Sky not falling after the latest Firefox 3.5.2 dust-up with .NET plug-in
Mozilla Firefox users awoke this morning to the news in their RSS feeds that the organization had dared to send push notes to its users urging them to upgrade to a Web browser version that was, as the report put it, ".NET incompatible." Hopefully, Firefox veterans knew what was really going on.
Users who upgrade their Firefox versions a few times per month anyway have seen this all before, and have long since discovered there's no need to panic: Microsoft's .NET Framework Assistant add-on has a habit of showing up in users' Firefox plug-ins list without them even asking for it. Its purpose is not to make Firefox compatible with .NET -- anyone who's installed Silverlight 3 in Firefox knows that. What it does is give .NET apps designed to be run through the browser a kind of hook to the .NET runtime -- a hook that Internet Explorer includes by design -- so that these apps can check their servers and update themselves.
Again -- and this is important -- the plug-in does not make .NET compatible with Firefox. It enables the ClickOnce hook -- in fact, in the plug-ins list, that's exactly what the listing explicitly says.
It's not Mozilla's responsibility to maintain this plug-in, it's Microsoft's. In fact, the main problem that users have had with the plug-in up to this point has been that they didn't ask for it. Secondary to that has been the suspicion that ClickOnce could open up a channel for exploitability, letting software install itself on a PC without the user's permission. However, there's no evidence of such an exploit ever taking place; and technically, ClickOnce only enables the automatic installation of updates to the application making the contact.
But apparently Microsoft is not too adept in the practice of making Firefox add-ons, otherwise it wouldn't explicitly code the browser version number into its plug-in's attributes. If every plug-in were built that way, they'd all be rendered incompatible every time Mozilla issued an update. And then we'd have an opportunity for more fatalistic blog posts.
By the way, this incompatibility happens for us with every Firefox update, and eventually Microsoft gets around to issuing a security patch that includes an updated add-on. But in the meantime, we do not notice any functionality detriments or pitfalls in Firefox or .NET while the incompatible plug-in is disabled.