We mentioned last week how the latest update from Microsoft included a .NET add-on for Firefox that proved to allow malware attacks. Normally, Microsoft updates are issued to fix software issues while, at the same time, protecting computer users from security-related attacks. This time, the Microsoft update MS09-054 created a new issue: it put computer users at risk of an attack from a remote hacker.
Microsoft attempted to clarify the impact of the update and how to resolve the Firefox .NET add-on vulnerability, but many of the instructions were not clear enough for the average computer user to follow without risking damage to their system. One of the 'fix' instructions involved editing the system registry, which can cause serious issues if a user is inexperienced with that process. After several computer users reported receiving an 'Add-ons may be causing problems' pop-up message with the Microsoft .NET Framework Assistant listed, Mozilla made it their mission to address this issue even though it was not their mistake.
The cumulative security update for Internet Explorer is the initiating factor for the .NET add-on for Firefox, and it was not well received by Mozilla, the makers of Firefox. The update repaired one notable security issue known as a 'browse-and-get-owned' vulnerability in Internet Explorer. Unfortunately, the same vulnerability could also be exploited through Firefox via the Windows Presentation Foundation plug-in. That is where the confusion begins: Firefox would be left out in the cold without a fix for this same issue.
How to Disable .NET Framework Assistant Security Vulnerability
Obviously, Microsoft's so-called 'fix', which involved a set of risky registry-editing tasks and a point-and-click method that left the Windows Presentation Foundation plug-in behind, would not cut it with many computer users. Instead, Mozilla approached Microsoft with a solution to the matter.
Mike Shaver, Mozilla's Vice President of Engineering, said on Friday on Mozilla's Security blog, "Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism. Microsoft agreed with the plan, and we put the blocklist entry live immediately."
The Microsoft security update MS09-054 advisory now includes the following statements, which clearly mention Firefox instead of only Internet Explorer:
- Firefox users who are running the Windows Presentation Foundation (WPF) plug-in and do not have it disabled should also apply this security update.
- If I use Firefox, which Internet Explorer update do I need to install?
If a computer system is configured for 'Automatic Update', the correct update will be downloaded and made available for installation depending on the 'Automatic Update' configuration. In the event that a computer system is not configured for 'Automatic Update', users should verify which version of the Windows operating system and Internet Explorer is on their system and download the appropriate update.
- If I install this security update, do I need to disable the Windows Presentation Foundation Plug-in in Firefox to be protected from this vulnerability?
No. Customers who have installed the security updates associated with this security bulletin are protected from this vulnerability.
- If I have not yet applied this security update, how do I disable the Windows Presentation Foundation plug-in in Firefox?
If you have not yet applied this update, you can disable the Windows Presentation Foundation plug-in in Firefox to block this vulnerability. To do this, launch the Firefox browser, select the 'Tools' pull-down menu, and then click 'Add-ons'. Then select the 'Plugins' icon at the top of the 'Add-ons' window. In the list of 'Plugins', select 'Windows Presentation Foundation 3.5.30729.1' and click 'Disable'.
- If I uninstall the .NET Framework Assistant extension, does it disable or remove the Windows Presentation Foundation plug-in?
If the .NET Framework Assistant extension is uninstalled it does not disable or remove the Windows Presentation Foundation plug-in. The .NET Framework Assistant and Windows Presentation Foundation plug-in are controlled through different screens in the Firefox Add-ons management window.
Additional information on the blocking of the .NET Framework Assistant to disarm the security vulnerability can be found on Mozilla's Security Blog. In the past few days, did you notice the 'Add-ons may be causing problems' pop-up message in Firefox and wonder what it was?