It's not just me - Firefox doesn't like Windows Presentation Foundation either

You may have seen this "Add-ons may be causing problems" window recently.

It seems that there's plenty of evidence to suggest that Microsoft's .NET Framework Assistant and WPF add-ons cause serious instability and can leave your computer vulnerable to remote code execution.

If I'd installed these add-ons, I'd say fair enough - uninstall them for now, wait until MS patch them, and install the patched versions.

I suppose I happened to visit a site with some (or lots) of Silverlight content. I was told that I needed these add-ons to allow the content to be displayed properly. I allowed them, restarted and the content was loaded. Presumably. To be honest, I don't even really remember doing it. Perhaps I didn't.

It seems that these pesky parasites latched on to my lovely browser when I installed .NET Framework 3.5 SP1. They are slipped in the back door, without so much as a by your leave. For most of us that have these add-ons, they were installed around February this year. That's eight months of risk.

So, there they were, and they were leaving our browsers vulnerable to crashes, and worse.
They're disabled now, and I'll be uninstalling them shortly. I'm not impressed that the warning came from Mozilla and not from Microsoft. I imagine that Mozilla noticed them in user-submitted crash reports and opened a ticket with Microsoft's security team to say that their .NET / WPF add-on / plugin was causing crashes. MS probably said it was a browser issue, for Mozilla to sort out, and so on...

You might like to take a look at Mozilla's list of dodgy add-ons - you'll also see the Apple QuickTime Plugin, v7.1.*, which also can allow remote code to be executed on your machine. I have version 7.6, so I guess that's safe, for now.

You can also view the details on these add-ons, and the .NET / WPF add-on thread on Bugzilla is especially illuminating. It pretty much says that Microsoft advised Mozilla to just go ahead and block the plug-in, probably because they missed it in the Patch Tuesday roll-up, and the next one is still some way away.

David Baron [:dbaron]  says:

It does show up in
http://people.mozilla.org/~dbaron/crash-stats/20090929-interesting-addons ,
although the correlations that show up aren't necessarily signs of causation. 
However, that shows that it's quite common in the wild: it's installed for the
users submitting 48% of our Windows crash reports on Firefox 3.5.3.

If Microsoft is recommending disabling it (all versions, or just some?) because
of security vulnerabilities, then I'd strongly support adding it to the
blocklist.

I'm was not too impressed that MS didn't quickly release a patch themselves - but reading further down in that thread, you can see that there is some doubt creeping in - perhaps they did?

George Robert said:

Is there a particular reason why these are being blocked two days after
Microsoft released a fix for this issue?

MS09-054 was released on 10/14/2009, which the linked technet article in
comment #23 very clearly states resolves this issue for both IE and Firefox

Yay! So I'm safe and I can enable it again? Well, no:

Matthias "matti" Versen said:

Read
http://blog.mozilla.com/security/2009/10/16/net-framework-assistant-blocked-to-disarm-security-vulnerability/
MS agreed to the plan to blocklist it according to the security post.

It seems that the reason they had to put a blanket ban on all versions of the WPF plugin, is because:
a) There is presently no way for Firefox to hook into the OS list of installed MS patches
b) MS don't bother putting version numbers on their WPF libraries - they are just called NPWPF.dll
c) MS didn't put a new version # on the WPF plugin or .NET add-on to indicate that it was downloaded / installed after the patch was applied

Ultimately, this decision to add them to the blocklist was arrived at by mutual consent, which is clearly stated by Mozilla's Mike Shaver. This is the final word on the matter, and I'm satisfied that Mozilla did the best they could in the situation, even if some administrators in the field who got Firefox approved as the browser of choice in their company, and use some of the affected technologies will be very put out.

So, tough luck for MS.  Now most Firefox users will have a slightly lower opinion of them than they did before and this is another setback for WPF, its advocates and users.

Oh, and while all you Firefox on Linux users are welcome to have a little chuckle about it, you'd better check if you have Moonlight 2.0 (BETA) installed first.

Further reading

• Sneaky Microsoft Add-on Put Firefox Users At Risk (it.slashdot.org)
• Dear Microsoft, please keep your lousy mitts off my Firefox install (downloadsquad.com)
• Object Lesson: Use Firefox? Don't Let Microsoft Install Anything In It! (lockergnome.com)
• Shady Microsoft Plugin Pokes "Critical" Hole In Firefox Security [Firefox] (gizmodo.com)
• Researcher sees Patch Tuesday nightmare (infoworld.com)
• Moonlight 2.0 goes beta (thaibrother.com)