If you or your users use FireFox, this morning, you and/or they got this message:
Firefox has determined that the following add-ons are known to cause stability or security problems
FireFox popped up this box, strangely, just as I was reading an article about WPF (Windows Presentation Foundation):
The first add-on is: “Microsoft .NET Framework Assistant 1.1”.
The second add-on is: “Windows Presentation Foundation 3.5.30729.1”
What or Who does this affect?
It affects all Click-Once deployed applications and users that launch them with FireFox. These are things like games for Windows written with XNA and deployed for launching from your browser, or any Windows application deployed to a web site to be launched via a URL (with Click-Once technology). This is a VERY IMPORTANT technology that affects a LOT of products, companies, and end users (including myself) and should NOT have been disabled!!!
Why were these disabled?
The claim is that they provide remote code execution. The problem is that this disabling may be wrong and your system may not be at risk at all. The vulnerability is NOT in the plug-ins, but in the .NET framework itself (part of Windows), and not part of the add-ons or FireFox. If you keep your Windows Updates updated, you most likely are NOT at risk, but FireFox cannot detect whether you’ve got the fix from Microsoft already installed, so it just disables it anyway. The FireFox programmers were hair-trigger happy to get their fix out quickly (which they did). Now, they have no way to determine whether your machine is vulnerable or not. In short, it’s not FireFox’s responsibility to do anything about this since it’s NOT a security vulnerability in either FireFox itself or any of the plugins, but in the Operating System itself.
FireFox should be checking for either the hotfix or the version numbers of the DLLs in the OS that are affected. At the moment, the current version of FireFox doesn’t have the ability to check system DLLs. It will require an update to FireFox itself, which they should certainly do if they plan on globally, unilaterally disabling important functionality such as this, even on machines that DO NOT HAVE THE VULNERABILITY!!!!
Here’s how to tell if you’re really NOT at risk:
- Open a command prompt (a.k.a. a “DOS Box”):
- In Windows XP, open the start menu, choose “run” and type “cmd” in the run box and either hit [Enter] on your keyboard or click the “OK” button.
- In Vista or Windows 7, hit
+R and type “cmd” in the run box and either hit [Enter] on your keyboard or click the “OK” button.
- Type “wmic qfe get hotfix” and hit [Enter].
- You’ll get a list of 10 or so hot fixes already applied. Look for KB974455.
If you don’t have this hotfix, just do a Windows Update to get it.
However, if you do already have this hotfix, then there’s no reason to let this be disabled, but there doesn’t seem to be anyway to stop it from happening. Please post a comment below if you know how. FireFox disabled the add-ons for me, even though I do have the hotfix already on my machine.
According to Microsoft, anyone with automatic updates turned on should already have the fix, but FireFox does not detect whether or not your machine is already protected and disables the add-ons anyway, royally screwing any company that provides Click-Once deployed applications (like me), and their users, and not to mention the help-desks of those companies.
If you want to manually apply the Microsoft hotfix, you should apply MS09-054. If you understand what I just said, you don’t need instructions from me.
There does not appear to be a way to manually re-enable these add-ons. If anyone knows of one, please, by all means, post it below.
Update (7:43 AM 10/19/2009):
Mozilla has finally come to their senses and realized that the Click-Once add-on was never vulnerable and has unblocked the Click-Once add-on. Unfortunately, if yours was already blocked, it appears you have to fix it manually. Pretty simple though. Just go here:
https://addons.mozilla.org/en-US/firefox/addon/9449
Um… scratch that. When I try to install it again, I get this:
Before I tried that, I tried doing an update (help/Check for updates) and it didn’t unblock it. I’ll report back when I learn more… Keep checking back.
Update: Mozilla has unblocked both add-ons. Your browser should have received the unblock instructions by now. If not, read my comment below about changing the polling frequency.
I now consider this issue finally resolved. Let’s hope Mozilla has updated their standards for how they choose to implement future blocks.
Thanks Roman.
FireFox does indeed poll once every 24 hours for block lists, but you can change that by entering:
about:config
In the address bar and changing extensions.blocklists.interval. It defaults to 86400 seconds (24 hours). I changed mine to 60 seconds to get the block list updated, then changed it back.
Per my previous comment, disabling blocklists (see my post at Bugzilla) does in fact re-enable both the .Net Framework Assistant and WPF extension/plugin. If you have uninstalled the .Net Framework Assistant, disabling the blocklist will allow it to be re-installed from Addons.Mozilla.Org here.
I read the updates from Mike Shaver which are saying that the .Net FA has been unblocked and that the WPF is on a "soft block" allowing users to unblock it if they want, but every time I re-enable blocklists in about:config, I lose both with no way to get them back other than disabling blocklists again.
The issue may be that the blocklists are only polled once every 24 hours by Firefox and as such these items will remain blocked until the next polling. The problem there is that when blocklists are disabled, Firefox doesn't poll the updated list…and when I turn on blocklists, I lose the plugin/extension and the ability to turn them on.
If I knew what time of day Firefox was polling, I could re-enable just prior to that time and wait for it. But I don't know and so far haven't been able to find out.
In any case, disabling blocklists in about:config does the trick.
I'm not sure about re-enabling as I did not allow Firefox/Bugzilla/Mozilla to actually disable these add-ons to begin with. I prevented the disabling by turning off the ability of the blocklist to disable this plugin and extension before re-starting the browser. I think that the same step might re-enable them but the only way to find out is to try.
To disable the blocklist, you have to open about:config. (Just type about:config into the address bar and hit enter.) From there, search for extensions.blocklist.enabled in the filter box, right click the resulting entry and toggle it to false.
Give it a shot. It may re-enable these items (but I fear that they may actually have to be re-installed which will be a pain.)
wmic qfe get hotfix … no such command. XP3.
Sounds like a good reason not to use FF. 🙁