Microsoft .NET Plug-In Exposes Firefox Users to Malware Attacks
Remember that Microsoft .NET Framework Assistant add-on that Microsoft sneaked into Firefox without explicit permission from end users?
Well, the code in that add-on has a serious code execution vulnerability that exposes Firefox users to the "browse and you're owned" attacks that are typically used in drive-by malware downloads.
The flaw was addressed in the MS09-054 bulletin that covered "critical" holes in Microsoft's Internet Explorer but, as Redmond's Security Research & Defense team explains, the drive-by download risk extends beyond Microsoft's browser.
A browse-and-get-owned attack vector exists. All that is needed is for a user to be lured to a malicious website. Triggering this vulnerability involves the use of a malicious XBAP (XAML Browser Application). Please note that while this attack vector matches one of the attack vectors for MS09-061, the underlying vulnerability is different. Here, the affected process is the Windows Presentation Foundation (WPF) hosting process, PresentationHost.exe.
While the vulnerability is in an IE component, there is an attack vector for Firefox users as well. The reason is that .NET Framework 3.5 SP1 installs a “Windows Presentation Foundation” plug-in in Firefox.
Now, Microsoft's security folks are actually recommending that Firefox users uninstall the buggy add-on:
For Firefox users with .NET Framework 3.5 installed, you may use “Tools” -> “Add-ons” -> “Plugins”, select “Windows Presentation Foundation”, and click “Disable”.
More from Computerworld's Gregg Keizer.
Comments
One more example of how hard all of this stuff is. Even the guys at Microsoft can't get it all right. I just got the warning from Windows to uninstall this component. Sweet.
Tried to find the original blog entry (via link) describing the original installation - no way would ZDNet let me find it. Google cache to the rescue.
Oh yes, and now I know why I so carefully didn't install .NET in the first place. When do you actually NEED .NET if you're a home user?
I just went to Firefox plugins to disable Windows Presentation Foundation but, lo and behold, the good folks at Firefox had already taken care of it.
Yep, Firefox are now blocking access to this plug-in. Well, as of 09:00hrs my time (UK).
Firefox disabled itself the other day.
I keep getting a popup message asking me if I want to install Internet Addons Assistant Installer (is this the exactly correct name?). I say go ahead, but nothing happens. Yet the popup never stops. What to do? Is this the issue affecting Firefox?
I think that's something else. Mine actually had .NET in the name of the addon. I didn't have it in there until after I installed the big batch o' windows updates from last Tuesday.