Mozilla and Microsoft work together on WPFClickOnce plugins

 image Recently some friends mentioned that they saw Firefox had block-listed some Microsoft WPF\ClickOnce add-ons. As Mike Shaver (VP Engineering for the Mozilla) noted in his blog post, this action is the result of Mozilla and Microsoft working together to protect customers in relation to Security Update MS09-054.

I think it is very important for Microsoft and Mozilla to collaborate so actively to help protect customers… in this case we all agreed it made sense to add the Microsoft add-in to the block-list. We also heard clearly that many customers, especially enterprise customers are relying on this add-on for their daily work. As such Mozilla and Microsoft are working together to give these customers the best possible experience. Like Mike mentioned, as we learned more about MS09-054, we felt mutually good about re-enabling the clickonce addon and as this security fix hits market saturation, we expect to feel comfortable with re-enabling the WPF add-on as well.

We've heard loud and clear from customers how we need to work better with Mozilla around how our plug-ins and add-ons interact with Firefox. And I can promise you that our group will continue to collaborate with Mozilla to more proactively notify them of the effect of updates in the future to help ensure customers have interoperable solutions for their business needs.

I’d like to thank Mike and his team at Mozilla for their great work on this issue and look forward to working with them in the future.

Comments

  • Anonymous
    October 21, 2009
    The comment has been removed

  • Anonymous
    October 21, 2009
    The comment has been removed

  • Anonymous
    October 21, 2009
    @David Nelson Your analysis is fine until the point where you decide to blame just MSFT.  Why didn't Mozilla provide user options as you aptly pointed out?  Like I said, you were doing great until the hyperbole of "dragging Mozilla" got ramped up. I have seen the add-ons in question, and I don't use them, but I'm sure some people do and needed the functionality for those days.  Perhaps both companies will open up a little.

  • Anonymous
    October 21, 2009
    Yeah I agree there has got to be a better way than just uni-laterally disabling addons. It threw a curve ball into debugging firefox's Blinking Close Button Bug... which by the way is still an open bug. At least we know now .NET and WPF are not culprits for THAT BUG!

  • Anonymous
    October 21, 2009
    @Bertrand: we might if Adobe agreed that it was the best way to deal with a vulnerability, or to provide "safe cover" for an update to get deployed. @CGomez: we did, within 72 hours of the initial block -- we had to build the capability into our server software in a hurry, because of how the timeline played out.  Is it not overridable for you?

  • Anonymous
    October 21, 2009
    Brad, A big part of this problem is that Microsoft bypassed the standard Firefox plugin distribution mechanism.  A lot of people who never asked for .NET integration in Firefox were exposed to a security problem. Will Microsoft commit to NEVER AGAIN shipping a Firefox plugin via Windows Update?

  • Anonymous
    October 21, 2009
    @CGomez: I was able to enable the WPF plugin in my Firefox (3.5).  Anybody not able to re-enable the plugin?

  • Anonymous
    October 21, 2009
    Why so much of negativity here.. If a security flaw is discovered, it should immediately be addressed to - and thats what Microsoft and Firefox did in this instance. You(they) cannot afford to say 'there is a serious vulnerability and gee, all you enterprise customers or otherwise, we will have a fix coming in the next couple of days/weeks and hopefully your PCs wont be affected by the vulnerability'..

  • Anonymous
    October 21, 2009
    The comment has been removed

  • Anonymous
    October 21, 2009
    The comment has been removed

  • Anonymous
    October 22, 2009
    @CGomez, Don't get me wrong, I DO blame Mozilla. Both for not having a soft block option in the first place, and for choosing to block both the plugin and the extension when they knew it would disrupt their users. But this is not a Mozilla blog, and Brad doesn't work for Mozilla, so my comments on his blog were directed towards Microsoft's actions. Microsoft has already been roundly chastised for the way the plugin was rolled out in the first place. I have no interest in revisiting that tired discussion. My only interest at the moment is how both companies handled the situation they found themselves in on Friday the 16th. I do not believe that my comments were vitriolic, nor do I believe there was any hyperbole. I would thank you to point out where you believe you saw that in my comment. I offered my (admittedly strongly worded) analysis of what I believe was a critical error by both companies. Perhaps you are mistaking passion for vitriol? You say that they might yet announce some new policy after the incident is examined. Why would you believe that when both companies have stated repeatedly that they believe they did the right thing? The purpose of my comment is to help them understand that it is NEVER the right thing to unilaterally deny potentially critical functionality to end users. Ultimately what both companies need to understand is that it is not their job to decide for me that security should be at the top of my priority list. Security is a trade-off, and it is one that I am responsible for making for my organization. A vulnerability is discovered; ok, that's bad news, and it puts me in the position of having to make an unpleasant choice. But it is MY choice to make. I am responsible for weighing the risk of the vulnerability versus the effort of patching our systems versus the cost to my organization of having our critical workflows disrupted. Neither Mozilla nor Microsoft can make that decision for me. The fact that they chose to do so announced loud and clear that they believe they are better at determining security policy for my organization than I am. That is an unacceptable attitude, and I will not apologize for demanding that it be changed.

  • Anonymous
    October 22, 2009
    The comment has been removed

  • Anonymous
    October 22, 2009
    The comment has been removed

  • Anonymous
    October 22, 2009
    Great cooperation team work! Thanks

  • Anonymous
    October 22, 2009
    The comment has been removed