bit-tech.net

Mozilla blocks vulnerable MS plugin

The vulnerability in the Windows Presentation Foundation plugin opens Firefox up to attack - and has been centrally blocked.

The Mozilla Foundation took the controversial step this weekend of blocking certain Microsoft plugins - at least one of which contains an exploitable vulnerability - from installing and executing in its Firefox web browser.

As reported over on PC Magazine, the Foundation has chosen to prevent Microsoft's Windows Presentation Foundation plugin from operating within the Firefox browser after Microsoft announced vulnerability MS09-054 in the plugin - a vulnerability which opens up an exploitable hole in the browser.

Perhaps the biggest issue - and the reason why the Foundation has chosen to block the plugin outright - is that, in common with the .Net Framework Assistant add-on, it installs in Firefox automatically as part of the .Net Framework 3.5 Service Pack 1 update, with no user interaction or warning. Uninstalling the plugin or add-on is also somewhat difficult.

This sneaky behaviour may have contributed to the choice to block not only the vulnerable Windows Presentation Foundation plugin, but also the .Net Framework Assistant add-on - a move which has now been reversed with confirmation that the Framework Assistant add-on is not vulnerable.

However, the blocking of the Windows Presentation Foundation plugin remains in effect - causing at least one Microsoft employee to post the warning that "when business users can't use their core business functionality - they uninstall stuff [like Firefox]" to Twitter.

Perhaps the biggest issue with Firefox using its central blacklisting feature against such a large company's software is that, according to vice president of engineering Mike Shaver, the Foundation is unable to distinguish "patched from unpatched, so we're blocking it [the plugin] while we sort that out."

Since then Shaver has posted that work continues on allowing corporate users - or those on Firefox 3.5, at least - the option of overriding the block as the Foundation "[works] to keep our users safe and comfortable with all the tools at our disposal."

Are you pleased to see that the Foundation takes the safety of its users seriously enough to risk the ire of Microsoft, or was it a bad call to block such a major plugin - despite the risk? Should Microsoft get its sweaty mitts off your Firefox browser and stop installing plugins and add-ons without your permission? Share your thoughts over in the forums.

27 Comments

Mankz 19th October 2009, 15:01 Quote
Nice to see Mozilla has some balls.
Musicboffin 19th October 2009, 16:16 Quote
Lol... "We installed a plugin which the user had no control over and it got blocked for containing an exploit... boo hoo". Harden the **** up, Microsoft.
jezmck 19th October 2009, 16:37 Quote
Agree with Mankz here. Glad to see Moz do the right thing
dazworld 19th October 2009, 16:56 Quote
I think Microsoft have done many good things for computer evolution and the web. However, when it comes to its browser, Internet Explorer and its approach to forcing its browser in Windows, creating its own CSS standards and being way-behind in helping web developers de-bug (bar Visual Studio) their web pages, IE has caused me soooooo much pain and I use, as standard, Firefox and Firebug and it's saved my skin loads.

I trust Mozilla as a future. I don't trust IE.
Mr T 19th October 2009, 17:07 Quote
Nice one mozilla. It's this kind of action that prompts MS to get their finger out and fix the issue. I'm sure MS could have a fix out by this time next week.
HourBeforeDawn 19th October 2009, 17:32 Quote
anyone know what's going on with my firefox, for some reason when I type anything in the address bar and hit enter nothing at all happens, I can pull up my favorites and load those fine, I can search google to get to websites from my home page but when it comes to the address bar nothing happens? any thoughts? this is the first time I have ever had an issue with FF.
Shagbag 19th October 2009, 19:43 Quote
Quote:
Originally Posted by Mr T
I'm sure MS could have a fix out by this time next week.
That's if Google doesn't beat them to it. lol.
Star*Dagger 19th October 2009, 20:24 Quote
I think it is great that MS did this, it will allow the EU to play whack-a-mole with their moronic corporate heads.
I wonder if MS realizes how close they are to being forced by the EU to do A LOT of things with MS win code that they would never do on their own.
This is just the opening the EU wants, so keep up the good work MS!!

Yours in MS Win gone by 2020,
Star*Dagger
leexgx 19th October 2009, 21:23 Quote
bit late this news they now removed it from the block list now (from another site i seen this news before), need to update the content
Gareth Halfacree 19th October 2009, 21:35 Quote
Quote:
Originally Posted by leexgx
bit late this news they now removed it from the block list now (from another site i seen this news before), need to update the content
Have they? As the article says, they removed the .Net Framework Assistant plugin, but as far as I'm aware the Windows Presentation Foundation plugin is still blacklisted.
Joeymac 19th October 2009, 22:14 Quote
After these addons were blocked the other day I noticed an immediate speed boost.... anyone else have this?
alpaca 19th October 2009, 22:15 Quote
my firefox told me it blocked this plugin right now, so it is not yet removed from their blacklist
thehippoz 19th October 2009, 23:35 Quote
got the block couple days ago too
leexgx 20th October 2009, 01:13 Quote
should have posted they say may take some time to filter down to each firefox client (what they posted) something that the security problem that affected IE should not affect firefox (wish i had that link)

i just installed firefox and mine is not blocked (mine is 1.1 net plugin windows 7) press the find update button and then restart firefox once it says there is no update might turn it back on (you can then disable the plugin if you want it off as it will turn back on)
crazyceo 20th October 2009, 14:04 Quote
Simple solution DON'T USE FIREFOX. The alleged vulnerability isn't exposed on IE, it's just firefox.

This is just another reason for businesses to remove vulnerable third party products from their networks and stick with the work horse trusted Microsoft. The ONLY player in the corporate world!
TreeDude 20th October 2009, 14:39 Quote
Quote:
Originally Posted by crazyceo
Simple solution DON'T USE FIREFOX. The alleged vulnerability isn't exposed on IE, it's just firefox.

This is just another reason for businesses to remove vulnerable third party products from their networks and stick with the work horse trusted Microsoft. The ONLY player in the corporate world!

The vulnerability lies in a plugin that MS created. So I fail to see your point.

As long as IE has ActiveX, I will NEVER use it as my main browser. ActiveX is one great big vulnerability.
crazyceo 20th October 2009, 15:48 Quote
Yes another nice anti-microsoft sweeping statement. " ActiveX is one big vulnerability" and where is your evidence for that comment?

This topic was about the alleged vulnerability in the plugin for firefox. Simple solution DON'T USE FIREFOX
Gareth Halfacree 20th October 2009, 15:51 Quote
Quote:
Originally Posted by crazyceo
This topic was about the alleged vulnerability in the plugin for firefox. Simple solution DON'T USE FIREFOX
I've got a better solution - DON'T USE WINDOWS.

Firefox on my Ubuntu installs is completely unaffected by this vulnerability. Funny that.
crazyceo 20th October 2009, 21:35 Quote
HA HA HA yes that's funny! Nice joke, you may as well just unplug your machine and set it on fire as it would become completely useless.
themcman1 20th October 2009, 21:41 Quote
Quote:
Originally Posted by crazyceo
HA HA HA yes that's funny! Nice joke, you may as well just unplug your machine and set it on fire as it would become completely useless.

:|

IE is possibly the Worst. Browser. Ever.

Your sweeping comment about ubuntu is also unwarranted. Why would it be completely useless?
Bindibadgi 20th October 2009, 23:06 Quote
Quote:
Your sweeping comment about ubuntu is also unwarranted. Why would it be completely useless?

The sweeping statement about Windows is just as bad.

Why don't we get some rationale here and not just an entire OS based on one application?
geekboyUK 21st October 2009, 00:26 Quote
Don't feed the trolls ;)
Shagbag 21st October 2009, 17:32 Quote
The only ActiveX vuln I'm aware of was the one that took Microsoft over 18 months to address and, to be fair, it's more of an indictment of Microsoft than ActiveX.
crazyceo 21st October 2009, 22:11 Quote
Did I ever tell you about this really big company that had approximately 95% of the planet's computer users as its customers. It's been going for years now and making lots of money. It also ploughs loads of money in trying to secure its own products that let's say that again "95% of the planet's computer users" from glitchy third party programs that it's forced to accommodate.

You trolls mess your systems up with all that crap from Mozilla, Google, Opera blah, blah, blah. I happily use Windows 7 Ultimate with IE8, Bing, Windows Live Messenger, Microsoft Office, Windows Media Player and I have no need whatsoever to use any other crappy glitchy adware program that everyone else climbs over themselves to shout "But mine is bigger than yours"

Just wait and you will hear a few shout it next.

It's called choice ladies and just because you use it, it doesn't mean it's the best or better than what I use for what I want to use it for.
thehippoz 21st October 2009, 22:40 Quote
well ask any web guy what he would rather write for.. the proprietary CSS in IE (which only works in IE) or CSS for mozilla browsers (which stick to specifications and work for all)

proprietary sucks.. course to the end user- the bonus of running IE is he gets to see everything, as sites badly written just for IE will be displayed correctly :D doesn't mean it's any better.. just means the web guy sucks

far as exploits, firefox is open source
impar 22nd October 2009, 09:43 Quote
Greetings!
Quote:
Originally Posted by crazyceo
You trolls mess your systems up with all that crap from Mozilla, Google, Opera blah, blah, blah. I happily use Windows 7 Ultimate with IE8, Bing, Windows Live Messenger, Microsoft Office, Windows Media Player and I have no need whatsoever to use any other crappy glitchy adware program...
You haven't mentioned one non-Microsoft program that is adware in your post.
crazyceo 22nd October 2009, 20:16 Quote
Impar, I think you better rethink that comment. (Cough*Google*Cough)