser of choice.

So HOW DO I RE-ENABLE/INSTALL THESE ADD ONS?

When I saw the message I was, like, "that's odd." So I followed the "More Info" link and I find a bunch of propeller heads (almost like me but with a deep hatred of MSFT) talking a bunch of crap. I followed the links that were 'supposedly' to some MSFT official who said that everyone should disable these add ons ... now and it was a dead link. So instead of a warning that I may want to temporarily disable these add ons (that only an uber geek could exploit) while some more research is done and the problems could BE VERIFIED ... I have somebody else controlling my choices.

And I don't want to get off on a rant here but ...
What is with this trend in software of removing options and functionality ... there are no simple ways to deal with cache and cookies in the latest couple versions of FF. I have installed a couple add ons and will be looking into it but ... give me a break. I just want a place where I can add adserver.com (and a ton of others) to a list of places that I never want to accept cookies from. Then a way to export or import that list to and from a simple text file. That is called functionality and convenience. IE doesn't have it either. I use NIS (okay, I know ... but I have used it for over ten years ... even back to when it was a pretty good product). So my background scan finds a tracking cookie ... and deletes it. It is the same one it found for the last twenty times. Any functionality for blocking it? Nope. In fact you have to dig through four screens to even see from where it came and then? There is no way to even highlight and 'blankity blank' copy it to the clipboard. Very functional, that. Sounds like they need a few more 'Program Managers' over there to (insert pointless buzz words here).
I should have become a commercial fisherman.
by Random_Walk October 19, 2009 6:57 AM PDT
"HOW DO I RE-ENABLE/INSTALL THESE ADD ONS?"

Can you show me which websites actually use them?
by zyxxy October 19, 2009 8:04 AM PDT
It allows our internal websites to work with firefox. I can still work with them, but it takes some indirection, with the plugins, it just works. I would show you, but they are inside our firewall.
by ColinABQ October 19, 2009 6:04 AM PDT
Both Microsoft and Mozilla made some interesting mistakes here. Obviously, Microsoft should never have installed the plug-ins/add-ons without user consent. And Mozilla did not block them until AFTER the vulnerabilities had been patched. Let's think about that. The installation was done as part of a service pack, meaning that it was on systems owned by people and businesses who actually keep their systems patched and up-to-date. That implies that the blocking was unnecessary, since it was not done until after the patching, at which time there were no actual security issues.
by AlwaysSmiling October 19, 2009 7:45 AM PDT
Except that the functionality may have had a security issue in it. Patches are not 100% perfect either. Hence why later patches fix issues in the earlier patches (called superseding). Or the patches don't fix the issue 100% in the first place.

Would you be happy if the ebay auction sniper just automatically installed itself the next time you opened Firefox? Or the next time you went to Ebay (whether it was in Firefox or Internet Explorer)? And would you be happy if you couldn't uninstall the addon?

One thing that some people are overlooking is that Mozilla contacted Microsoft BEFORE they blocked the addons. Microsoft agreed with them that it should be done. Then Mozilla blocked them. When Microsoft said that the one addon is patched, Mozilla unblocked it. It's not like Mozilla did this without Microsoft or anyone else knowing-- quite the contrary to the actual installation of the addon in the first place.

Have a great day:)
Patrick.
by jc364 October 19, 2009 6:12 AM PDT
It's a good point that other applications have done this before. Apple, some anti-virus apps, etc... The difference in this case is that Microsoft pushed this out as a Windows update.

The problem is that Windows is such a core piece of software, because it is what allows the user to operate the computer. You can get along without iTunes, and you can switch antivirus programs, but most people either can't or aren't willing to change operating systems. So when Microsoft uses Windows as a launchpad to push its other products, it is much more intrusive than a regular application doing so. Security risks are also a lot higher.
by AlwaysSmiling October 19, 2009 7:48 AM PDT
Also, I wanted to add that you can't be sure that 100% of the Firefox users with this addon, have patched their systems for this. So, it's taking the risk that by not blocking this addon, they are allowing millions of people to become infected (if/when an exploit is released) using their browser.

If I had to decide between making sure that everyone was safe (until they patched up properly) or risking millions of infected people who all will say "I only use Firefox, so how did I get infected?", I'd choose to block and make sure they are safe. But, that's just me.

Have a great day;)
Patrick.
by john55440 October 19, 2009 6:17 AM PDT
"MSFT confirmed that the .NET Framework Assistant is not exploitable, so we've removed it from the blocklist; one down!"

The morons at Mozilla/Firefox delete first, and ask questions later.
by jc364 October 19, 2009 6:28 AM PDT
Uhm, it says that Mozilla worked with Microsoft before blocklisting the add-ons, and Microsoft agreed to the measure.

You know, it's usually a good thing to know that something's secure before pushing it to thousands of users. So I am glad that Mozilla will block something if there's even a question that it may not be secure.
by zyxxy October 19, 2009 8:05 AM PDT
He forgot to read the whole article first....
by Nestiiii October 19, 2009 6:38 AM PDT
@ Mergatroid Mania

omg. you have no idea how software is done these days... sorry but with your statement you outed yourself... are you a lawyer?

But I like to read the comments on cnet - as a software developer it's fun to see what perception of software the "average computer user" has.