p2pnet news view P2P | Security:- “Numerous” users and experts complained when Microsoft pushed the .NET Framework 3.5 Service Pack 1 (SP1) update to users last February, including Susan Bradley on the Windows Secrets newsletter.
Now, one of the flood of security bulletins Microsoft released yesterday impacts not only Internet Explorer (IE), but also Firefox with a “browse-and-get-owned” danger.
And it’s all down to a Microsoft plug-in pushed to Firefox users eight months ago in a Windows Update, says Computerworld.
“While the vulnerability is in an IE component, there is an attack vector for Firefox users as well,” say Microsoft engineers on Microsoft’s Security Research & Defense blog, admitting »»»
A browse-and-get-owned attack vector exists. All that is needed is for a user to be lured to a malicious website. Triggering this vulnerability involves the use of a malicious XBAP (XAML Browser Application). Please not [sic] that while this attack vector matches one of the attack vectors for MS09-061, the underlying vulnerability is different. Here, the affected process is the Windows Presentation Foundation (WPF) hosting process, PresentationHost.exe.
While the vulnerability is in an IE component, there is an attack vector for Firefox users as well. The reason is that .NET Framework 3.5 SP1 installs a Windows Presentation Foundation plug-in in Firefox. (See pic).
Via this plug-in it is possible to launch XBAP, and reach this vulnerability, from within Firefox.
Particularly galling to users was, “once installed, the .NET add-on was virtually impossible to remove from Firefox,” says Computerworld, continuing »»»
The usual “Disable” and “Uninstall” buttons in Firefox’s add-on list were grayed out on all versions of Windows except Windows 7, leaving most users no alternative other than to root through the Windows registry, a potentially dangerous chore, since a misstep could cripple the PC. Several sites posted complicated directions on how to scrub the .NET add-on from Firefox, including Annoyances.org.
Annoyances also said the threat to Firefox users is serious. “This update adds to Firefox one of the most dangerous vulnerabilities present in all versions of Internet Explorer: the ability for Web sites to easily and quietly install software on your PC,” said the hints and tips site. “Since this design flaw is one of the reasons [why] you may have originally chosen to abandon IE in favor of a safer browser like Firefox, you may wish to remove this extension with all due haste.”
Specifically, the.NET plug-in switched on a Microsoft technology dubbed ClickOnce, which lets .NET apps automatically download and run inside other browsers.
What to do?
“Customers should apply MS09-054 as this addresses the underlying vulnerability for all users, both IE and Firefox,” says Microsoft, adding, “While you’re evaluating and testing your deployment of MS09-054, you may want to consider the following workarounds.
“For IE users, our recommended workaround is to disable XBAP in the Internet zone. By default, IE8 on Win2k8 and Win2k3 already has XBAP disabled in the internet zone. For others, you can disable XBAP via the following security setting in IE.
“For Firefox users with .NET Framework 3.5 installed, you may use ‘Tools’-> ‘Add-ons’ -> ‘Plugins’, select ‘Windows Presentation Foundation’, and click ‘Disable’.”
This is all very well for people who know what they’re up to, but most ordinary folks won’t have a clue, and that’s even if they know about this ‘dangerous vulnerability’.
Computerworld – Sneaky Microsoft plug-in puts Firefox users at risk, October 16, 2009
Use free p2pnet newsfeeds for your site. It`s really easy!
Subscribe to p2pnet.net | | rss feed: http://p2pnet.net/p2p.rss | | Mobile – http://p2pnet.net/index-wml.php
Net access blocked by government restrictions? Use Psiphon from the Citizen Lab at the University of Toronto. Go here for details.