posted by Kroc Camen on Sat 17th Oct 2009 05:27 UTC
IconWhilst it's not okay in Microsoft's eyes for Google to install a plugin into Internet Explorer, increasing the potential surface area of attack, when Microsoft do it to Firefox, it's a different matter. Now a security hole has been found in a plugin that Microsoft have been silently installing into Firefox.

Along with .NET Framework 3.5 SP1, Microsoft have been silently installing a Windows Presentation Foundation Plugin that allows the embedding of XAML applications (an XML-based UI technology) in web pages, called XBAP (XAML Web App).

The exploit is drive-by, meaning that the victim only needs to be lured onto a web-page for the attack to be effective. The only safe thing to do until a patch is issued, is to open Firefox’s AddOn Manager and disable the WPF plugin.

Microsoft were caught earlier this year silently installing a “.NET Framework Assistant” plugin into Firefox, which could not initially be uninstalled. After some pressure from the press, Microsoft relented and provided an update to enable the uninstall button. That update then broke a number of other Firefox extensions.

The only thing that surprises me more, is that I’m not surprised that Microsoft could be this incompetent when it comes to the safety of all users of the web using Windows, regardless if they’re using IE or not.

With greater marketshare than ever before, and a firm position in the mainstream, every software vendor and their dog are wanting to integrate with Firefox. This has led to numerous unwanted, irritating and often uninstallable plugins to add themselves to Firefox. WPF is really only the tip of the iceberg.

Silently installing software on your computer that you are unaware of, is called malware in my book. Mozilla have the capability to blacklist plugins and addons if they misbehave or pose a threat. Frankly, if I were Mozilla, I would ban Microsoft’s plugins from Firefox until they provide an opt-in interface.

This also raises concerns with how Mozilla handle extensions and plugins being installed into the browser without the user’s permission. Whilst Firefox will bring up the AddOns Manager when a new extension is installed, the new extension is not disabled by default until you permit it (Mozilla are working on a proposal for this). External programs on the computer can install extensions into Firefox with nothing more than a registry key, and plugins that are added outside of Firefox itself will not be reported to the user (as in the case with WPF).

With good timing, Mozilla have been working on a Plugin Check system to ensure that users are kept up to date with plugins, which pose a security threat and are a part of the browser users are often unaware of. This follows Mozilla alerting users to an out of date Flash Player version on their landing page for updated Firefox versions.

HTML5 promises to reduce the need for plugins by providing much of the same functionality natively, in the browser via SVG, JavaScript and native video and audio elements. In my opinion, Mozilla need to take a hard stance and stop this plight of plugins as it may turn people off of using Firefox, not least lead to bad press as more plugins are used as exploit vectors in the face of growing Firefox marketshare.

e p (10)    47 Comment(s)

Technology White Papers

See More