
October 16th, 2009

Microsoft exposes Firefox users to drive-by malware downloads

Posted by Ryan Naraine @ 9:24 am

Categories: Adobe, Anti Virus, Arbitrary Code Execution, Browsers, Complex Attacks, Data theft, Denial of Service (DoS), Exploit code, Firefox, Flash, Google, Google Chrome, Hackers, Malware, Metasploit, Microsoft, Mozilla, Open source, Passwords, Patch Watch, Pen testing

Tags: Google Inc., Mozilla Firefox, Vulnerability, Malware, Microsoft Internet Explorer, Microsoft Corp., Attack Vector, Web Browser, Google Chrome, Plug-in

Remember that Microsoft .NET Framework Assistant add-on that Microsoft sneaked into Firefox without explicit permission from end users?

Well, the code in that add-on has a serious code execution vulnerability that exposes Firefox users to the “browse and you’re owned” attacks that are typically used in drive-by malware downloads.

[ SEE: Patch Tuesday: MS plugs critical IE, Windows Media Player holes ]

The flaw was addressed in the MS09-054 bulletin that covered “critical” holes in Microsoft’s Internet Explorer but, as Redmond’s Security Research & Defense team explains, the drive-by download risk extends beyond Microsoft’s browser.

A browse-and-get-owned attack vector exists. All that is needed is for a user to be lured to a malicious website. Triggering this vulnerability involves the use of a malicious XBAP (XAML Browser Application). Please note that while this attack vector matches one of the attack vectors for MS09-061, the underlying vulnerability is different. Here, the affected process is the Windows Presentation Foundation (WPF) hosting process, PresentationHost.exe.

While the vulnerability is in an IE component, there is an attack vector for Firefox users as well. The reason is that .NET Framework 3.5 SP1 installs a “Windows Presentation Foundation” plug-in in Firefox.

Now, Microsoft’s security folks are actually recommending that Firefox users uninstall the buggy add-on:

For Firefox users with .NET Framework 3.5 installed, you may use “Tools”-> “Add-ons” -> “Plugins”, select “Windows Presentation Foundation”, and click “Disable”.

This introduction of vulnerabilities in a competing browser is a colossal embarrassment for Microsoft.  At the time of the surreptitious installs, there were prescient warnings from many in the community about the security implications of introducing new code into browsers without the knowledge — and consent — of end users.

[ SEE: Microsoft says Google Chrome Frame doubles IE attack surface ]

This episode also underscores some of the hypocrisy that has risen to the surface in the new browser wars.  When Google announced it would introduce a plug-in that runs Google Chrome inside Microsoft’s Internet Explorer, Microsoft whipped out the security card and warned that Google’s move increased IE’s attack surface.

“Given the security issues with plug-ins in general and Google Chrome in particular, Google Chrome Frame running as a plug-in has doubled the attack area for malware and malicious scripts. This is not a risk we would recommend our friends and families take.”

Of course, when it’s Microsoft introducing the security risk to other browsers (Silverlight, anyone?), we should all just grin and take it.

* Image via DevExpress.  Hat tip to Gregg Keizer.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.

