Microsoft technology used to program applications that can be accessed through a browser continued to be blocked for Firefox users Monday.
Mozilla had been blocking two Microsoft plug-ins after the discovery that Microsoft’s .Net 3.5 SP1 install silently adds a plug-in to Firefox allowing the surreptitious launch of a malicious XAML browser application that could take over infected machines.
One add-on, the Windows Presentation Foundation, aids programmers in developing applications using Microsoft technologies, including Silverlight, that can be accessed via a browser. It remains blocked, but Mozilla Vice President of Engineering Mike Shaver wrote in a blog posting on Sunday that the Firefox team is working to find an alternative.
Restoration Timing Uncertain
Mozilla initially blocked Microsoft’s .Net Framework Assistant as well, but reversed that policy after speaking with Microsoft engineers over the weekend and learning that it does not provide access to the same vulnerability.
The current blockade is redundant for users who have already applied Microsoft’s patch for the vulnerability, which rolled out Oct. 12 as part of what Microsoft described as its largest vulnerability patch of 2009.
Although Microsoft has patched against the vulnerability, it’s unclear when the Windows Presentation Foundation access will be restored.
Mozilla’s press office did not return an email message seeking comment by deadline for this article.
Microsoft’s Misbehavior
Most home users likely didn’t notice anything more than an odd security warning when they fired up their browsers, but some may have encountered malfunctioning Web apps. Also, some enterprise users and designers may have faced trouble accessing custom applications and design capabilities through Firefox with the technologies blocked, said Wolfgang Kandek, CTO of Qualys, a vulnerability management company.
This is the second time this year Microsoft has been called out for silently installing plug-ins into Firefox. The first time was when the company included the Framework Assistant add-on in a service pack for the .Net application framework without alerting users.
“That normally is not considered to be good behavior,” Kandek told TechNewsWorld.
Microsoft didn’t respond to requests for comment by deadline.
Cooperation Between Competitors
While it appears that Mozilla initially overreacted in blocking the .Net Framework assistant, which is necessary for many third-party applications to run, it restored access to the plug-in quickly.
Mozilla and Microsoft appear to be working well together to address the issue for the benefit of users, Kandek said.
“I thought it was a great example of cooperation between two companies that are competing a lot,” he said.
instead of just disable it, or want to get rid of the Java plugin, here is where they can be located. Launch regedit and they are at HKLM>Software>Mozilla>Firefox>Extensions. Back them up if you like, and to delete them just delete the keys located there for .NET and/or Java. I personally don’t like the fact that EITHER company installed plugins without my permission, and deleted both on all my machines.