Before anyone starts removing the plugin , they should try using a ClickOnce application to see just how Hyped this report has been...
I deploy applications via ClickOnce and there is no issue here with the way its been designed or deployed by Microsoft, they have worked on ClickOnce for the last 10 years and it has had zero security vulnerability's in its entire history, basically because the Source-Code for the .net Framework is viewable on every system using a program called Reflector (
.NET Reflector, class browser, analyzer and decompiler for .NET).
Reflector is able to show you the Source Code to any .net framework based executable or dll file including the source to Microsoft's own .net Framework files, bugs and issues are found very early and if someone tried releasing a virus using ClickOnce, anyone can see the source code to their application.
Heres a screenshot of the System.Net.Security.dll found in the C:\Windows\Microsoft.NET\framework\ folder:
Heres a screenshot of an application Im developing for Sevenforums:
You can test your Firefox ClickOnce support Here: (by James Dobson)
ClickOnceTester
Testing Manual here: (by James Dobson)
FFClickOnce Testing Manual
By design, You see this security warning when applications are deployed via ClickOnce and also when the .net framework runs the application with low-rights, in that mode applications can not prompt for Elevation, can not access your entire system or make dangerous system changes.
ClickOnce applications have to request security permissions to do anything particularly nasty to your system. Yet this is not foolproof. A poor security configuration on your machine or a bug in the .NET Framework (none in the last 9 years) that could allow an application to do more than it should.
ClickOnce is blocked from being able to access system components, unless you have changed file ownership and reset file permissions to system files, then even restricted applications like ClickOnce will have full access to your system.
Seriously, ClickOnce is not a security issue unless you have changed the default security of system files