Microsoft makes Firefox vulnerable: Mozilla responds
- Date: October 18th, 2009
- Author: Chad Perrin
- Category: Application Security, News, Security, patching, vulnerability
- Tags: Security, Mozilla Firefox, Microsoft Corp., Mozilla Corp., Web Browsers, Internet, Chad Perrin
A months-old Microsoft security faux pas rears its ugly head, and Firefox users pay the price.
Earlier this year, Microsoft came up with a way to surreptitiously add a feature to Firefox — and, at the same time, a new way for Firefox to be vulnerable to malicious security crackers. In Microsoft may be Firefox’s worst vulnerability, I pointed out that:
Microsoft has decided to quietly install what amounts to a massive security vulnerability in Firefox without informing the user.
A number of articles sprang up, including my own, explaining how Microsoft’s .NET extension for Firefox could be removed, and in some cases warning users to refuse to let the .NET update install itself at all. After taking enough heat from users and security experts, Microsoft even released another MS Windows update that made it easier to disable the .NET extension for Firefox.
Unfortunately, a number of subsequent updates have played havoc with the ease of maintaining a system clear of that particular Firefox extension. Microsoft, as always, thinks it knows better than users. In several cases, people have reported removing or disabling the extension only to have it reappear or reactivate itself later, when it wasn’t expected.
On Tuesday this month, Microsoft released a security bulletin that addresses this problem. The company has admitted to a critical vulnerability introduced to Firefox because of the .NET extension it originally claimed was nothing but a perfectly safe improvement in Firefox functionality. According to ComputerWorld’s Sneaky Microsoft plug-in puts Firefox users at risk:
“While the vulnerability is in an IE component, there is an attack vector for Firefox users as well,” admitted Microsoft engineers in a post to the company’s Security Research & Defense blog on Tuesday. “The reason is that .NET Framework 3.5 SP1 installs a ‘Windows Presentation Foundation’ plug-in in Firefox.”
The Mozilla Foundation, which manages the open source Firefox browser development project, has taken steps to protect its users. Some Firefox users may be treated to a warning dialog similar to this screenshot, bearing ominous messages like:
Firefox has determined that the following add-ons are known to cause stability or security problems
The listed add-ons include the Microsoft .NET Framework Assistant and Windows Presentation Foundation. In case the point was not driven home well enough, the point is reinforced below the list of offending add-ons:
These add-ons have a high risk of causing stability or security problems and have been blocked
Mozilla offers more information at its Add-ons Blocklist page.
Hopefully, Microsoft’s evil extensions to third party applications will not be a problem any longer. Hopefully Microsoft will have learned a lesson from the bad press it has gotten as a result of this fiasco. I will not, however, hold my breath.
Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools. Read his full bio and profile.
