Firefox hit the one
billion download mark in August and has 32% of the browser market
while IE holds about 60% of the market.
Mozilla and Microsoft are working
together on a security flaw in some Microsoft add-ons that affects
Firefox users. Mozilla reports that it
has blocked two Microsoft add-ons that were installed silently on
computers running the .NET Framework 3.5 SP1. The add-ons that
Mozilla is blocking are the .NET Framework Assistant and the Windows
Presentation Foundation component, because of a vulnerability that the
add-ons expose Firefox users to.
Mozilla VP of engineering Mike
Shaver wrote in a blog post, "Because of the difficulties some
users have had entirely removing the add-on, and because of the
severity of the risk it represents if not disabled, we contacted
Microsoft today to indicate that we were looking to disable the
extension and plug-in for all users via our blocklisting mechanism.
Microsoft agreed with the plan, and we put the blocklist entry live
The vulnerability in question is CVE-2009-2529,
which can be exploited when a Firefox user visits a malicious
website. The user only has to visit a website running malicious code
to be affected.
Microsoft wrote a blog post about the threat
saying, "Triggering this vulnerability involves the use of a
malicious XBAP (XAML Browser Application). Please note that while
this attack vector matches one of the attack vectors for MS09-061,
the underlying vulnerability is different. Here, the affected process
is the Windows Presentation Foundation (WPF) hosting process,
Microsoft says that Firefox users
with .NET Framework 3.5 installed can disable the add-ons by going to
'Tools' -> 'Add-ons' -> 'Plugins,' selecting 'Windows Presentation
Foundation,' and clicking 'Disable'. Those who have downloaded the
Microsoft patch are protected against the vulnerability as well.