Wednesday, October 21, 2009

Firefox Locks Out Microsoft's App Dev Tech



Developers who use Firefox found themselves without some Microsoft add-ons after Mozilla blocked them due to security concerns. Browser access to one of the tools, .Net Framework Assistant, has been restored. The companies are working together to come up with a way to safely reopen access to Windows Presentation Foundation.
Microsoft technology used to program applications that can be accessed through a browser continued to be blocked for Firefox users Monday.
Mozilla had been blocking two Microsoft plug-ins after the discovery that Microsoft's .Net 3.5 SP1 install silently adds a plug-in to Firefox allowing the surreptitious launch of a malicious XAML browser application that could take over infected machines.
One add-on, the Windows Presentation Foundation, aids programmers in developing applications using Microsoft technologies, including Silverlight, that can be accessed via a browser. It remains blocked, but Mozilla Vice President of Engineering Mike Shaver wrote in a blog posting on Sunday that the Firefox team is working to find an alternative.

Restoration Timing Uncertain

Mozilla initially blocked Microsoft's .Net Framework Assistant as well, but reversed that policy after speaking with Microsoft engineers over the weekend and learning that it does not provide access to the same vulnerability.
The current blockade is redundant for users who have already applied Microsoft's patch for the vulnerability, which rolled out Oct. 12 as part of what Microsoft described as its largest vulnerability patch of 2009.
Although Microsoft has patched against the vulnerability, it's unclear when the Windows Presentation Foundation access will be restored.
Mozilla's press office did not return an email message seeking comment by deadline for this article.

Microsoft's Misbehavior

Most home users likely didn't notice anything more than an odd security warning when they fired up their browsers, but some may have encountered malfunctioning Web apps. Also, some enterprise users and designers may have faced trouble accessing custom applications and design capabilities through Firefox with the technologies blocked, said Wolfgang Kandek, CTO of Qualys, a vulnerability management company.
This is the second time this year Microsoft has been called out for silently installing plug-ins into Firefox. The first time was when the company included the Framework Assistant add-on in a service pack for the .Net application framework without alerting users.
"That normally is not considered to be good behavior," Kandek told the press.
Microsoft didn't respond to requests for comment by deadline.

Cooperation Between Competitors


While it appears that Mozilla initially overreacted in blocking the .Net Framework assistant, which is necessary for many third-party applications to run, it restored access to the plug-in quickly.
Mozilla and Microsoft appear to be working well together to address the issue for the benefit of users, Kandek said.
"I thought it was a great example of cooperation between two companies that are competing a lot," he said.