Microsoft.NET Add-On Exposes Firefox Users to Malware Attacks

Do you trust that your web browser application is safe and free from vulnerabilities that could open up your system to an attack?

Firefox, one of the most trusted and most used web browser applications, received a .NET add-on from Microsoft that put users at risk of an attack from a remote hacker. The .NET add-on from Microsoft was included in a security bulletin release on Tuesday which consisted of a patch that fixed 34 flaws within various Microsoft applications. Unfortunately, Firefox users did not have an option of receiving the add-on if they chose to allow the Microsoft update to occur on their system.

Microsoft has always delivered security updates and patches to the Windows operating system and other Microsoft software when a flaw or security vulnerability was discovered. This is one of the rare times that an application that was not developed by Microsoft succumbs to a vulnerability all because of a "security update", or in Firefox’s case, a .NET add-on update.

A post on Microsoft's Security Research & Defense blog stated that, "The reason is that .NET Framework 3.5 SP1 installs a 'Windows Presentation Foundation' plug-in in Firefox." The Microsoft engineers also admitted, "While the vulnerability is in an IE component, there is an attack vector for Firefox users as well."

Surprisingly, if computer users wanted to remove the add-on that could cause a system to be vulnerable to an attack, it would be a difficult task to perform. After the installation of the latest Windows update that addresses several security flaws, computer users are unable to remove the .NET add-on within Firefox because the option is grayed out. However, users can attempt to remove the add-on through somewhat difficult instructions that have been posted on several sites, one being Annoyances.org.

If you are wondering what the .NET add-on is capable of doing to your system then you are not alone. According to Annoyances.org, this update that adds an add-on to Firefox is one of the most dangerous vulnerabilities present in all versions of Internet Explorer. It basically gives a web site the ability to secretly install software onto your computer.

Microsoft's answer and solution to all of this is to suggest that users simply uninstall the component (.NET) if they are not able to deploy patches provided in the latest MS09-054 update.

We have always recommended that computer users keep their software up-to-date to ward-off any potential vulnerabilities from parasite infections. However, in the case of this discovered .NET Firefox add-on that can potentially be a threat to your computer, that rule does not completely apply. If you have applied the latest MS09-054 Microsoft Security Bulletin update, then you may want to uninstall the .NET component to avoid the unscrupulous Firefox add-on.