Mozilla has now unblocked a Microsoft add-on thought to pose a danger due to a software vulnerability, but a second add-on remains blocked, the organization said on Sunday.
Microsoft has confirmed that the .NET Framework Assistant add-on can’t be used as a “mechanism” for exploiting a vulnerability in Internet Explorer (IE), wrote Mike Shaver, Mozilla’s vice president of engineering, on Sunday. The add-on enables what’s called “ClickOnce” support, a Microsoft technology for application deployment.
Mozilla is updating its list of blocked add-ons, and it should be re-enabled for those users who had it enabled in the first place, Shaver said.
Mozilla blocked the Framework Assistant last Friday. Earlier in the week, Microsoft warned that Firefox users were vulnerable to an attack because of a problem in the add-on if users had not applied the MS09-054 IE patch. Mozilla consulted Microsoft before implementing the block.
Still blocked is the Windows Presentation Foundation (WPF) add-on, but Mozilla is working on an alternative for users.
“We’re hard at work on improving the experience for (especially enterprise) users who wish to override the blocking of the WPF plugin before we remove it from the blocklist, and I’m working on a post to clarify the events of the past few days,” Shaver wrote. “We (especially I) appreciate your patience and support as we work to keep our users safe and comfortable with all the tools at our disposal.”
Microsoft landed in hot water earlier this year when it pushed out the Framework Assistant add-on as part of a service pack for its .Net application framework. Users complained since they couldn’t uninstall the plugin using the normal Firefox menu.
Microsoft later released an update allowing users to remove the add-on through Firefox rather than fiddling with the Windows registry.