Mozilla blocks Microsoft plug-ins
Yesterday, Mozilla added two of Microsoft’s browser plug-ins to its blocklist. Introduced in 2007, the blocklist automatically prevents malicious software from being used in Firefox.
The Microsoft .NET Framework Assistant and Windows Presentation Foundation were added, for reasons of their vulnerability to remote code execution. All versions for all applications have been blocked.
Mike Shaver, Mozilla’s Vice President of Engineering, stated in a blog post, that because of the difficulty in removing the plug-ins and the severity of the security risk, Mozilla decided to blocklist them. “Microsoft agreed with the plan, and we put the blocklist entry live immediately.”
It has since been confirmed by Microsoft that the Framework Assistant is not a mechanism for an exploit and Shaver says it has been removed from the blocklist, although the entry still appears on the blocklist page.
Last week, Microsoft admitted that the plug-ins, which have been quietly installed alongside Firefox since February, opened up a critical security exploit to both IE and Firefox users.
Known as a browse-and-get-owned exploit, by simply visiting a malicious website, users open themselves up to having 3rd party software installed on their system. The Windows Presentation Foundation plug-in is the culprit allowing such attacks to take place in the browser.
The vulnerability was addressed with the record setting security patch issued last week, but there was no mention of Firefox. The executive summary was revised yesterday to include reference to the Firefox fix, but clearly this isn’t good enough for Mozilla.
Firefox & Microsoft plug-ins: comments and views
Loading ...