Microsoft opens Firefox users to risk

p2pnet news view P2P | Security:- “Numerous” users and experts complained when Microsoft pushed the .NET Framework 3.5 Service Pack 1 (SP1) update to users last February, including Susan Bradley on the Windows Secrets newsletter.

Now, one of the flood of security bulletins Microsoft released yesterday impacts not only Internet Explorer (IE), but also Firefox with a “browse-and-get-owned” danger.

And it’s all down to a Microsoft plug-in pushed to Firefox users eight months ago in a Windows Update, says Computerworld.

“While the vulnerability is in an IE component, there is an attack vector for Firefox users as well,” say Microsoft engineers on Microsoft’s Security Research & Defense blog, admitting »»»

A browse-and-get-owned attack vector exists. All that is needed is for a user to be lured to a malicious website. Triggering this vulnerability involves the use of a malicious XBAP (XAML Browser Application). Please not [sic] that while this attack vector matches one of the attack vectors for MS09-061, the underlying vulnerability is different.  Here, the affected process is the Windows Presentation Foundation (WPF) hosting process, PresentationHost.exe.

While the vulnerability is in an IE component, there is an attack vector for Firefox users as well. The reason is that .NET Framework 3.5 SP1 installs a Windows Presentation Foundation plug-in in Firefox. (See pic).

Via this plug-in it is possible to launch XBAP, and reach this vulnerability, from within Firefox.

Particularly galling to users was, “once installed, the .NET add-on was virtually impossible to remove from Firefox,” says Computerworld, continuing »»»

The usual “Disable” and “Uninstall” buttons in Firefox’s add-on list were grayed out on all versions of Windows except Windows 7, leaving most users no alternative other than to root through the Windows registry, a potentially dangerous chore, since a misstep could cripple the PC. Several sites posted complicated directions on how to scrub the .NET add-on from Firefox, including Annoyances.org.

Annoyances also said the threat to Firefox users is serious. “This update adds to Firefox one of the most dangerous vulnerabilities present in all versions of Internet Explorer: the ability for Web sites to easily and quietly install software on your PC,” said the hints and tips site. “Since this design flaw is one of the reasons [why] you may have originally chosen to abandon IE in favor of a safer browser like Firefox, you may wish to remove this extension with all due haste.”

Specifically, the .NET plug-in switched on a Microsoft technology dubbed ClickOnce, which lets .NET apps automatically download and run inside other browsers.

What to do?

“Customers should apply MS09-054 as this addresses the underlying vulnerability for all users, both IE and Firefox,” says Microsoft, adding, “While you’re evaluating and testing your deployment of MS09-054, you may want to consider the following workarounds.

“For IE users, our recommended workaround is to disable XBAP in the Internet zone. By default, IE8 on Win2k8 and Win2k3 already has XBAP disabled in the internet zone. For others, you can disable XBAP via the following security setting in IE.

“For Firefox users with .NET Framework 3.5 installed, you may use ‘Tools’-> ‘Add-ons’ -> ‘Plugins’, select ‘Windows Presentation Foundation’, and click ‘Disable’.”
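A way for an administrator to check both workarounds quoted above from a console, added here as an example rather than code from Microsoft, Computerworld or p2pnet. It assumes the usual Firefox plug-in registration hive under HKLM\SOFTWARE\MozillaPlugins with the WPF entry named `@microsoft.com/WPF,version=3.5`, and that Internet Settings zone policy value 2400 in the Internet zone (zone 3) is the XBAP setting with 3 meaning "disable"; none of these registry details are given in the article, so confirm them on your own build.

```powershell
# Added audit script for the two MS SRD workarounds above (not Microsoft's own code).
# Registry locations and the 2400 policy value are ASSUMPTIONS about the usual Windows
# layout; the article does not give them, so confirm on your build before relying on this.

# Assumed: Firefox discovers NPAPI plug-ins registered under HKLM\SOFTWARE\MozillaPlugins;
# the .NET 3.5 SP1 WPF plug-in uses this entry name.
$WpfPluginKey = 'HKLM:\SOFTWARE\MozillaPlugins\@microsoft.com/WPF,version=3.5'

# Internet Settings zone 3 is the Internet zone; assumed: policy 2400 is
# ".NET Framework: XAML browser applications" (0 = enable, 1 = prompt, 3 = disable).
$InternetZone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$XbapPolicy   = '2400'

function Test-WpfFirefoxPlugin {
    # Reports whether the WPF plug-in is still registered for Firefox and which DLL it loads.
    if (Test-Path -Path $WpfPluginKey) {
        $dll = (Get-ItemProperty -Path $WpfPluginKey -ErrorAction SilentlyContinue).Path
        [PSCustomObject]@{ Check = 'Firefox WPF plug-in'; Registered = $true;  Detail = $dll }
    } else {
        [PSCustomObject]@{ Check = 'Firefox WPF plug-in'; Registered = $false; Detail = 'not registered' }
    }
}

function Test-XbapInternetZone {
    # Reads the per-user XBAP policy for the Internet zone and translates it to a state name.
    $value = (Get-ItemProperty -Path $InternetZone -Name $XbapPolicy -ErrorAction SilentlyContinue).$XbapPolicy
    if ($null -eq $value) {
        $state = 'not set (zone default applies)'
    } else {
        $state = switch ([int]$value) { 0 { 'enabled' } 1 { 'prompt' } 3 { 'disabled' } default { "unknown ($value)" } }
    }
    [PSCustomObject]@{ Check = 'IE Internet-zone XBAP'; Value = $value; State = $state }
}

Test-WpfFirefoxPlugin | Format-List
Test-XbapInternetZone | Format-List

# Remediation for the IE workaround (per-user, so no admin rights needed); uncomment to apply.
# Set-ItemProperty -Path $InternetZone -Name $XbapPolicy -Value 3 -Type DWord
```

The script only reads the registry unless the final line is uncommented; disabling the Firefox plug-in is still done through the Add-ons dialog as Microsoft describes.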

This is all very well for people who know what they’re up to, but most ordinary folks won’t have a clue, and that’s even if they know about this ‘dangerous vulnerability’.

Computerworld – Sneaky Microsoft plug-in puts Firefox users at risk, October 16, 2009



11 Responses to “Microsoft opens Firefox users to risk”

  1. Anonymous Says:

    The Microsoft code is so crappy that not only is IE 20 times slower and 7 times bigger than Firefox, but their SP not only messes up their own code but the code of others as well!

    Unbelievable!

    I mean come on:

    IE 8: 120MB of shit! Still unsecured, still buggy and still unstable.

    Firefox 3.5: 8MB, very stable and 20 times faster! I am not kidding! And it does the same thing and is more compliant with internet standards than IE.

    Another example:

    Windows Vista cut to the bone: boot time on a superfast machine (AMD quad core / Serial ATA 2-terabyte Seagate / 4GB DDR3): 1 minute 20 sec.

    Linux Ubuntu 3.2: < 29 sec.

    I mean really! Come On Microsoft!

  2. Anonymous Says:

    How many “security flaws” over the years have been the result of MS installing things that never should have been installed in the first place?

  3. Anonymous Says:

    lol, not surprised to see a MS hater post something like above.
    The funniest thing about all this is that everyone points their finger at MS instead of pointing it at the lowlifes that use the security hole to launch malicious code.

    But as a programmer I blame Firefox: why is it that their application is vulnerable to a Windows component? Or are they using Windows components instead of building their own, which would be the better practice when security is imperative?

  4. EE Says:

    “I blame Firefox, why is it that their application is vulnerable to a Windows component”

    I believe Microsoft made this specifically for Firefox. That’s like asking “why does something designed for Firefox work with Firefox?” Microsoft had no business modifying Firefox on our systems without explicitly asking.

  5. Irate Pirate Says:

    It is MS at fault. Why? Because MS code is acting in a slightly malicious way. When .Net is installed, it adds a Firefox plug-in without asking the user for permission. It isn’t a matter of Firefox using MS code at all. In fact the plug-in isn’t really required or necessary as far as I’m aware. The only thing Mozilla is guilty of is not making Firefox more self-aware of changes made to it by other programs. Quite normal really, as it’s usually only the security apps that have this kind of self-awareness built in. Hackers are exploiting a security hole in MS code, and just like them MS is exploiting a security hole in Mozilla’s code. Typical behavior for MS really and it makes me lol.

  6. Irate Pirate Says:

    PS: In addition to Firefox I also use Thunderbird, foobar2000, Tugzip, and The Gimp. The thing they all have in common is that they use plug-ins. If Microsoft had installed bad code into any one of them without my permission, would anger not still be a justified response?

  7. Dreddsnik Says:

    ” lol, not surprised to see a MS hater post something like above. ”

    Neither am I surprised to see a M$soft publicist post the drivel you spout.

    Microsoft has a very long history of pushing ‘patches’ that cause competitive apps to have problems. That’s actually the reason IE was ‘merged’ into Windows as an inseparable part of the OS. They were sued many years ago when they kept creating ‘patches’ that broke the Netscape browser, which at the time was the only real browser competition. Msoft pushed a patch, broke Netscape, Netscape patched to fix the problem, Msoft pushed another patch that broke Netscape etc. ad nauseam. They were sued and ordered to make Windows available with no browser. Msoft countered by making IE inseparable from the OS to get around the order.

    Yup, Microsoft knows better than anyone else how to ‘break’ competitive apps.

  8. Anonymous Says:

    The problem is that the MS OS itself is not secured.

  9. Anonymous Says:

    “Yup, Microsoft knows better than anyone else how to ‘break’ competitive apps.”

    The result of MS’s slosh corporate greed is that: shitty code that cannot stand the competition!

  10. Dreddsnik Says:

    “The problem is that the MS OS itself is not secured.”

    It’s ‘secured’ all right, but not the way you think.

    None of Msoft’s problems are accidents per se. Most of these ‘vulnerabilities’ are the direct result of backdoors that were deliberately built into the OS to allow Msoft and others with the cash to pay to be able to snoop on internet-connected systems.

    Their secret little backdoors are being found and used against them. Stop trying to snoop and close those backdoors, and just maybe there won’t be as many problems.

  11. Anonymous Says:

    “lol, not surprised to see a MS hater post something like above.”

    Let’s see…

    They added a preview pane to Outlook Express that would automatically launch any attachment, including executable files. Users then had to disable the preview pane and MS had to patch a security hole created by a “feature” that they never should have added in the first place.

    They added ActiveX to Internet Explorer to allow web sites to install and execute software. They then had to patch the gaping security hole that they created.

    They designed the WMV format with the ability to add browser triggers to videos, which automatically open a web browser and send it to a particular site. They then had to add options to Windows Media Player to disable these triggers.

    They created auto-run to automatically execute code on any disc or drive that’s connected to the system, paving the way for silent virus and malware installation. They then had to create patches and provide options for users to disable this huge security hole. Not only that, but you can’t even disable auto-run 100% on any version of Windows past 98. No matter what you do, there are still situations where auto-run will still execute the code on a disc/drive without asking.

    The key word being “automatically”. None of these things would be an issue if they stopped and asked the user’s permission, but they don’t, they just do it.

    “the funniest thing about all this is that everyone points their finger at MS instead of pointing it at the low life’s that use the security hole to launch malicious code.”

    Yeah, that’s because this isn’t some obscure bug that allows hackers to exploit an undocumented feature, it’s a piece of software designed to allow web sites to silently download and run software. MS has a long history of adding “features” that are tailor made to be exploited.

    It’s like a car company putting a button on the car’s door that will instantly unlock it, in case you lose your keys. You take one look at it and ask WTF were they thinking? What’s the point of even having a lock if there’s a way to instantly bypass it?
