[conspire] More Firefox Addon problems - this tie from MS

Ruben Safir ruben at mrbrklyn.com
Mon Feb 1 12:46:57 PST 2010


Sneaky Microsoft plug-in puts Firefox users at risk
Submitted by MacRonin on October 17, 2009 - 11:58pm

    * Alert
    * Companies
    * Exploits
    * Hmmm
    * Microsoft
    * Microsoft
    * Microsoft Windows
    * Open Source
    * Privacy
    * Remember
    * Reviews
    * Scams
    * Security
    * Software
    * Violations
    * Windows

Sneaky Microsoft plug-in puts Firefox users at risk: Via computerworld.
Patches critical bug, exploitable because of add-on silently slipped
into Firefox last February

An add-on that Microsoft silently slipped into Mozilla's Firefox last
February leaves the browser open to attack, Microsoft's security
engineers acknowledged earlier this week.

One of the 13 security bulletins Microsoft released Tuesday affects not
only Internet Explorer (IE), but also Firefox, thanks to a
Microsoft-made plug-in pushed to Firefox users eight months ago in an
update delivered via Windows Update.

"While the vulnerability is in an IE component, there is an attack
vector for Firefox users as well," admitted Microsoft engineers in a
post to the company's Security Research & Defense blog on Tuesday. "The
reason is that .NET Framework 3.5 SP1 installs a 'Windows Presentation
Foundation' plug-in in Firefox."

The Microsoft engineers described the possible threat as a
"browse-and-get-owned" situation that only requires attackers to lure
Firefox users to a rigged Web site.

Numerous users and experts complained when Microsoft pushed the .NET
Framework 3.5 Service Pack 1 (SP1) update to users last February,
including Susan Bradley, a contributor to the popular Windows Secrets

"The .NET Framework Assistant [the name of the add-on slipped into
Firefox] that results can be installed inside Firefox without your
approval," Bradley noted in a Feb. 12 story. "Although it was first
installed with Microsoft's Visual Studio development program, I've seen
this .NET component added to Firefox as part of the .NET Family patch."

What was particularly galling to users was that once installed, the .NET
add-on was virtually impossible to remove from Firefox. The usual
"Disable" and "Uninstall" buttons in Firefox's add-on list were grayed
out on all versions of Windows except Windows 7, leaving most users no
alternative other than to root through the Windows registry, a
potentially dangerous chore, since a misstep could cripple the PC.
Several sites posted complicated directions on how to scrub the .NET
add-on from Firefox, including Annoyances.org.

Annoyances also said the threat to Firefox users is serious. "This
update adds to Firefox one of the most dangerous vulnerabilities present
in all versions of Internet Explorer: the ability for Web sites to
easily and quietly install software on your PC," said the hints and tips
site. "Since this design flaw is one of the reasons [why] you may have
originally chosen to abandon IE in favor of a safer browser like
Firefox, you may wish to remove this extension with all due haste."

Specifically, the.NET plug-in switched on a Microsoft technology dubbed
ClickOnce, which lets .NET apps automatically download and run inside
other browsers.

Read Original Article:(Via computerworld.)

http://www.mrbrklyn.com - Interesting Stuff
http://www.nylxs.com - Leadership Development in Free Software

So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world  - RI Safir 1998

http://fairuse.nylxs.com  DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002

"Yeah - I write Free Software...so SUE ME"

"The tremendous problem we face is that we are becoming sharecroppers to our own cultural heritage -- we need the ability to participate in our own society."

"> I'm an engineer. I choose the best tool for the job, politics be damned.<
You must be a stupid engineer then, because politcs and technology have been attached at the hip since the 1st dynasty in Ancient Egypt.  I guess you missed that one."

© Copyright for the Digital Millennium

More information about the conspire mailing list