Saturday, October 17, 2009

MS Stealth Install Exposes Firefox Users to Vulnerability

Earlier this year, Microsoft released the .NET Framework 3.5 update. At the same time, as an added bonus, end users would get an extra Firefox extension, the "Microsoft .NET Framework Assistant (ClickOnce)," without being asked. That's bad enough, but at the same time the extension made Firefox vulnerable to attack.

This sort of behavior is what I call a stealth install. Sometimes what's installed is spyware, or adware, and sometimes you can't get rid of it. That was the case with the original version of the extension: it could not be disabled or uninstalled, unlike most Firefox extensions, without some registry editing, not something most people are comfortable with.

Later versions added the ability to uninstall and delete the extension. That doesn't make the stealth install any more forgivable, however. And the fact that it added a vulnerability to Firefox adds insult to injury.

In a post on Microsoft's Security Research and Defense site, the company said:
While the vulnerability is in an IE component, there is an attack vector for Firefox users as well. The reason is that .NET Framework 3.5 SP1 installs a “Windows Presentation Foundation” plug-in in Firefox [...]
Nice. My recommendation? Uninstall the darn thing. It's not like you can't live without the functionality it adds to Firefox.
ClickOnce enables the user to install and run a Windows application by clicking a link in a web page. The core principle of ClickOnce is to bring the ease of deployment of web applications to the Windows user. In addition, ClickOnce aims to solve three other problems with conventional deployment models: the difficulty in updating a deployed application, the impact of an application to the user's computer, and the need for administrator permissions to install applications.
The vulnerability was patched by Microsoft in its Patch Tuesday release for October. According to Microsoft, the vulnerability is "critical," and can be exploited against any version of IE, including IE8.
Ads by AdGenta.com


No comments: