Microsoft .NET Plug-In Exposes Firefox Users to Malware Attacks

Remember that Microsoft .NET Framework Assistant add-on that Microsoft sneaked into Firefox without explicit permission from end users?
Well, the code in that add-on has a serious code execution vulnerability that exposes Firefox users to the “browse and you’re owned” attacks that are typically used in drive-by malware downloads.

Remember that Microsoft .NET Framework Assistant add-on that Microsoft sneaked into Firefox without explicit permission from end users?

Well, the code in that add-on has a serious code execution vulnerability that exposes Firefox users to the “browse and you’re owned” attacks that are typically used in drive-by malware downloads.

The flaw was addressed in the MS09-054 bulletin that covered “critical” holes in Microsoft’s Internet Explorer but, as Redmond’s Security Research & Defense team explains, the drive-by download risk extends beyond Microsoft’s browser.

A browse-and-get-owned attack vector exists. All that is needed is for a user to be lured to a malicious website. Triggering this vulnerability involves the use of a malicious XBAP (XAML Browser Application). Please not that while this attack vector matches one of the attack vectors for MS09-061, the underlying vulnerability is different.  Here, the affected process is the Windows Presentation Foundation (WPF) hosting process, PresentationHost.exe.

While the vulnerability is in an IE component, there is an attack vector for Firefox users as well. The reason is that .NET Framework 3.5 SP1 installs a “Windows Presentation Foundation” plug-in in Firefox.

Now, Microsoft’s security folks are actually recommending that Firefox users uninstall the buggy add-on:

For Firefox users with .NET Framework 3.5 installed, you may use “Tools”-> “Add-ons” -> “Plugins”, select “Windows Presentation Foundation”, and click “Disable”.

More from Computerworld’s Gregg Keizer.

Suggested articles

Discussion

  • Anonymous on

    One more example of how hard all of this stuff is. Even the guys at Microsoft can't get it all right. I just got the warning from Windows to uninstall this component. Sweet.

  • Anonymous on

    Tried to find the original blog entry (via link) describing the original installation - no way would ZDNet let me find it.  Google cache to the rescue.

    Oh yes, and now I know why I so carefully didn't install .NET in the first place.  When do you actually NEED .NET if you're a home user?

  • Buddyw on

    I just went to Firefox plugins to disable Windows Presentation Foundation but, low and behold, the good folks at Firefox had already taken care of it.

  • TheGift73 on

    Yep, Firefox are now blocking access to this plug-in. Well as of 09:00hrs my time (UK)

  • vietvet52 on

    firefox disable itself the other day ,.

  • Anonymous on

    I keep getting a popup message asking me if I want to install Internet  Addons Assistant Installer (is this the exactly correct name?). I say go ahead, but nothing happens. Yet the popup never stops. What to do? Is this the issue affecting Firefox?

  • Michael on

    I think that's something else. Mine actually had .NET in the name of the addon. I didn't have it in there until after I installed the big batch o' windows updates from last Tuesday.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.