Mozilla temporarily added the dangerous Microsoft .NET Framework Assistant add-on to its blacklist over the weekend, a move that effectively disabled the dangerous extension and plug-in for all Firefox users. However, after some clarifications from Redmond, the add-on was unblocked.
The move came in the wake of an admission from Microsoft that the add-on was exposing users to drive-by malware downloads via a remote code execution vulnerability.
Here’s the original explanation from Mozilla VP of engineering Mike Shaver explains:
> Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism. Microsoft agreed with the plan, and we put the blocklist entry live immediately. (Some users are already seeing it disabled, less than an hour after we added it!)
This Firefox add-on, which was added by Microsoft without the permission of end users, has been a source of controversy for months. It triggered a debate about whether vendors should add code to a rival browser without explicit disclosure — and permission — and prompted warnings about the security implications.
Those warnings became reality last week when Microsoft shipped a “critical” security bulletin with fixes for security problems in its own Internet Explorer browser — a flaw that presented an attack vector on Firefox because of the controversial .NET Framework extension.
This is not the first time Mozilla has used its blocklist mechanism to kill problematic extensions.
In addition to Microsoft, the blocklist also includes add-ons from anti-virus vendor AVG, Yahoo and Apple.
* Listen to our Big Story podcast where Shaver explains the decision-making process behind the moves.