Microsoft exposes Firefox users to drive-by malware downloads
10-16-2009, 08:47 PM,
#1
Microsoft exposes Firefox users to drive-by malware downloads
Quote:Microsoft exposes Firefox users to drive-by malware downloads

Remember that Microsoft .NET Framework Assistant add-on that Microsoft sneaked into Firefox without explicit permission from end users?

Well, the code in that add-on has a serious code execution vulnerability that exposes Firefox users to the “browse and you’re owned” attacks that are typically used in drive-by malware downloads.

The flaw was addressed in the MS09-054 bulletin that covered “critical” holes in Microsoft’s Internet Explorer but, as Redmond’s Security Research & Defense team explains, the drive-by download risk extends beyond Microsoft’s browser.

A browse-and-get-owned attack vector exists. All that is needed is for a user to be lured to a malicious website. Triggering this vulnerability involves the use of a malicious XBAP (XAML Browser Application). Please note that while this attack vector matches one of the attack vectors for MS09-061, the underlying vulnerability is different. Here, the affected process is the Windows Presentation Foundation (WPF) hosting process, PresentationHost.exe.

While the vulnerability is in an IE component, there is an attack vector for Firefox users as well. The reason is that .NET Framework 3.5 SP1 installs a “Windows Presentation Foundation” plug-in in Firefox.

Now, Microsoft’s security folks are actually recommending that Firefox users uninstall the buggy add-on:

For Firefox users with .NET Framework 3.5 installed, you may use “Tools”-> “Add-ons” -> “Plugins”, select “Windows Presentation Foundation”, and click “Disable”.

This introduction of vulnerabilities in a competing browser is a colossal embarrassment for Microsoft. At the time of the surreptitious installs, there were prescient warnings from many in the community about the security implications of introducing new code into browsers without the knowledge — and consent — of end users.

This episode also underscores some of the hypocrisy that has risen to the surface in the new browser wars. When Google announced it would introduce a plug-in that runs Google Chrome inside Microsoft’s Internet Explorer, Microsoft whipped out the security card and warned that Google’s move increased IE’s attack surface.

“Given the security issues with plug-ins in general and Google Chrome in particular, Google Chrome Frame running as a plug-in has doubled the attack area for malware and malicious scripts. This is not a risk we would recommend our friends and families take.”


Of course, when it’s Microsoft introducing the security risk to other browsers (Silverlight, anyone?), we should all just grin and take it.
Source
“Today’s scientists have substituted mathematics for experiments, and they wander off through equation after
equation, and eventually build a structure which has no relation to reality. ” -Nikola Tesla

"When the power of love overcomes the love of power the world will know peace." -Jimi Hendrix
10-16-2009, 09:56 PM, (This post was last modified: 10-16-2009, 09:57 PM by yeti.)
#2
Microsoft exposes Firefox users to drive-by malware downloads
Quote:This introduction of vulnerabilities in a competing browser is a colossal embarrassment for Microsoft.
In order to feel embarrassment, one must feel shame. Microsoft has no shame.
10-16-2009, 10:19 PM,
#3
Microsoft exposes Firefox users to drive-by malware downloads
Quote:
Quote:This introduction of vulnerabilities in a competing browser is a colossal embarrassment for Microsoft.
In order to feel embarrassment, one must feel shame. Microsoft has no shame.

The only shame they feel is that the exploits have become noticed and their attempt to sabotage Firefox has been discovered! :LOL: