Microsoft exposes Firefox users to drive-by malware downloads

Summary: The Windows Presentation Foundation plug-in that .NET Framework 3.5 SP1 slipped into Firefox, alongside the .NET Framework Assistant add-on Microsoft installed without permission from end users, hands attackers a drive-by code execution path into Firefox. The flaw is the one patched in MS09-054.


Remember that Microsoft .NET Framework Assistant add-on that Microsoft sneaked into Firefox without explicit permission from end users?

Well, the same .NET Framework 3.5 SP1 install that planted the add-on also dropped a "Windows Presentation Foundation" plug-in into Firefox, and that plug-in exposes a serious code execution vulnerability to Firefox users: the "browse and you're owned" attacks that are typically used in drive-by malware downloads.


The flaw was patched in the MS09-054 bulletin, which covered "critical" holes in Microsoft's Internet Explorer, but, as Redmond's Security Research & Defense team explains, the drive-by download risk extends beyond Microsoft's browser:

A browse-and-get-owned attack vector exists. All that is needed is for a user to be lured to a malicious website. Triggering this vulnerability involves the use of a malicious XBAP (XAML Browser Application). Please note that while this attack vector matches one of the attack vectors for MS09-061, the underlying vulnerability is different. Here, the affected process is the Windows Presentation Foundation (WPF) hosting process, PresentationHost.exe.

While the vulnerability is in an IE component, there is an attack vector for Firefox users as well. The reason is that .NET Framework 3.5 SP1 installs a “Windows Presentation Foundation” plug-in in Firefox.

Now, Microsoft's security folks are actually recommending that Firefox users disable the plug-in that Microsoft itself installed:

For Firefox users with .NET Framework 3.5 installed, you may use “Tools”-> “Add-ons” -> “Plugins”, select “Windows Presentation Foundation”, and click “Disable”.
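Clicking "Disable" works for one profile on one machine. To find the exposure across a fleet, here is an added example (not part of the original post, and not Microsoft's guidance) in PowerShell that audits a Windows host for the Firefox plug-in and add-on registrations that .NET Framework 3.5 SP1 creates. The registry roots are the locations Firefox on Windows scans for machine-wide NPAPI plug-ins and extensions; the WPF plug-in key name and the Assistant extension id are assumptions drawn from how .NET 3.5 SP1 registered these components, so confirm them on a reference machine before trusting the output.

```powershell
# Added example, not from the original article or from Microsoft.
# Audits one Windows host for the Firefox registrations that expose the
# MS09-054 XBAP attack vector: the "Windows Presentation Foundation" NPAPI
# plug-in and, for completeness, the .NET Framework Assistant extension.
#
# Assumptions (verify on your own build):
#   * Firefox discovers machine-wide NPAPI plug-ins from
#     HKLM\SOFTWARE\MozillaPlugins\<id>\Path (WOW6432Node mirror on x64).
#   * The WPF plug-in registers as "@microsoft.com/WPF,version=3.5" and the
#     Assistant extension under HKLM\SOFTWARE\Mozilla\Firefox\Extensions with
#     the id below. Both names are assumptions here, hence the loose matching.

$pluginRoots = @(
    'HKLM:\SOFTWARE\MozillaPlugins',
    'HKLM:\SOFTWARE\Wow6432Node\MozillaPlugins'
)
$extensionRoots = @(
    'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions',
    'HKLM:\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions'
)
$assistantId = '{20a82645-c095-46ed-80e3-08825760534b}'   # assumed extension id

function Get-FirefoxWpfPlugin {
    # One object per registered plug-in whose key name or on-disk path points
    # at WPF, with whether the plug-in DLL is actually present.
    foreach ($root in $pluginRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $path = (Get-ItemProperty -Path $key.PSPath -Name Path -ErrorAction SilentlyContinue).Path
            if ($key.PSChildName -like '*WPF*' -or $path -like '*Windows Presentation Foundation*') {
                [pscustomobject]@{
                    RegistryKey = $key.PSPath
                    PluginPath  = $path
                    DllPresent  = [bool]($path -and (Test-Path $path))
                }
            }
        }
    }
}

function Get-FirefoxDotNetAssistant {
    # Machine-wide registration of the Assistant add-on (value name = extension id).
    foreach ($root in $extensionRoots) {
        if (-not (Test-Path $root)) { continue }
        $dir = (Get-ItemProperty -Path $root -ErrorAction SilentlyContinue).$assistantId
        if ($dir) {
            [pscustomobject]@{
                RegistryKey   = $root
                ExtensionPath = $dir
                DirPresent    = [bool](Test-Path $dir)
            }
        }
    }
}

$wpf  = @(Get-FirefoxWpfPlugin)
$asst = @(Get-FirefoxDotNetAssistant)

if ($wpf.Count -eq 0) {
    Write-Output 'No WPF (XBAP) plug-in is registered for Firefox on this host.'
} else {
    Write-Output 'WPF plug-in registered for Firefox: this host carries the MS09-054 Firefox attack vector.'
    $wpf | Format-Table -AutoSize
}
if ($asst.Count -gt 0) {
    Write-Output '.NET Framework Assistant extension is also registered machine-wide:'
    $asst | Format-Table -AutoSize
}
```

Run it from an elevated prompt. A hit means the host can hand a malicious XBAP to PresentationHost.exe from Firefox, exactly the vector Microsoft describes above. Because the "Disable" click in Firefox is stored per profile, the durable fix for a fleet is deploying the MS09-054 update rather than relying on each user to find the Plugins tab.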

This introduction of vulnerabilities in a competing browser is a colossal embarrassment for Microsoft.  At the time of the surreptitious installs, there were prescient warnings from many in the community about the security implications of introducing new code into browsers without the knowledge -- and consent -- of end users.


This episode also underscores some of the hypocrisy that has risen to the surface in the new browser wars.  When Google announced it would introduce a plug-in that runs Google Chrome inside Microsoft’s Internet Explorer, Microsoft whipped out the security card and warned that Google's move increased IE's attack surface.

“Given the security issues with plug-ins in general and Google Chrome in particular, Google Chrome Frame running as a plug-in has doubled the attack area for malware and malicious scripts. This is not a risk we would recommend our friends and families take."

Of course, when it's Microsoft introducing the security risk to other browsers (Silverlight, anyone?), we should all just grin and take it.

* Image via DevExpress.  Hat tip to Gregg Keizer.

Topics: Security, Browser, Google, Malware, Microsoft



  • is this a part of - framework assistant

    I am using Firefox 3.5.3 and it has
    ".net framework assistant 1.0" disabled,
    claiming that is not compatible with this
    version of the browser.

    what makes this different from the
    "Windows Presentation Foundation"
    that was not disabled until I did it myself?

    is one or both the problem ?
    not of this world
    • MS proves it can't be trusted one more time

      Best thing is to adopt other options and move away
      from Windows products.

      Firefox is not to blame, it's Microsoft.
      • I'd love to, but I'm stuck with MS...

        Re: "Best thing is to adopt other options and move away
        from Windows products."


        Many of us, including me, would love to do just that, but, professionally, we're stuck. I don't use MS at home when not programming; I opt for Ubuntu 9.04...

        MS is trying to crush Linux, too, with bogus patent lawsuits (remember the SCO fiasco)...they just don't work and play well with others. Microsoft, if it would focus on quality more, could have crushed all before it years ago; instead it opts for petty backbiting...bad karma for Microsoft!
        • You aren't stuck

          You're never 'stuck'. There are always options.

          The options apparently aren't good enough to make you switch, but that's not MS's problem.

          If you don't like the MS tools, use an alternative, and make that alternative work better.

          == John ==
          • Aren't Stuck?

            Are you really that naive?

            If you've ever worked in the corporate world, you should know that frequently there are [b]no[/b] [i]viable[/i] options.

            In fact, the normal use of [i]options[/i] presumes the [i]viable[/i] qualifier.
            Remember the attack on the WTC? Some folk jumped rather than burn. The option was not life or death, it was the [i]manner[/i] of death.

            Your statement is somewhat true, but it's totally unrealistic ... in life, particularly at work, many available options--change vocations, get a new job?--simply are not tenable.
          • Wow, that's out there...

            comparing jumping from the WTC to using Windows is a stretch, no matter how much you dislike MS. However the person you responded to had a very valid point. Just because the alternatives aren't as good doesn't mean that is somehow Microsoft's fault.
          • There really are no options in the corporate world.

            Because none are allowed. It really is that simple. It is not that there are not options that will technically work, it is that IT is so narrow minded that they allow none to be used.
          • Quite So [n/t]

            narrow thinking
          • narrow minded!?!?

            IT can only support a limited number of options within the framework of any organization.

            Who is supposed to pay for the uber-guru with in-depth knowledge of every piece of crapware end-users want to muck their systems up with?

            Who is supposed to pay for the fantastic network/system that supports every option? How much spare time do you think IT has to pander to unrealistic expectations from _narrow minded_ end-users who can't seem to understand that they work for a BUSINESS and that changes COST MONEY. If the organization has committed time and money to a M$ solution, suck it up and deal, because IT CAN'T change it anytime soon.

            Chances are that most of those IT guys have banged their heads up against the wall of the corporate monolith trying to get things changed and been told "we can't afford it" often enough that they lack the energy - or have the foresight - not to waste their time again. Chances are also pretty high that most of those so-called narrow minded IT guys happily toy with multiple OS's and "options" whenever somebody else isn't footing the bill.

            This isn't narrow-mindedness, it's common sense.

            How would you like it if people constantly came along wanting to triple your workload without a raise or any extra time?

          • The Business Should Pay!

            The business should go and hire such teams as are necessary to cover all of your examples.

            [b]And they should do it with local talent here in the United States.[/b] It's about time that the enterprise got back on a hiring spree with sign-on bonus money, relocation and so forth in hand.

            This would also help put a dent in the "jobless recovery" aspect of the Great Recession. See, two problems solved!!
            Too Old For IT
          • Our IT support two laptop platforms...

            Toshibas running Win XP and MacBooks running Leopard. They seem to do quite well actually, I'm pleased with my MacBook Pro, and I've been a Microsoft supporter since before I ran Windows 1.10 on an HP 150 Touchscreen around 1988.
          • Sorry, I work in the real world

            My work is writing programs for my clients' Windows environments. In a .Net language, as my clients require. Without exception my clients' IT staffs always lock down their environments so they aren't eternally chasing ghosts. What are my options again, John? Give up my livelihood and become a Mac or Linux programmer? Now those are huge job markets. Sorry buddy, you're talking nonsense.
          • You are wrong

            Usually, the people who decide the computing environment don't have an IT background - sometimes they aren't even computer literate. They listen to MS tell them they are the best, and nothing will change their mind. If they say it's MS, it's MS. Unless, of course, you want to get a new job. Oh, and when someone gets a drive-by, it's your fault too - regardless of OS, browser, security system, or even the inability of the end user to LISTEN.
            library assistant
        • Linux doesn't need any help from MS

          Linux doesn't need any help from MS to be crushed; Linux does that all on its own by making an OS no one wants. And if you think Linux doesn't have any patented code in it you're a moron. I mean Linux is all about copying someone else's ideas and making it free.
          • Er, yeah...

            [i]"I mean Linux is all about copying someone Else's ideas and making it

            As opposed to Microsoft copying everyone else's ideas, dumbing them down, and then making you PAY for it.

            Even if what you said were true, Linux is still the better option!
          • Learn to write

            Before posting personal insults, maybe you should at least learn some basic rules of spelling and syntax.
            Don Collins
          • that's funny

            So all the money IBM, SAP, Oracle, and others spend on running Linux or porting to Linux is because it's a loser OS? For example, search for the following SAP article on the web: "SAP ON LINUX IN GENERAL

            If Linux is about copying someone else's ideas, then MS should get a medal for doing exactly that... in hideous ways.

            I don't run Linux at home any more because the systems I have are sufficient for what I do. But I do know a bunch of people that love Linux and swear by it. This OS can still run on PCs that would be way underpowered by Windows' "standards."
          • Re: Linux doesn't need any help from MS

            While it's true that Linux is tripping over its own shoelaces in many respects, it isn't an "OS no one wants". I'm someone, and I'm writing this snide reply to your comment on a Linux box ... and you're nobody, Stan57. You sound remarkably uninformed.
            Tony R.
          • The uninformed speak

            You might want to become a little more educated before you expose your ignorance. The first corporate-use operating systems from the '60s were UNIX variants such as BSD, i.e., progenitors of Linux. Microsoft's first attempt at a corporate desktop - Windows NT 3.5 - was an unmitigated disaster. They didn't really have a decent platform until Windows 2000. And you really need to watch "Pirates of Silicon Valley". You're just making yourself look silly.
          • Not that I want to defend a Troll...

            ...but even though I disagree with his rant you need to do some research too. Bell UNIX wasn't out until the early 1970s and BSD did not ship until 1977. There were no UNIX variants in the 1960s as far as I know.
            As to NT, I was a beta tester for NT 3.1 back in 1992, and I can tell you it was a solid product, really quite bulletproof IMHO; it really showed its VMS roots. The only issue was it was really sloooooow, so they made it faster with NT 3.5, but at the expense of robustness.
            Lastly, I'm not sure that movie got everything exactly right....