backtop


Print 16 comment(s) - last by slimg00dy.. on Oct 25 at 5:04 PM

Add-ons blocked because of serious security vulnerability for Firefox users.

A war has been raging between different web browsers for a long time now. The two main combatants in the battle are Microsoft's Internet Explorer and Firefox from Mozilla. Microsoft is still in the lead in marketshare with IE, but Firefox is grabbing up a large portion of the market for itself.

Firefox hit the one billion download mark in August and has 32% of the browser market while IE holds about 60% of the market.

Mozilla and Microsoft are working together on a security flaw in some Microsoft add-ons that affects Firefox users. Mozilla reports that it has blocked two Microsoft add-ons installed silently for computers running the .NET Framework 3.5 SP1. The add-ons that Mozilla is blocking are the .NET Framework Assistant and Windows Presentation Foundation component because of a vulnerability that the add-ons allow for Firefox.

Mozilla VP of engineering Mike Shaver wrote in a blog post, "Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plug-in for all users via our blocklisting mechanism. Microsoft agreed with the plan, and we put the blocklist entry live immediately.”

The vulnerability in question is CVE-2009-2529 that allows an exploit when a Firefox user visits a malicious website. The user only has to visit a website running malicious code to be affected.

Microsoft wrote a blog post about the threat saying, "Triggering this vulnerability involves the use of a malicious XBAP (XAML Browser Application). Please note that while this attack vector matches one of the attack vectors for MS09-061, the underlying vulnerability is different. Here, the affected process is the Windows Presentation Foundation (WPF) hosting process, PresentationHost.exe."

Microsoft says that Firefox users with .NET Framework 3.5 installed can disable the add-ons by going to Tools'-> 'Add-ons' -> 'Plugins,' select 'Windows Presentation Foundation,' and click 'Disable'. Those who have downloaded the Microsoft patch are protected against the vulnerability as well.



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

I didn't know this was a political blog...
By lilliputawayy on 10/19/2009 4:06:04 PM , Rating: 1
What's Meghan McCain got to do with any of this?




By lilliputawayy on 10/19/2009 4:17:40 PM , Rating: 2
oh ok just had myself a closer look its moZILLa shirt


RE: I didn't know this was a political blog...
By Xavi3n on 10/20/2009 5:59:19 AM , Rating: 2
It's not Meghan McCain, but a porn star, with the firefox logo photo-shopped onto the shirt.


RE: I didn't know this was a political blog...
By Camikazi on 10/20/2009 5:16:41 PM , Rating: 3
The Firefox girl is Francesca Lee, not the porn star Francesca Le, 2 different people. Lee is a model and hasn't done any pornographic movies (least none for public viewing). Le on other other hand is an award winning starlet and porn director.


By cochy on 10/21/2009 1:48:55 PM , Rating: 2
Haha don't Google that name if you're on a company PC.


RE: I didn't know this was a political blog...
By FaaR on 10/21/2009 5:56:09 PM , Rating: 2
Whoever she is, she can block my addons anytime anywhere...

(Hereby endeth obligatory male schauvinist remark fired off each time a picture of a beautiful woman is shown on a web page with a commenting feature.)


By Camikazi on 10/22/2009 2:35:32 PM , Rating: 2
Wait... you WANT her to block your add-ons? Isn't that the opposite of what most want done? :P


By kattanna on 10/20/2009 10:55:21 AM , Rating: 2
while its not her.. have to say, she did look damn good in that twitter pic.


By slimg00dy on 10/25/2009 5:04:24 PM , Rating: 2
She is Francesca Lee but that image, the firefox logo was photoshopped.

http://pixdaus.com/single.php?id=100402


By slimg00dy on 10/25/2009 5:04:32 PM , Rating: 2
She is Francesca Lee but that image, the firefox logo was photoshopped.

http://pixdaus.com/single.php?id=100402


Nice
By damianrobertjones on 10/19/2009 9:45:35 AM , Rating: 5
Good to see that they're working together.

Good news for once. Thanks DailyTech




RE: Nice
By Gul Westfale on 10/19/09, Rating: -1
RE: Nice
By mfed3 on 10/19/2009 10:07:48 AM , Rating: 5
yes that is why it is discovered 2 years after .net 3.5 came out. that really makes a lot of business sense for microsoft to do as well.


RE: Nice
By Cypherdude1 on 10/19/2009 8:30:39 PM , Rating: 3
quote:
Microsoft says that Firefox users with .NET Framework 3.5 installed can disable the add-ons by going to Tools'-> 'Add-ons' -> 'Plugins,' select 'Windows Presentation Foundation,' and click 'Disable'. Those who have downloaded the Microsoft patch are protected against the vulnerability as well.
It would've been nice if DailyTech had told us where exactly this patch is located. Security patches are not always located at the Windows Update Site. Sometimes Microsoft security patches are located in M$'s security site. Also, if you download the M$ patch, can you re-enable the M$ .Net Framework Assistant 1.1 extension and the Windows Presentation Foundation plug-in? I installed these plug-ins because they were required. Two months ago I installed numerous software titles; I cannot remember exactly which software title depends on these plug-ins.

On 10/17/2009, I did receive Mozilla's block command while I was surfing. Both of these items were disabled. Since there are millions of FF 3.5.x users, the above information should've been asked of Mozilla and Microsoft. The above information should've been posted in this news story.


Ah no wonder why....
By MustangMike on 10/21/2009 7:32:09 PM , Rating: 2
I was wondering why it kept popping up about blocking Windows Presentation Foundation! Interesting to see why.




Nicer!
By R3T4rd on 10/19/09, Rating: -1
"Folks that want porn can buy an Android phone." -- Steve Jobs














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki