Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sneaky Microsoft Add-On Put Firefox Users At Risk

Posted by ScuttleMonkey on from the bad-microsoft-no-donut dept.

CWmike writes to mention that the "Windows Presentation Foundation" plugin that Microsoft slipped into Firefox last February apparently left the popular browser open to attack. This was among the many things recently addressed in the massive Tuesday patch. "What was particularly galling to users was that once installed, the .NET add-on was virtually impossible to remove from Firefox. The usual 'Disable' and 'Uninstall' buttons in Firefox's add-on list were grayed out on all versions of Windows except Windows 7, leaving most users no alternative other than to root through the Windows registry, a potentially dangerous chore, since a misstep could cripple the PC. Several sites posted complicated directions on how to scrub the .NET add-on from Firefox, including Annoyances.org."

3 of 333 comments (clear)

  1. Sabotage? by Reyendo · · Score: 5, Insightful

    Maybe it's a little paranoid, but... Doesn't Microsoft potentially benefit from Firefox vulnerabilities? I mean, IE isn't doing so well right now, and this could discredit Firefox a little.

    1. Re:Sabotage? by FlyingBishop · · Score: 5, Insightful

      This is a .NET vulnerability, on MS Windows. Firefox being the vehicle is entirely Microsoft's fault as the maintainer of the .NET plugin.

    2. Re:Sabotage? by shutdown+-p+now · · Score: 5, Insightful

      Maybe it's a little paranoid, but... Doesn't Microsoft potentially benefit from Firefox vulnerabilities? I mean, IE isn't doing so well right now, and this could discredit Firefox a little.

      I'm the one who found and reported one of the vulnerabilities (CVE-2009-0090) in this batch that affects Firefox, and I strongly doubt that it was in any way intentional - the vulnerability itself is a fairly obscure corner case in .NET bytecode validator/verifier, and, so far as I can tell, it has been there for a very long time, seemingly before WPF was even released. All in all, it looks like a genuine bug.

      A testament to its obscurity is the way I encountered it - I was designing an Algol-60 compiler targetting .NET, and was looking for an efficient way to pass Algol function-type function arguments (which are effectively vararg on the caller side) without having to lift outer locals used by captured functions to heap. Only after coming up with an efficient design and testing that it works, I realized the implications of what I had just done to the verifier.

      I cannot comment on CVE-2009-2529 (the second Firefox-affecting vulnerability), but I don't see how it would be any different. Really, the idea of MS deliberately adding vulnerabilities to its products in hope of marginally affecting Firefox by them (remember that IE is hit much worse...) is pretty absurd - even if you disregard the notion of business reputation when it comes to MS, it poses a very high legal liability. No-one in a sane mind would even contemplate doing such a thing.

      Disclaimer: I do work for Microsoft at present, though not on the affected products. I did not work for Microsoft when I discovered and reported that vulnerability.