Microsoft's blocklisted add-ons
Almost immediately after the news about a plugin by Microsoft compromising Firefox's security, Mozilla reacted by unleashing a "doomsday weapon": Plugin Blocklisting, a feature introduced more than a year ago in Firefox 3 and kept quiet so far, which allows any problematic add-on to be quickly disabled from a central location. So this morning many of us have been greeted by an "Add-ons may be causing problems" window, announcing that the two "intruders from Redmond" had been put in custody.

Nice to see that the people in charge don't hesitate to deploy such a draconian countermeasure when it's needed, even though the Windows Presentation Foundation plugin and its .NET Framework Assistant accomplice are so obscure (the former) and controversial (the latter) that they won't be overly missed. It's hard to imagine the same treatment being delivered to Adobe's big ones any time soon, despite their zero-day exploit rates and the fact that too many browsers run outdated and vulnerable versions (BTW, did you check lately?).

However, many users wonder why Windows Update and other native installers (e.g. Skype or AVG) are allowed to bypass the warning dialog which usually asks for permission before installing a Firefox add-on. The obvious objection, though, is that when you run a certain OS or launch an executable, you're fully trusting the vendor, and therefore adding further warnings would be just a useless annoyance. Nevertheless, at least knowing that something has been added to your browser is surely desirable. I, for instance, wasn't aware of this "Windows Presentation Foundation" thing until this incident happened. Moreover, some of these "super add-ons" are quite difficult to uninstall for the average user. Fortunately, Mozilla acknowledges these as real problems, and they're being actively addressed.

15 Responses to “Firefox's Immune System”

  1. #1 Tim says:

    A great action by Mozilla :)
    This is one of the reasons that I use Firefox. It's quick with security fixes :D (also, are these temporary? xD)

  4. #4 exceed says:

    Giorgio, is there any way to prevent this "feature"?

  5. #5 Giorgio says:

    @exceed:
    Yes, open

    about:config

    and toggle the extensions.blocklist.enabled preference to false.
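    The preference named in the comment above is the kill switch for the central blocklist, so a defender auditing Firefox profiles wants to know when it has been turned off. The following is an added example, not code from the post or from NoScript: it parses the `user_pref(...)` lines of a Firefox prefs.js/user.js file and flags a profile where `extensions.blocklist.enabled` is false. The sample prefs content is constructed; only the preference name comes from the page.

```python
import re

# Firefox prefs.js / user.js lines look like: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Return {pref_name: value} for every user_pref line in the text.

    Values are converted to bool, str (quotes stripped) or int;
    anything else is kept as the raw token.
    """
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def blocklist_findings(prefs):
    """Report a profile whose central add-on blocklist has been disabled.

    The preference defaults to true, so a missing entry is not a finding.
    """
    findings = []
    if prefs.get("extensions.blocklist.enabled", True) is False:
        findings.append("extensions.blocklist.enabled=false: "
                        "central add-on blocklist is disabled")
    return findings


# Constructed sample prefs.js content (hypothetical, not from a real profile)
SAMPLE_PREFS = '''\
user_pref("app.update.lastUpdateTime.blocklist-background-update-timer", 1255766400);
user_pref("extensions.blocklist.enabled", false);
user_pref("browser.startup.homepage", "about:blank");
'''

if __name__ == "__main__":
    for finding in blocklist_findings(parse_prefs(SAMPLE_PREFS)):
        print(finding)
```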

  6. #6 exceed says:

    Thank you very much.

  7. #7 Zipper says:

    Google litters Firefox with plugins too. Apparently I've got the Google Earth plugin (don't want/need it, just Google Earth is fine), Google Update (don't know what it is), Google Updater (don't know what it is), Picasa (don't know what it is). The rest of the plugins I installed myself, with the exception of "2007 Microsoft Office system", the purpose of which is also clouded to me.

  8. #8 Bill says:

    IE8 in protected mode in Vista/7 is the most secure way of browsing the internet. I won't touch Firefox with a ten foot pole. Microsoft and .Net Framework rocks.

  9. #9 JB says:

    "Bill says:

    IE8 in protected mode in Vista/7 is the most secure way of browsing the internet. I won’t touch Firefox with a ten foot pole. Microsoft and .Net Framework rocks."

    Paid for by Microsoft.

  10. #10 Basti says:

    @JB (9)

    Bill Gates doesn't need to pay himself for promoting IE ;)

    No browser is safe.

  11. #11 Browsers Anon says:

    Update:
    So that bit of smiting didn't last long; it appears that those with patched installs, and that fabled animal "enterprise" were not comfortable about Firefox getting unilateral and decisive without giving them an easy button to re-enable their click-once stuff.
    A selection from the news feed
    http://news.google.com.au/news/story?cf=all&ned=tau&ncl=dBbwgnwHa3gf6fMeikJgk89857PiM&topic=t
    Take home summary: the .NET assistant lives again, but thankfully for the really clueless, the Infestation plugin remains blocklisted.
    And the quote from Shaver:
    "We (especially I) appreciate your patience and support as we work to keep our users safe and comfortable with all the tools at our disposal"
    Safe *and* comfortable? How likely is that ever going to be.

  12. #12 Tom T. says:

    This is why I get my MS Updates manually with Firefox, and not through IE or MS Update. With MS Update set to "notify, don't download or install" (the only sane setting) I would have to vet each one individually anyway, so if I'm going to do that, I might as well skip the ActiveX scan, the pushing for Service Pack 3 (opposed by my OEM), IE 7 and 8, etc., and just manually get each one that I decide I need.

    Anyone who uses a 400-MB pdf reader when a 4-MB reader does just as well (I use Foxit older version 2.0, with no native JavaScript support) is asking for 396 MB of attack surface and vulnerabilities. Adobe needs to be denigrated more widely on the web for its bloat, vulnerabilities, and once-every-three-months patches.

    BTW, at the recommended Fx plug-in check, I received this message:

    "You have JavaScript disabled or are using a browser without JavaScript. This Plugin Check page does not work without the *awesome* power of JavaScript. Please enable this Content Preference and reload the page.

    Or disable all your plugins and keep JavaScript disabled... you'd be in good company, that's how RMS rolls."

    (my emphasis on "awesome".)

    Yes, the power of JS is awesome, all right -- for evil as well as good. It doesn't seem appropriate for Mozilla to be touting it as Superman, nor to be sneering at users who browse with it disabled. I've seen many "JS-disabled" messages, but that's the second-worst one ever. I'd rather not bring up the worst one again. Cheers.

  13. #13 Anonymous Coward says:

    Defending an *ahem* extreme caution about active content on a blog?
    Love it ;)
    And of course retail doesn't rule the web either.
    http://geekz.co.uk/lovesraymond/archive/eric-buys-an-ipod

  14. #14 Wellington beef says:

    Yo, Giorgio, would you mind telling me why NoScript comes up with an update like every 5 minutes? It's pretty damn annoying, I restart my browser after downloading an update, and then when it restarts, there's ANOTHER update for NS. Could you make your updates a little less frequent? Thanks.

  15. #15 Giorgio says:

    @Wellington beef:
    After the last update (1.9.9.14) you've been greeted by this message:

    Why such a tight release schedule?
    Version 1.9.9.14 fixes a hard-to-reproduce but serious page loading issue reported by many.
    Thanks for your patience.

    That said, aside from this emergency update, you got just 3 updates in a month. It doesn't seem "like every 5 minutes" to me, but YMMV...
