soeren says » Blog Archive » Extension in a strange land

Extension in a strange land

October 18th, 2009

On Friday, Mozilla blacklisted two Microsoft add-ons for Firefox: the .NET Framework Assistant extension, and the Windows Presentation Foundation plug-in. The latter of the two contains a security issue that has since been fixed as part of MS09-054. As far as I can tell, there was no such issue with the former.

What are these add-ons?

The two add-ons are related in that they both ship as part of .NET Framework 3.5 SP1¹, but unrelated in their purpose.

The .NET Framework Assistant allows ClickOnce applications to be installed (into a sandbox) and launched from Firefox. ClickOnce is comparable to Java Web Start, except that it works for applications written for .NET, not Java. Without the “assistant”, you can still download the .application manifest file (an XML-based file format including a digital signature and a URL pointing to the actual application binaries and resources) and launch it afterwards, but if the name wasn’t a giveaway, seamlessness is the very point of ClickOnce.
Windows Presentation Foundation (WPF) is the new GUI toolkit for .NET, replacing Windows Forms. A subset of WPF wrapped inside a sandbox was originally known as WPF/e (for “everywhere”) and later on branded as Silverlight. This plug-in, however, is for the full WPF, except also for applications running in a sandbox. It’s as confusing as it sounds.

The latter is where the vulnerability occurred; due to the existence of the plug-in, it affected Firefox.

Why do I have those add-ons? Why can’t I uninstall them?

In a controversial move, they were bundled with .NET Framework 3.5 SP1. There is no way of customizing the install² such that you skip those add-ons.

As for uninstallation, the story is once again different for the two:

The original version of the .NET Framework Assistant can’t be uninstalled from within Firefox due to its method of installation. Reasonably, it is installed system-wide (just like .NET itself is system-wide). Unfortunately, while Mozilla provides a developer-level guide for doing so (using the Windows Registry), it doesn’t provide a user-level one for undoing so. Presumably, Firefox would have to provide an external application that is launched with administrator privileges (and therefore, an user rights elevation dialog to launch it) in order to change or remove the installation. The button isn’t missing for some conspiratory reason on Microsoft’s part, but because of what is arguably a missing capability in Firefox. Uninstallation could be done by manually removing the Registry entry.

In a later update, Microsoft changed the extension to be installed per-user. This allows uninstalling (although only for yourself!) from within Firefox.
As Windows Presentation Foundation is a plug-in, it cannot be uninstalled from Firefox at all. Again, this is something Firefox doesn’t support, not something Microsoft went ouf ot their way to prevent.

So, what now?

The vulnerability has been fixed, but only two days before Mozilla decided to blacklist the extension. Problematically, many users are known to wait days, months or sometimes millennia³ to install patches, whether out of a (sometimes rational) fear that they will break other things, because they don’t have permission or knowledge to do so, or for other reasons.

Unfortunately, even if you do have the patch installed, the add-ons are still blacklisted. As I understand it, the add-ons’ versions⁴ haven’t changed from the patch, so Mozilla is unable to verify that you do in fact have them patched. While it is possible to query Windows Update for what patches are installed, such code would presumably require an update to Firefox itself.

Two things trouble me more: from what I can see, the first add-on did in fact not have a vulnerability at all, so ClickOnce support is currently broken in Firefox for what appears to be no actual reason. Second, Mike Shaver claims that “Microsoft is recommending that all users disable the add-on.”, but my reading of their blog entry suggests that, as long as you have the patch installed, you don’t need to disable the add-on at all.

Which should have been named 3.6, as it adds some completely new features, such as the ADO.NET Entity Framework. ↩
To my knowledge, that is. ↩
Hyperbole included. ↩
Or the UUID? ↩

Posted in Uncategorized

Share No Comments

Your Own Thoughts

I'd love to hear your input. Just try to stick to a few rules:

Please, think before you post. It's not a chatroom — you have plenty of time to avoid gratuitous abbreviations (no "u" for "you", please) and to proofread. Everyone benefits from comments which have had an extra minute of thinking.
Though I virtually never delete a comment, I do reserve the right to do so for ones I deem irrelevant, unthoughtful, as trolling or as flaming, or otherwise hostile.
Unfortunately, you cannot currently edit. When necessary, do feel free to double-post; I will merge your posts together, and correct mistakes for you if you so wish.
Likewise, you cannot delete. You can, however, ask me to do it by contacting me. Please only do so if truly necessary.
I reserve the right not to approve comments with bogus names or e-mail addresses, but will typically leave them published as well.

Before you comment for the first time (or, after you have deleted cookies), you will have to answer a little challenge to prove that you are not a spammer.

Comments are written in Markdown.