Archive for October 17th, 2009

Microsoft's blocklisted add-ons
Almost immediately after the news about a plugin by Microsoft compromising Firefox's security, Mozilla reacted by unleashing a "doomsday weapon": Plugin Blocklisting, a feature introduced more than one year ago in Firefox 3 and kept quiet so far, which allows any problematic add-on to be quickly disabled from a central location. So this morning many of us were greeted by an "Add-ons may be causing problems" window, announcing that the two "intruders from Redmond" had been put in custody.

Nice to see that the people in charge don't hesitate to deploy such a draconian countermeasure when it's needed, even though the Windows Presentation Foundation plugin and its .NET Framework Assistant accomplice are so obscure (the former) and controversial (the latter) that they won't be overly missed. It's hard to imagine the same treatment being delivered to Adobe's big ones any time soon, despite their zero-day exploit rates and the fact that too many browsers run outdated and vulnerable versions (BTW, did you check lately?).

However, many users wonder why Windows Update and other native installers (e.g. Skype or AVG) are allowed to bypass the warning dialog which usually asks for permission before installing a Firefox add-on. The obvious objection, though, is that when you run a certain OS or launch an executable, you're fully trusting the vendor, and therefore adding further warnings would be just a useless annoyance. Nonetheless, at least knowing that something has been added to your browser is surely desirable. I, for instance, wasn't aware of this "Windows Presentation Foundation" thing until this incident happened. Moreover, some of these "super add-ons" are quite difficult for the average user to uninstall. Fortunately, Mozilla acknowledges these as real problems, and they're being actively addressed.
