Archive for October, 2009

Microsoft's blocklisted add-ons
Almost immediately after the news about a plugin by Microsoft compromising Firefox's security, Mozilla reacted by unleashing a "doomsday weapon": Plugin Blocklisting, a feature introduced more than a year ago in Firefox 3 and kept quiet so far, which allows any problematic add-on to be disabled quickly from a central location. So this morning many of us were greeted by an "Add-ons may be causing problems" window, announcing that the two "intruders from Redmond" had been taken into custody.
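To make the "central location" concrete, here is an added Python model (not code from this post or from Mozilla) of how a blocklist in the XML format Firefox 3 fetched from Mozilla's server is evaluated against what is installed locally: an emItem blocks an extension by id and version range, a pluginItem blocks a plugin when every regex matches. The extension id and plugin filename in the embedded blocklist are constructed placeholders, not the real entries Mozilla shipped.

```python
import re
import xml.etree.ElementTree as ET
NS = "{http://www.mozilla.org/2006/addons-blocklist}"

# Constructed blocklist in the XML format Firefox 3 fetched from Mozilla; the
# extension id and plugin filename are placeholders, not Mozilla's real entries.
BLOCKLIST_XML = r"""<?xml version="1.0"?>
<blocklist xmlns="http://www.mozilla.org/2006/addons-blocklist">
  <emItems>
    <emItem id="placeholder-assistant@example.invalid">
      <versionRange minVersion="0.9" maxVersion="1.1"/>
    </emItem>
  </emItems>
  <pluginItems>
    <pluginItem>
      <match name="name" exp="^Windows Presentation Foundation"/>
      <match name="filename" exp="^PLACEHOLDER-wpf\.dll$"/>
    </pluginItem>
  </pluginItems>
</blocklist>"""

def _ver(v):
    # Simplified comparison on dotted integers; the toolkit's rules are richer.
    return tuple(int(p) for p in re.findall(r"\d+", v))

def _in_range(version, rng):
    lo, hi = rng.get("minVersion", "0"), rng.get("maxVersion", "*")
    return _ver(lo) <= version and (hi == "*" or version <= _ver(hi))

def blocked_extensions(xml_text, installed):
    # installed: {extension_id: version}; an emItem with no range blocks all versions
    hits = []
    for item in ET.fromstring(xml_text).iter(NS + "emItem"):
        ext_id = item.get("id")
        if ext_id in installed:
            ranges = item.findall(NS + "versionRange")
            if not ranges or any(_in_range(_ver(installed[ext_id]), r) for r in ranges):
                hits.append(ext_id)
    return hits

def blocked_plugins(xml_text, plugins):
    # plugins: dicts with name/description/filename; every <match> regex must hit
    hits = []
    for plugin in plugins:
        for item in ET.fromstring(xml_text).iter(NS + "pluginItem"):
            matches = item.findall(NS + "match")
            if matches and all(re.search(m.get("exp"), plugin.get(m.get("name"), "")) for m in matches):
                hits.append(plugin["filename"])
                break
    return hits
```

The same evaluation runs on every blocklist refresh, which is why a single server-side entry can disable an add-on on all clients without waiting for users to act.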

Nice to see that the people in charge don't hesitate to deploy such a draconian countermeasure when it's needed, even though the Windows Presentation Foundation plugin and its .NET Framework Assistant accomplice are so obscure (the former) and controversial (the latter) that they won't be overly missed. It's hard to imagine the same treatment being delivered to Adobe's big ones any time soon, despite their zero-day exploit rates and the fact that too many browsers run outdated and vulnerable versions (BTW, did you check lately?).

However, many users wonder why Windows Update and other native installers (e.g. Skype or AVG) are allowed to bypass the warning dialog which usually asks for permission before installing a Firefox add-on. The obvious objection, though, is that when you run a certain OS or launch an executable, you're already fully trusting the vendor, and therefore adding further warnings would be just a useless annoyance. Nevertheless, at least knowing that something has been added to your browser is surely desirable. I, for instance, wasn't aware of this "Windows Presentation Foundation" thing until this incident happened. Moreover, some of these "super add-ons" are quite difficult for the average user to uninstall. Fortunately, Mozilla acknowledges these as real problems, and they're being actively addressed.

Some time ago we advised uninstalling the Microsoft .NET Framework Assistant because it was breaking some Firefox extensions.
[Screenshot: Windows Presentation Foundation Plugin in the Add-ons Manager]
Of course, as many noticed at the time, having add-ons from Microsoft installed into Firefox behind your back by a Windows update also expanded the attack surface of the Mozilla browser, by adding the possible (indeed likely) vulnerabilities of Microsoft's technology to the mix. Ironically, this is the very argument used by Microsoft itself against Google Frame.

This easy prediction is reality now. According to Microsoft,

MS09-054 addresses an IE vulnerability (CVE-2009-2529), which was discovered and presented by Mark Dowd, Ryan Smith, and David Dewey at the BlackHat conference in July. [...]

A browse-and-get-owned attack vector exists. All that is needed is for a user to be lured to a malicious website. [...]

While the vulnerability is in an IE component, there is an attack vector for Firefox users as well.

The reason is that .NET Framework 3.5 SP1 installs a “Windows Presentation Foundation” plug-in in Firefox.
Via this plug-in it is possible to launch XBAP, and reach this vulnerability, from within Firefox.

The Windows Presentation Foundation plugin enables "XAML Browser Applications" (XBAPs) to run inside your browser. Ironically, this appears to be Microsoft's late equivalent of Java applets, with some ActiveX scent as a bonus (native code). Talk about lessons learned...

In order to protect yourself, open Tools|Add-ons|Plugins, select Windows Presentation Foundation, and click the Disable button.
