Microsoft's recent Patch Tuesday addressed a remote code execution vulnerability affecting the Windows Presentation Foundation (WPF) hosting process. Mozilla acted to protect its users by adding the Windows Presentation Foundation plug-in for Firefox to its blocklist, along with the .NET Framework Assistant extension.
With Service Pack 1 update for Microsoft .NET Framework 3.5, released back in August 2008, Microsoft also added ClickOnce support for Firefox in the form of a Firefox extension called Microsoft .NET Framework Assistant. A related Windows Presentation Foundation plug-in has also been installed in the browser to support other .NET Framework features.
These two add-ons were installed surreptitiously at machine level, without the user's consent, an action that at the time enraged many security-conscious Firefox users. This method of deployment also caused the Uninstall button for the .NET Framework Assistant extension to be grayed out, a problem that Microsoft later fixed.
A remote code execution vulnerability discovered and presented at the Black Hat security conference by Mark Dowd, Ryan Smith, and David Dewey has been addressed as part of the
MS09-054 security bulletin released on October 13. This bug can be exploited by tricking users into visiting a page that loads a maliciously-crafted XAML Browser Application (XBAP). Microsoft
describes this as a browse-and-get-owned attack.
The Redmond software giant stresses that both IE and Firefox users are protected if they deploy the patch contained in MS09-054, but this is not enough for the maintainers of addons.mozilla.org (AMO). The AMO team has
decided to add both the Windows Presentation Foundation plug-in and the .NET Framework Assistant extension to the Add-ons Blocklist.
This service is queried at predefined intervals by Mozilla products and the add-ons listed there are automatically disabled. “Microsoft .NET Framework Assistant and Windows Presentation Foundation, all versions, for all applications. Reason: remote code execution vulnerability,” a new entry that was added yesterday
reads.
Firefox users who had the Microsoft .NET Framework Assistant and/or Windows Presentation Foundation installed will be prompted with a warning dialog informing them that the two add-ons will be disabled due to security problems. The process will be complete after a browser restart, at which time clicking on their respective entries in the Add-ons window will read that they have been “Disabled for your protection.”
Users who have not yet received the warning dialog and still have these add-ons enabled, can force the check manually. This is done by opening the Error Console (Tools > Error Console from the Firefox menu or Ctrl+Shift+J), pasting
Components.classes['@mozilla.org/extensions/blocklist;1'].getService(Components.interfaces.nsITimerCallback).notify(null) into the console's Code field and pressing Evaluate.
In addition, the Microsoft .NET Framework Assistant has also been removed from the official add-ons repository. The https://addons.mozilla.org/en-US/firefox/addon/9449 now says “Add-on not found” and redirects to the main page. The page is still accessible in search engine caches though.
Update: Mozilla has unblocked the .NET Framework Assistant extension and has restored its entry on the official add-ons repository. Read more on the debate caused by the incident
here.
