Mozilla Blocks Microsoft Security Add-ons

Mozilla disables two Microsoft add-ons for Firefox to thwart a vulnerability that allows an attacker to take over Windows machines

Mozilla is blocking the use of two Microsoft add-ons installed silently on Windows computers with .NET Framework 3.5 Service Pack 1.

Mozilla is blocking the Microsoft .NET Framework Assistant and Windows Presentation Foundation components in light of a vulnerability that attackers can use to impact Firefox users.

“Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism,” Mike Shaver, vice president of engineering at Mozilla, blogged on 16 Oct. “Microsoft agreed with the plan, and we put the blocklist entry live immediately.”

The vulnerability at the heart of the issue is CVE-2009-2529, covered here in Microsoft’s latest batch of Patch Tuesday bulletins. To exploit the vulnerability in question, all that is needed is for a user to visit a malicious site, Microsoft explained on its Security Research and Defense blog.

“Triggering this vulnerability involves the use of a malicious XBAP (XAML Browser Application),” according to the Microsoft blog. “Please note that while this attack vector matches one of the attack vectors for MS09-061, the underlying vulnerability is different. Here, the affected process is the Windows Presentation Foundation (WPF) hosting process, PresentationHost.exe.

“For Firefox users with .NET Framework 3.5 installed, you may use ‘Tools’-> ‘Add-ons’ -> ‘Plugins,’ select ‘Windows Presentation Foundation,’ and click ‘Disable,'” Microsoft added.

Firefox users who download the Microsoft patch are protected against the vulnerability as well, according to the Microsoft blog.

This is not the first time Mozilla has shown concern for plug-ins from other vendors. Earlier this year, the company decided to warn users if they are using a vulnerable version of Adobe Flash Player plug-in.