Firefox blocking add-ons AFTER they've been fixed - what gives?

SeanW

Ok, about an hour ago, I got a Firefox prompt saying that two add-ons had been disabled. I clicked it's "More Information" link and found out that two addons related to Microsoft's .NET platform, were added to the Mozilla blocklist because they presented a possible attack vector for hackers.
The Add Ons are
Microsoft .NET Framework Assistant 1.1
Windows Presentation Foundation

The probelm is that not only did the More Information link inappropriately use a "https://" prefix, but additionally I read that the issue has already been fixed and anyone who has Automatic Updates fully on would have had these components made perfectly safe some time ago.

Now, Automatic Updates presented me with a zillion critical security patches some days ago, and of course I used them. So while I can understand that the Mozilla people could rightly be pissed off that these things were added to Firefox surreptitiously in the beginning, I really don't understand why they started this blocking deal AFTER a patch had been released and any half-competently managed computer had updated, AND they offer no choice for the user to tell whether it makes sense to block the add-ons or not.

I don't give a toss because I don't use the plugins in question, but I understand there are some enterprise people who do ... wtf? I thought the Mozilla crew were some fairly smart guys (after all, they made FireFox ) but this makes one wonder.

https://bugzilla.mozilla.org/show_bug.cgi?id=522777

Overheal

Theyre smart.

Theyre also Pissed.

http://gizmodo.com/5383413/shady-microsoft-plugin-pokes-critical-hole-in-firefox-security

SeanW

Overheal wrote: »

Theyre also Pissed.

And understandably, from what I've read. But isn't this no-prompt block just cutting your nose off to spite your face?

From what I've read so far, there are some enterprise users who - having custom software and special requirements - had come to trust FireFox (and the Add On in question) for and with their business. I can quite imagine there will be a number of such enterprises waking up Monday morning to some major headaches, followed shortly thereafter by IT departments removing FF and replacing it with Internet Explorer :mad:

I don't think the Mozilla people have really thought this through.

Snowbat

Mike Shaver {VP Engineering, Mozilla Corporation) posted on Slashdot:

I (Mike Shaver) am the person who spoke with the person at Microsoft. I'm not going to name them, because that's not my place, but this was not a case of us sticking it to Microsoft -- it was a case of us protecting our mutual users, with their agreement. We're working (today, as I type this) on ways to make the blocklist entry less disruptive for people who have their systems patched up. If we had known about the vulnerability before it was publicly disclosed, we could have done a lot more to make it smooth for users, but timing left us with an unpleasantly reduced set of options.

and in response to a similar enterprise concern:

I believe that by tomorrow you will have a number of options, though switching browsers is certainly one of them. I hope to post an update to our security blog about it tonight.

(Do your boxes depend on the WPF plugin or the ClickOnce add-on, out of curiosity? And can I ask what you did before Windows .NET Framework 3.5 SP1 installed this plugin? Or are all the apps in question more recent than February? Genuinely interested, trying to learn more about the scope of people's use here.)