Firefox .NET Susceptable to Malware Attacks

An add-on Microsoft slipped into Mozilla Firefox last February now leaves the browser subject to an attack. The threat is being categorized as a "browse-and-get-owned" situation in which hackers lure users to a compromised website.

While Microsoft and Mozilla have been browser rivals for years now, their respective agendas have never been to cause any direct harm to one another. The two companies have an unspoken understanding that marketing campaigns and external advertisements used to lure potential users is the most ethical way to win the battle.

Now, Microsoft is being made to look dishonest after it was learned that one of their 13 security bulletins not only concerned Internet Explorer, but also Firefox. The vulnerability was due to a Microsoft-made plug-in that was marketed to Firefox users eight months ago and was delivered via a Windows Update. (Source: computerworld.com)

Return of Browse-and-Get-Owned

The "browse-and-get-owned" issue is the result of a .NET Framework 3.5 SP1 installation of a "Windows Presentation Foundation" plug-in in Firefox. Numerous experts have complained that their initial warnings of such a compromise fell on deaf ears back in February of this year.

According to Susan Bradley, contributor to the Windows Secrets newsletter, the dangers of the .Net Framework are severe. "The .NET Framework Assistant [the name of the add-on slipped into Firefox] that results can be installed inside Firefox without your approval. Although it was first installed with Microsoft's Visual Studio development program, the .NET component was also seen to have been added to Firefox as part of the .NET Family patch." (Source: infoworld.com)

It should be noted that the above excerpt was taken from her February 12th story.

How to Disable .NET Framework in Firefox

Microsoft has acknowledged the error, claiming that the vulnerability should be treated as a "critical" situation. Microsoft also said that the .Net add-on could be exploited against users running all versions of Internet Explorer, including IE8.

Microsoft says that Firefox users with .NET Framework 3.5 installed can disable the add-ons by going to Tools-> Add-ons -> Plugins, and then select 'Windows Presentation Foundation,' and click Disable. Those who have downloaded the Microsoft patch are protected against the vulnerability as well. (Source: dailytech.com)