Some time ago we advised uninstalling the Microsoft .NET Framework Assistant because it was breaking some Firefox extensions.
Windows Presentation Foundation Plugin in the Add-Ons Manager
Of course, as many noticed at that time, having add-ons from Microsoft installed into Firefox behind your back by a Windows update also expanded the attack surface of the Mozilla browser, by adding the possible (likely) vulnerabilities of Microsoft's technology to the mix. Ironically, this is the very argument used by Microsoft itself against Google Frame.

That easy prediction has now come true. According to Microsoft,

MS09-054 addresses an IE vulnerability (CVE-2009-2529), which was discovered and presented by Mark Dowd, Ryan Smith, and David Dewey at the BlackHat conference in July. [...]

A browse-and-get-owned attack vector exists. All that is needed is for a user to be lured to a malicious website. [...]

While the vulnerability is in an IE component, there is an attack vector for Firefox users as well.

The reason is that .NET Framework 3.5 SP1 installs a “Windows Presentation Foundation” plug-in in Firefox.
Via this plug-in it is possible to launch XBAP, and reach this vulnerability, from within Firefox.

The Windows Presentation Foundation plugin enables "XAML Browser Applications" (XBAPs) to run inside your browser. Ironically, this appears to be Microsoft's late equivalent of Java Applets, with a whiff of ActiveX thrown in as a bonus (it runs native code). Talk about lessons learned...

In order to protect yourself, open Tools|Add-ons|Plugins, select Windows Presentation Foundation, and click the Disable button.
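Disabling the plugin in the Add-ons manager only covers the Firefox profile you are looking at; the installer hooks into Firefox by writing registry entries, so a quick way to audit every machine (and to re-check after each Windows Update) is to enumerate those entries. The script below is an added example, not code from the original post or from Microsoft or Mozilla. It assumes Mozilla's documented registry registration points, HKLM/HKCU\SOFTWARE\MozillaPlugins for plugins and HKLM/HKCU\SOFTWARE\Mozilla\Firefox\Extensions for extensions; the match pattern is a heuristic chosen for this example, not a value taken from the post.

```powershell
# Added example (not from the original post): report Firefox plugins and
# extensions registered through the Windows registry and flag the ones that
# look like the WPF/XBAP plugin or the .NET Framework Assistant.
# Assumption: Mozilla's documented registration keys are used (see lead-in).

$PluginKeys = @(
    'HKLM:\SOFTWARE\MozillaPlugins',
    'HKLM:\SOFTWARE\Wow6432Node\MozillaPlugins',
    'HKCU:\SOFTWARE\MozillaPlugins'
)
$ExtensionKeys = @(
    'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions',
    'HKLM:\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions',
    'HKCU:\SOFTWARE\Mozilla\Firefox\Extensions'
)
# Heuristic pattern chosen for this example; adjust to taste.
$SuspectPattern = 'Windows Presentation Foundation|WPF|XBAP|\.NET Framework Assistant'

function New-HookRecord {
    param($Kind, $RegistryKey, $Path, $Description, $Version, $Pattern)
    $text = ($RegistryKey, $Path, $Description) -join ' '
    [pscustomobject]@{
        Kind        = $Kind
        RegistryKey = $RegistryKey
        Path        = $Path
        Description = $Description
        Version     = $Version
        Suspect     = [bool]($text -match $Pattern)
    }
}

function Get-RegisteredFirefoxPlugins {
    param([string]$Pattern = $SuspectPattern)
    foreach ($key in $PluginKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        # Each subkey is one plugin; "Path" is the DLL Firefox will load.
        foreach ($sub in Get-ChildItem -LiteralPath $key) {
            $p = Get-ItemProperty -LiteralPath $sub.PSPath
            New-HookRecord -Kind 'Plugin' -RegistryKey $sub.Name -Path $p.Path `
                -Description $p.Description -Version $p.Version -Pattern $Pattern
        }
    }
}

function Get-RegisteredFirefoxExtensions {
    param([string]$Pattern = $SuspectPattern)
    foreach ($key in $ExtensionKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $p = Get-ItemProperty -LiteralPath $key
        # Each value name is an extension ID; its data is the install directory.
        foreach ($value in $p.PSObject.Properties) {
            if ($value.Name -like 'PS*') { continue }   # skip provider metadata
            New-HookRecord -Kind 'Extension' -RegistryKey ($key + '\' + $value.Name) `
                -Path $value.Value -Description '' -Version '' -Pattern $Pattern
        }
    }
}

# Report, suspect entries first. Nothing is modified: this is an inventory only.
@(Get-RegisteredFirefoxPlugins) + @(Get-RegisteredFirefoxExtensions) |
    Sort-Object Suspect -Descending |
    Format-Table Kind, Suspect, RegistryKey, Path, Version -AutoSize
```

The report is read-only: it tells you which DLL or directory each registration points at, so you can confirm that a flagged entry really is the one shipped by .NET Framework 3.5 SP1 before deciding to disable it in the Add-ons manager as described above. Running it after every Windows Update answers the "do I have to check every time?" question with a one-liner rather than a manual tour of every profile's plugin list.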

30 Responses to “Microsoft Windows Exploitation Foundation for Firefox”

  1. #1 hackademix.net » Microsoft Windows Exploitation Foundation for Firefox | Firefox News on Twitter says:

    [...] View post: hackademix.net » Microsoft Windows Exploitation Foundation for Firefox [...]

  2. #2 hackademix.net » Microsoft Windows Exploitation Foundation for Firefox | Firefox News on Twitter says:

    [...] See original here: hackademix.net » Microsoft Windows Exploitation Foundation for Firefox [...]

  3. #3 Sid says:

    > Ironically, this is the very argument used by Microsoft itself against Google Frame.

    It isn't ironic at all -- it actually reinforces Microsoft's point.

  4. #4 hackademix.net » Microsoft Windows Exploitation Foundation for Firefox says:

    [...] See the original post here:  hackademix.net » Microsoft Windows Exploitation Foundation for Firefox [...]

  5. #5 fsync says:

    So, what triggers the installation of this plug-in?

    I guess we need to check our list of plug-ins for every installed version of Firefox, after every new Firefox installation, and after every run of Windows Update?

  6. #6 Morac says:

    Mozilla just automatically blocked both the Microsoft .NET Framework Assistant 1.1 add-on and the Windows Presentation Foundation 3.5.30729.1 plugin from Firefox.

  7. #7 hackademix.net » Microsoft Windows Exploitation Foundation for Firefox says:

    [...] the whole story here: Giorgio aggregated by [...]

  8. #8 pseudotecnico:blog » Microsoft, hands off Firefox says:

    [...] also the post by Giorgio Maone, author of NoScript: The Windows Presentation Foundation plugin enables “XAML Browser [...]

  9. #9 fs Linux | Future System Linux − hackademix.net » Microsoft Windows Exploitation Foundation for Firefox says:

    [...] Read the original:  hackademix.net » Microsoft Windows Exploitation Foundation for Firefox [...]

  10. #10 Twitter Trackbacks for hackademix.net » Microsoft Windows Exploitation Foundation for Firefox [hackademix.net] on Topsy.com says:

    [...] hackademix.net » Microsoft Windows Exploitation Foundation for Firefox hackademix.net/2009/10/16/microsoft-windows-exploitation-foundation-for-firefox – view page – cached Some time ago we advised to uninstall the Microsoft .NET Framework assistant because it was breaking some Firefox extensions. — From the page [...]

  11. #11 hackademix.net » Microsoft Windows Exploitation Foundation for Firefox | Work4Real | Blogs search says:

    [...] Show original post here [...]

  12. #12 Chris Lees says:

    That should read "In order to temporarily protect yourself". If you want to permanently protect yourself, you should get a boot CD of some description and erase your Windows partition.

  13. #13 Windows Presentation Foundation says:

    [...] hackademix.net » Microsoft Windows Exploitation Foundation for Firefox [...]

  14. #14 Basti says:

    @sid (3)

    It is ironical because M$ says that when Google Chrome takes over IE (injects itself into it) with its own engine it doubles the risk for attacks.

    However they inject a plugin into another application (that doesn't belong to them) that increases the risk of exploitation.

    M$ point: Injecting something into IE is dangerous.
    What does M$ do? ... inject a plugin into Firefox.

    This is ironic like a dead cat with the name Lucky.

    @Giorgio: if this is your screenshot: you accidentally installed Silverlight (that gets blocked by NoScript of course)

  15. #15 What Is Windows Presentation Foundation Firefox | Hot Web Trends says:

    [...] Windows Presentation Foundation Plugin in the Add-Ons Manager Of course, as many noticed at that time, having add-ons from Microsoft installed into Firefox behind your back by a Windows update also expanded the attack surface of the … Read more [...]

  16. #16 hackademix.net » Firefox's Immune System says:

    [...] Microsoft Windows Exploitation Foundation for Firefox 17 10 2009 [...]

  17. #17 Laurens Holst says:

    The sad part is, installing Google Chrome (or presumably Google Gears as well) installs a similar thing, which lets Google automatically install software (e.g. a Chrome update when going to the download site) from within Firefox. Luckily I found this out and managed to disable it from the plugins page; however, until that time it was running without me knowing.

    Dear Microsoft, Google (I presume you are reading this because you acquired reCaptcha): Not Appreciated.

    Aside from the fact that this is not the kind of operation I like to be done from within my browser, I already have too many plugins which all have their own set of vulnerabilities and I need to keep updated to keep my browser secure (Acrobat, Flash, Java), and the last thing I need is for other vendors to install additional plugins that I need to keep up-to-date without my consent.

  18. #18 Giorgio says:

    @Basti:
    Silverlight is mandatory for me to watch Repubblica.it TV (one of the few mainstream news outlets in Italy opposing Silvio Berlusconi).

    The fact you cannot just disable Javascript and plugins everywhere is the main reason why I created NoScript, actually :)

  19. #19 Nan M says:

    More like Windows *Infestation* Foundation, this set of obnoxious security whiteanting behaviours from MS.

  20. #20 Firefox » A vulnerability has been found in the Microsoft extension forcibly installed into Firefox says:

    [...] A serious vulnerability has been found in one of these extensions, “Windows Presentation Foundation”, allowing an attacker to [...]

  21. #21 Windows 7 VS Snow Leopard - Bloggone we love our tech says:

    [...] hackademix.net » Microsoft Windows Exploitation Foundation for Firefox For The Love Of Tech [...]

  22. #22 Silent Install Firefox Plugin Backfires on Microsoft « Aftirmative says:

    [...] surface area of attack, when Microsoft do it to Firefox, it’s a different matter. Now a security hole has been found in a plugin that Microsoft have been silently installing into [...]

  23. #23 A vulnerability has been found in the Microsoft extension forcibly installed into Firefox | Сумы.biz says:

    [...] an update fixing the vulnerability - MS09-054. Description Source: uinС: Computer [...] news [...]

  24. #24 Microsoft: Pot, Kettle, Black. | Coolvibe's digital moshpit says:

    [...] the user knowing about it. Guess what, the “crap” Microsoft installs into Firefox has a security vulnerability. The kind folks at Hackademix warned about this before. I guess they have egg on their face now. [...]

  25. #25 Basti says:

    @Giorgio

    Flash is mandatory and widely used although it creates problems. Java is mandatory for some things: if not on the net, then it's needed by software to run. JS is mandatory, as clicking a link seems to be something so complex that only JS can do the job. ;)

    However I use Flash, Java and JS, but fight Silverlight as long as I can.

  26. #26 electronic cigarette says:

    Yes..I learned the hard way. Now I watch carefully after Window updates for sure.

  27. #27 security alarm systems says:

    security alarm systems

    I think I am gonna research this some more!

  28. #28 strel says:

    For your information, you can build custom .NET installers that allow you to avoid installing XBAP and/or ClickOnce, or to remove them completely, with this:
    http://www.msfn.org/board/index.php?showtopic=127790

  29. #29 Internet | Microsoft, hands off Firefox says:

    [...] also the post by Giorgio Maone, author of NoScript: The Windows Presentation Foundation plugin enables “XAML Browser [...]
