Mozilla blocks Microsoft's sneaky Firefox plug-in
Triggers rarely-used blocking feature to protect users from attack
Computerworld - Mozilla late Friday blocked the Microsoft-made software that put Firefox users at risk from attack.
The two-part Microsoft component -- an add-on dubbed ".NET Framework Assistant" and a plug-in named "Windows Presentation Foundation" -- have been blocked by Mozilla as a precautionary measure, said Mike Shaver, the company's head of engineering.
"Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plug-in for all users via our blocklisting mechanism," Shaver said in an announcement posted Friday night to the company's security blog.
Mozilla maintains an add-on/plug-in blocking list that automatically bars risky software from being used by Firefox. The open-source company first used the blocker in 2007. Mozilla has used the tool only nine times, including Friday's blocking of the Microsoft add-on and plug-in. In May 2008, Mozilla added a Vietnamese language pack for Firefox to the blocking list when the pack was found to contain a worm.
According to Shaver, Microsoft gave Mozilla the go-ahead to block the .Net Framework Assistant and the Windows Presentation Foundation.
Last week, Microsoft's security team acknowledged that its software -- which had been silently installed in Firefox as far back as February 2009 -- contained a critical vulnerability that could be used by hackers to hijack Windows PCs. The same vulnerability also affects all versions of Internet Explorer (IE), including the newest version, IE8.
Microsoft maintained that users who applied the patches it issued last week as part of a record-setting security update would protect Firefox users from attack. However, the MS09-054 bulletin, which provided details on the vulnerability, said nothing about Firefox. Later last Tuesday, Microsoft expanded on MS09-054 in a blog post by security engineers, and confirmed that Firefox was affected because of the add-on and plug-in.
Mozilla clearly felt that that was not enough, and took the unusual step of blocking the Microsoft add-on and plug-in. Multiple Computerworld staffers have confirmed that Firefox is now blocking the Microsoft software. "These add-ons have a high risk of causing stability or security problems and have been blocked, but a restart is required to disable them completely," the Firefox warning message reads.
The history of the .Net Framework Assistant and Windows Presentation Foundation software is tangled and contentious. Firefox users complained last February, and then again in May, when they found out that Microsoft had pushed the components to their browser as part of the .NET Framework 3.5 Service Pack 1 (SP1) update, which was delivered via Windows Update.
Users were furious that the software was installed without their approval. To add salt to the wound, the components were impossible to uninstall without editing the Windows registry, a chore most users avoid because any misstep could cripple the PC. Later, Microsoft issued a follow-on update that made it possible to uninstall or disable the components without a registry edit.
Mozilla has been aggressively pursuing risky add-ons and plug-ins of late. Last month, it warned Firefox users running outdated versions of Adobe's Flash Player to upgrade, then last week added a more thorough plug-in checking service to its arsenal.
The next edition of the browser, Firefox 3.6, will warn users when they visit a Web site that relies on one or more outdated plug-ins. A beta of Firefox 3.6 is set to launch Wednesday.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts