Click-Once deployment suddenly stops working in FireFox!

If you or your users use FireFox, this morning, you and/or they got this message:

Firefox has determined that the following add-ons are known to cause stability or security problems

FireFox popped up this box, strangely, just as I was reading an article about WPF (Windows Presentation Foundation):


The first add-on is: “Microsoft .NET Framework Assistant 1.1”.

The second add-on is: “Windows Presentation Foundation 3.5.30729.1”

What or who does this affect?

It affects all Click-Once deployed applications and users that launch them with FireFox.  These are things like games for Windows written with XNA and deployed for launching from your browser, or any Windows application deployed to a web site to be launched via a URL (with Click-Once technology).  This is a VERY IMPORTANT technology that affects a LOT of products, companies, and end users (including myself) and should NOT have been disabled!!!

Why were these disabled?

The claim is that they provide remote code execution.  The problem is that this disabling may be wrong and your system may not be at risk at all.  The vulnerability is NOT in the plug-ins, but in the .NET framework itself (part of Windows), and not part of the add-ons or FireFox.  If you keep your Windows Updates updated, you most likely are NOT at risk, but FireFox cannot detect whether you’ve got the fix from Microsoft already installed, so it just disables it anyway.  The FireFox programmers were hair-trigger happy to get their fix out quickly (which they did).  Now, they have no way to determine whether your machine is vulnerable or not.  In short, it’s not FireFox’s responsibility to do anything about this since it’s NOT a security vulnerability in either FireFox itself or any of the plugins, but in the Operating System itself.

FireFox should be checking for either the hotfix or the version numbers of the DLLs in the OS that are affected.  At the moment, the current version of FireFox doesn’t have the ability to check system DLLs.  It will require an update to FireFox itself, which they should certainly do if they plan on globally, unilaterally disabling important functionality such as this, even on machines that DO NOT HAVE THE VULNERABILITY!!!!

Here’s how to tell if you’re really NOT at risk:

  • Open a command prompt (a.k.a. a “DOS Box”):
    • In Windows XP, open the start menu, choose “run” and type “cmd” in the run box and either hit [Enter] on your keyboard or click the “OK” button.
    • In Vista or Windows 7, hit the Windows key+R and type “cmd” in the run box and either hit [Enter] on your keyboard or click the “OK” button.
  • Type “wmic qfe get hotfixid” and hit [Enter].
  • You’ll get a list of 10 or so hot fixes already applied.  Look for KB974455.


If you don’t have this hotfix, just do a Windows Update to get it.
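
As an added example (not from the original post), the same check can be scripted in PowerShell instead of reading the wmic list by eye. The function name Test-HotFixInstalled is made up for illustration; Get-HotFix reads the same Win32_QuickFixEngineering data that wmic qfe lists, and a failed query is reported separately from a missing hotfix.

```powershell
# Added example, not the author's code. Test-HotFixInstalled is a hypothetical
# helper name; KB974455 is the hotfix the post tells you to look for.
function Test-HotFixInstalled {
    param(
        [Parameter(Mandatory = $true)][string[]]$Id,
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    foreach ($computer in $ComputerName) {
        $queryError = $null
        try {
            # Pull the full list once per machine, then test each KB against it.
            $installed = @(Get-HotFix -ComputerName $computer -ErrorAction Stop |
                Select-Object -ExpandProperty HotFixID)
        } catch {
            # Unreachable host, access denied, WMI failure: the answer is
            # "unknown", which must not be confused with "not installed".
            $installed  = @()
            $queryError = $_.Exception.Message
        }

        foreach ($kb in $Id) {
            New-Object PSObject -Property @{
                ComputerName = $computer
                HotFixID     = $kb
                # $null means the query failed; -contains is case-insensitive.
                Installed    = if ($queryError) { $null } else { $installed -contains $kb }
                Error        = $queryError
            }
        }
    }
}

# Check the local machine for the hotfix named in the post.
Test-HotFixInstalled -Id 'KB974455' |
    Format-Table ComputerName, HotFixID, Installed, Error -AutoSize
```

Pass several machine names to -ComputerName to run the same check across the machines you support.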

However, if you do already have this hotfix, then there’s no reason to let this be disabled, but there doesn’t seem to be any way to stop it from happening.  Please post a comment below if you know how.  FireFox disabled the add-ons for me, even though I do have the hotfix already on my machine.

According to Microsoft, anyone with automatic updates turned on should already have the fix, but FireFox does not detect whether or not your machine is already protected and disables the add-ons anyway, royally screwing any company that provides Click-Once deployed applications (like me), and their users, not to mention the help-desks of those companies.

If you want to manually apply the Microsoft hotfix, you should apply MS09-054.  If you understand what I just said, you don’t need instructions from me.

There does not appear to be a way to manually re-enable these add-ons.  If anyone knows of one, please, by all means, post it below.

Update (7:43 AM 10/19/2009):

Mozilla has finally come to their senses and realized that the Click-Once add-on was never vulnerable and has unblocked the Click-Once add-on.  Unfortunately, if yours was already blocked, it appears you have to fix it manually.  Pretty simple though.  Just go here:

https://addons.mozilla.org/en-US/firefox/addon/9449

Um… scratch that.  When I try to install it again, I get this:

image

Before I tried that, I tried doing an update (help/Check for updates) and it didn’t unblock it.  I’ll report back when I learn more…  Keep checking back.

Update:  Mozilla has unblocked both add-ons.  Your browser should have received the unblock instructions by now.  If not, read my comment below about changing the polling frequency.

I now consider this issue finally resolved.  Let’s hope Mozilla has updated their standards for how they choose to implement future blocks.