Back in February, Microsoft silently slipped a Windows Presentation Foundation plugin into Firefox without users' consent. The plugin came with .NET Framework 3.5 Service Pack 1 and was installed into IE as well as Firefox via Windows Update.
It has now been discovered that the plugin exposes Firefox users to a serious vulnerability in the underlying WPF code, opening them to "browse and you're owned" attacks in which merely visiting a malicious page is enough. According to Microsoft's Security Research and Defense blog:
A browse-and-get-owned attack vector exists. All that is needed is for a user to be lured to a malicious website. Triggering this vulnerability involves the use of a malicious XBAP (XAML Browser Application). Please note that while this attack vector matches one of the attack vectors for MS09-061, the underlying vulnerability is different. Here, the affected process is the Windows Presentation Foundation (WPF) hosting process, PresentationHost.exe.
While the vulnerability is in an IE component, there is an attack vector for Firefox users as well. The reason is that .NET Framework 3.5 SP1 installs a "Windows Presentation Foundation" plug-in in Firefox, as shown below.
The good news is that Microsoft has released a fix (MS09-054), which is delivered through Windows Update. Firefox users who have not yet installed this update should open "Tools" -> "Add-ons" -> "Plugins", select "Windows Presentation Foundation", and click "Disable". Note that disabling the plugin only removes the Firefox attack vector (Firefox will no longer load XBAPs); the vulnerable code itself is fixed only by installing the update.
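For administrators who would rather audit and fix many machines than click through each Firefox profile, the following PowerShell script is an added example (not code from the original post or from Microsoft). It assumes, based on how .NET 3.5 SP1 advertises plugins to Firefox, that the registration lives under the machine-wide key HKLM\SOFTWARE\MozillaPlugins in a subkey named "@microsoft.com/WPF,version=3.5" whose "Path" value points at NPWPF.dll; both the key name and the DLL name are assumptions, which is why the script matches on either. Run it from an elevated PowerShell.

```powershell
# Added example, not from the original post: audit a Windows host for the
# WPF plugin that .NET Framework 3.5 SP1 registers with Firefox, and
# optionally unregister it so Firefox stops loading it for every profile.
# Assumption (not stated on the page): the plugin is advertised through
#   HKLM\SOFTWARE\MozillaPlugins\@microsoft.com/WPF,version=3.5
# with a "Path" value pointing at NPWPF.dll. Run elevated.
param(
    [switch]$Unregister   # delete the registration instead of only reporting it
)

$roots = @(
    'HKLM:\SOFTWARE\MozillaPlugins',
    'HKLM:\SOFTWARE\Wow6432Node\MozillaPlugins'   # 32-bit Firefox on 64-bit Windows
)

$found = @()
foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem -Path $root) {
        $dll = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).Path
        # Match on the assumed key name or on the assumed DLL name, so a
        # differently versioned registration is still caught.
        if ($key.PSChildName -like '*WPF*' -or ($dll -and $dll -like '*NPWPF.dll')) {
            $found += [pscustomobject]@{
                Key       = $key.PSPath
                Dll       = $dll
                DllOnDisk = [bool]($dll -and (Test-Path -Path $dll))
            }
        }
    }
}

if ($found.Count -eq 0) {
    Write-Output 'No Windows Presentation Foundation plugin registration found for Firefox.'
    return
}

$found | Format-Table -AutoSize

if ($Unregister) {
    foreach ($f in $found) {
        # Removing the registration hides the plugin from Firefox for all users;
        # it does not patch the WPF code, so MS09-054 still needs to be installed.
        Remove-Item -Path $f.Key -Recurse -Force
        Write-Output "Removed $($f.Key); restart Firefox and confirm the plugin no longer appears under Tools > Add-ons > Plugins."
    }
} else {
    Write-Output 'WPF plugin is registered with Firefox. Install MS09-054, disable the plugin in Firefox, or rerun with -Unregister.'
}
```

Deleting the registration key is the machine-wide equivalent of the per-profile "Disable" click: Firefox simply stops discovering the plugin. It is a workaround, not a fix, so the update should still be deployed, and the key will return if .NET 3.5 SP1 is repaired or reinstalled.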
Installing a vulnerable plugin into another vendor's browser without user consent is a shame on Microsoft's part, especially while it complains that Google's Chrome Frame makes IE less secure.
Comments for “Microsoft’s Plug-in puts Firefox Users at Risk”