• United States



gregg keizer
Senior Reporter

Mozilla Unblocks One Sneaky Microsoft Add-in

Oct 19, 20095 mins
AppleData and Information SecurityEnterprise Applications

Mozilla has unblocked one of the two Microsoft-made add-ons that put Firefox users at risk from attack and will probably unblock the second in the next 48 hours, the company's head of engineering said today.

Mozilla has unblocked one of the two Microsoft-made add-ons that put Firefox users at risk from attack and will probably unblock the second in the next 48 hours, the company’s head of engineering said today.

“We’ve unblocked the .NET Framework Assistant,” said Mike Shaver, Mozilla’s vice president of engineering, on Monday morning. Shaver was referring to one of the two Microsoft components that Mozilla automatically disabled late Friday after deciding it needed to protect Firefox users from a critical vulnerability Microsoft disclosed, and patched, last week. “We got confirmation from Microsoft over the weekend that the add-on wasn’t a[n attack] vector for the vulnerability in question,” said Shaver.

Late on Friday, Mozilla added .Net Framework Assistant and the accompanying Windows Presentation Foundation plug-in to its rarely-used blocking list , which then threw up a warning to users notifying them that the pair was being barred from Firefox.

Mozilla has also pushed out a change that will let users running Firefox 3.5 override the block, added Shaver. That change came out of discussions with enterprise Firefox users who said that they needed the two components to run their .NET-based software within the browser.

The block of Windows Presentation Foundation will likely be lifted in the next two days. “Microsoft is watching the patch deployment numbers, and sharing them with us,” said Shaver. “At some point, we’ll take the [Windows Presentation Foundation] plug-in off the blocker. I expect that to happen in the next 48 hours.”

Last week, Microsoft’s security team acknowledged that its software — which had been silently installed in Firefox as far back as February 2009 — contained a critical vulnerability that could be used by hackers to hijack Windows PCs through Firefox . The vulnerability also affected all versions of Internet Explorer (IE), including IE8.

However, the MS09-054 bulletin, which provided details on the vulnerability, said nothing about Firefox. Later last Tuesday, Microsoft expanded on MS09-054 in a blog post, and confirmed that Firefox users were in danger .

Microsoft maintained that Firefox users who applied the patches would be safe from attack, but Mozilla felt that was not enough. Friday, Shaver cited the severity of the vulnerability and the difficulty some users have had in removing Microsoft’s software as Mozilla’s reasons for engaging the blocking list.

Removing the Microsoft add-on and plug-in have been a contentious issue since Microsoft first slipped them into Firefox without users’ permission last February as part of the .NET Framework 3.5 Service Pack 1 (SP1) update, which was delivered via Windows Update.

Users were also furious that the software was impossible to uninstall without editing the Windows registry. Later, Microsoft issued a follow-on update that made it possible to uninstall the components without a registry edit.

Shaver denied that there was miscommunication between Microsoft and Mozilla, and instead characterized it as a “lack of clarity.”

“We’re going to be in better communication,” he promised, “especially about things like the version number of the [affected] plug-in.” One of the problems Mozilla had last week was determining what — .NET Framework Assistant or Windows Presentation Foundation, or both — was vulnerable, and specifically what versions were at risk to attack.

“This was an unusual case of using the blocker,” Shaver said. “Version information was not available to us at first, and since [the software] was installed by many users, many of them were unaware they even had it, and the add-on and plug-in were difficult to uninstall, we thought it best to block them, at least for a time. Microsoft agreed.”

Mozilla has used its add-on/plug-in blocking tool only nine times, including last week’s incident, since it first deployed it in 2007.

In the future, Firefox will include built-in tools that check whether components have been added by third-party software, then disable the add-on or plug-in by default and notify the user and allow him or her to enable the component(s). That kind of check, if it had existed earlier this year, would have kept the Microsoft software from being installed without Firefox users noticing.

“We’re big believers in informed user choice,” said Shaver. “So we’re going to improve notifications to users when plug-ins are installed. We do that with add-ons in Firefox now, which checks for those added since the last time you ran the browser. We will do the same thing for plug-ins, likely in Firefox 3.7.”

That version of Firefox, the second of two minor upgrades scheduled for the next six months, is currently slated to ship in March 2010.

Since Version 3.0, Firefox has notified users when any new add-ons, called “extensions” by Mozilla, have been installed since the last time the browser was launched. That notification, however, is “poor,” acknowledged Shaver, since it simply highlights the new add-ons in a window and most importantly, does so after the add-on has already been installed.

The plan now is to make those notifications clearer, and also to warn about system-installed items before they’re running, Shaver said.

“We’re also building our plug-in check into the product for Firefox 3.6,” added Shaver, referring to the outdated plug-in campaign that Mozilla kicked off last month, and bolstered last week when it launched a plug-in checking service . Firefox 3.6 will warn users of outdated third-party plug-ins, like Adobe’s Flash or Apple ‘s QuickTime, when the browser reaches a site that calls upon such software.

“We’ve learned a lot from this,” concluded Shaver. “We’re not trying to get into an adversarial model, but this was more visible than most [blocks in the past] because of the size of the company involved and the history of the plug-in.

“I would call the communication between us and Microsoft ‘greatly clarified’ as of now,” Shaver said.