Microsoft's implementation of the liberal idea of a level playing field

[Fatman]

http://blogs.zdnet.com/security/?p=4614&tag=nl.e539

Microsoft exposes Firefox users to drive-by malware downloads

Posted by Ryan Naraine @ 9:24 am


Remember that Microsoft .NET Framework Assistant add-on that Microsoft sneaked into Firefox without explicit permission from end users?

Well, the code in that add-on has a serious code execution vulnerability that exposes Firefox users to the “browse and you’re owned” attacks that are typically used in drive-by malware downloads.

[ SEE: Patch Tuesday: MS plugs critical IE, Windows Media Player holes ]

The flaw was addressed in the MS09-054 bulletin that covered “critical” holes in Microsoft’s Internet Explorer but, as Redmond’s Security Research & Defense team explains, the drive-by download risk extends beyond Microsoft’s browser.

A browse-and-get-owned attack vector exists. All that is needed is for a user to be lured to a malicious website. Triggering this vulnerability involves the use of a malicious XBAP (XAML Browser Application). Please not that while this attack vector matches one of the attack vectors for MS09-061, the underlying vulnerability is different.  Here, the affected process is the Windows Presentation Foundation (WPF) hosting process, PresentationHost.exe.

While the vulnerability is in an IE component, there is an attack vector for Firefox users as well. The reason is that .NET Framework 3.5 SP1 installs a “Windows Presentation Foundation” plug-in in Firefox.

Now, Microsoft’s security folks are actually recommending that Firefox users uninstall the buggy add-on:

For Firefox users with .NET Framework 3.5 installed, you may use “Tools”-> “Add-ons” -> “Plugins”, select “Windows Presentation Foundation”, and click “Disable”.

This introduction of vulnerabilities in a competing browser is a colossal embarrassment for Microsoft.  At the time of the surreptitious installs, there were prescient warnings from many in the community about the security implications of introducing new code into browsers without the knowledge — and consent — of end users.
[SEE: Microsoft says Google Chrome Frame doubles IE attack surface ]

This episode also underscores some of the hypocrisy that has risen to the surface in the new browser wars.  When Google announced it would introduce a plug-in that runs Google Chrome inside Microsoft’s Internet Explorer, Microsoft whipped out the security card and warned that Google’s move increased IE’s attack surface.

“Given the security issues with plug-ins in general and Google Chrome in particular, Google Chrome Frame running as a plug-in has doubled the attach area for malware and malicious scripts. This is not a risk we would recommend our friends and families take.”

Of course, when it’s Microsoft introducing the security risk to other browsers (Silverlight, anyone?), we should all just grin and take it.

* Image via DevExpress.  Hat tip to Gregg Keizer.

[Pathfinder]

Shortly after my last set of 24 (24!!!!!) Windows upgrades - one of which was this one - I got a ping from Firefox saying that the .NET add-on had been disabled due to "incompatibility".

I guess the Mozilla universe was on top of this one.

[ericire12]

Hahaha.... I blocked it on mine!

[Fatman]

Yeah, it was installed on mine, then FF notified me it disabled it and wouldn't allow one other item to be installed.

[ericire12]

My firewall alerted me..... it looked weird..... so I did not grant it access.

[Sponsor]

[tombogan03884]

Yeah, it was installed on mine, then FF notified me it disabled it and wouldn't allow one other item to be installed.

Shortly after my last set of 24 (24!!!!!) Windows upgrades - one of which was this one - I got a ping from Firefox saying that the .NET add-on had been disabled due to "incompatibility".

I guess the Mozilla universe was on top of this one.

What they said

[Big Frank]

I'm not having any problems like that with Vista. I use McAfee site advisor too. As soon as a page opens it tells you if they have a problem with people trying to hack your browser, or if there are viruses waiting to be download.

[jaybet]

Ever notice how liberal new world order asshats like Bill Gates and George Soros are filthy rich and stay that way by screwing people? Bull****!

[philw]

no issues here