The plot thickens! Mozilla has now put Microsoft’s “stealth” Firefox plugin (that I wrote about most recently yesterday) on its “block list”, to prevent its being installed, and to disable it for users who may have already installed it. Many Firefox users (on Windows) may have gotten a pop-up message like this:
According to Microsoft, if the user has applied one of the security patches released earlier this week, the MS09-054 update for Internet Explorer, the plugin should be safe. (Microsoft had previously admitted that the plugin effectively added an Internet Explorer vulnerability to Firefox.)
Mozilla, in their “Security Blog” post on the action, says that they cleared the removal action with Microsoft before putting the block list entry in place.
Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism. Microsoft agreed with the plan, and we put the blocklist entry live immediately.
The vulnerability introduced to Firefox by the plug-in was a severe security risk. I accept that Microsoft in good faith thinks that their patch repaired the flaw, but I would still deep-six the plugin. Its only value is to enable the use of content written to be exclusive to Internet Explorer, which you can probably live without. (I have been using Firefox on Linux for 6+ years, and seem to be getting along OK.)
PC World also has an article on this.
Update Sunday, October 18, 13:00
Update Monday, October 19, 10:58
There is also an article at Ars Technica about this kerfuffle. According to the article, Mozilla has blocked all versions of the plugin, because they can’t tell the patched from unpatched versions:
Adding the plugin to a blocklist seems reasonable in light of the risk that this security vulnerability poses to users, but it’s a very blunt weapon. Microsoft apparently doesn’t properly maintain version numbers in the plugin, so Mozilla has no way to selectively target the block to the insecure version.
As I said earlier, I don’t think the function provided by the plug-in is a great loss; but wouldn’t it be nice if the vendors could all agree to abide by standards?
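To show concretely why the version problem forces a blanket block, here is an added illustration (mine, not Mozilla's blocklist code or data): a minimal version-range blocklist matcher applied to two constructed plugins, one that bumps its version when patched and one that ships the patched build under the same version string; "example-plugin", the version numbers and the build labels are all made up for the example.

```python
"""Version-range blocklisting, and why it turns blunt when a vendor does
not bump the plugin version. Constructed example; names, versions and
entries are illustrative, not Mozilla's blocklist data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn "1.0.3" into (1, 0, 3) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class BlockEntry:
    """One blocklist rule: a plugin name plus an optional version range."""
    name: str
    min_version: Optional[str] = None  # None = no lower bound
    max_version: Optional[str] = None  # None = no upper bound

    def matches(self, name: str, version: str) -> bool:
        if name != self.name:
            return False
        v = parse_version(version)
        if self.min_version is not None and v < parse_version(self.min_version):
            return False
        if self.max_version is not None and v > parse_version(self.max_version):
            return False
        return True


def blocked_builds(entry: BlockEntry, builds: Dict[str, str]) -> List[str]:
    """Apply one entry to observed builds {label: version}; return labels it disables."""
    return [label for label, ver in builds.items() if entry.matches(entry.name, ver)]


def can_separate(builds: Dict[str, str]) -> bool:
    """True only if some version range could block 'vulnerable' yet spare 'patched'."""
    return parse_version(builds["vulnerable"]) != parse_version(builds["patched"])


# Constructed data: a plugin that bumps its version when patched ...
WELL_VERSIONED = {"vulnerable": "1.0", "patched": "1.1"}
# ... and one whose patched build reports the same version as the vulnerable one.
UNVERSIONED = {"vulnerable": "1.0", "patched": "1.0"}

# Targeted rule: disable only builds up to and including 1.0.
TARGETED = BlockEntry("example-plugin", max_version="1.0")
# Blunt rule: no version bounds at all, so every build is disabled.
BLANKET = BlockEntry("example-plugin")
```

With the well-versioned plugin the targeted rule disables only the vulnerable build; with the unversioned one the same rule disables both, and no range can do better, which is exactly the situation that leaves the blanket entry as the only option.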