Disable MS09-054 patch, or Firefox Plugin?
The .NET Framework 3.5 SP1 installs a “Windows Presentation Foundation” plug-in in Firefox. That in and of itself may be cause for concern. But wait, there is more. MS09-054 was issued to address an IE vulnerability (CVE-2009-2529). As it turns out, the vulnerability could also be exploited via Firefox. If you could launch XBAP using a browser, the vulnerability could be exploited. For users of either browser it is recommended to disable XBAP. So essentially a security fix introduced additional issues? The irony is, well...
More information from Microsoft is available here.
So, if you use Windows, install patches, and also have Firefox, oddly enough you will want to read the following Microsoft KB article entitled "How to remove the .NET Framework Assistant for Firefox".
Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
Comments
Eremita
Oct 17th 2009
1 decade ago
So your statement, "So, essentially a security fix introduced additional issues?" is really only true as it regards 3.5 SP1, which while it may contain undocumented security fixes, is a service pack that primarily contains reliability and functionality improvements. One of those functionality improvements is the Firefox plugin, and there has been a lot of discussion about the ethics and reasonableness of Microsoft's decision to develop and deploy that plugin through this mechanism, but I don't think that's what you were referring to in this post.
As I understand the situation (independent of Mozilla's blocklist update), your last line should read, "So, if you use Windows, installed .NET Framework 3.5 SP1, but aren't planning on installing MS09-054, and also have Firefox, in addition to carrying out the workaround to disable XBAP for IE, oddly enough you'll want to read . . ."
In your defense, the SRD posting says at the bottom, "Updated October 16, 2009 - updated blog post to clarify that Firefox users are protected from CVE-2009-2529 if they install the MS09-054 update". So perhaps the original posting was not worded very clearly, which helped fuel this whole firestorm!
:-)
Anonymous
Oct 17th 2009
1 decade ago