Microsoft Patches Firefox?

October 17, 2009

Well, no, not exactly.

Back in May, I posted about a Microsoft software security update that silently, without the user’s knowledge, installed a Firefox add-on called the .Net Framework Assistant.  Apart from the question of whether one software vendor should modify the way another vendor’s software works without the user’s consent, there was some considerable grumbling about the non-standard way in which the plug-in was installed, which made it difficult to remove.

However, I am glad to be able to say that Microsoft did play nicely with Firefox users in one important way: they did not deprive them of the chance to participate in one of Microsoft’s many security vulnerabilities.  As reported in a story in ComputerWorld, one of the patches Microsoft released this past Tuesday was to repair a vulnerability in Internet Explorer that was also introduced, courtesy of the unrequested plug-in, to Firefox.

One of the 13 security bulletins Microsoft released Tuesday affects not only Internet Explorer (IE), but also Firefox, thanks to a Microsoft-made plug-in pushed to Firefox users eight months ago in an update delivered via Windows Update.

The risk of this kind of thing was pointed out earlier in an article at the web site:

The Microsoft .NET Framework 3.5 Service Pack 1 update, pushed through the Windows Update service to all recent editions of Windows in February 2009, installs the Microsoft .NET Framework Assistant Firefox extension without asking your permission.

This update adds to Firefox one of the most dangerous vulnerabilities present in all versions of Internet Explorer: the ability for websites to easily and quietly install software on your PC. Since this design flaw is one of the reasons you may’ve originally chosen to abandon IE in favor of a safer browser like Firefox, you may wish to remove this extension with all due haste.

The horrible design decision to have Internet Explorer allow Web sites to download and run arbitrary executable content must rank as one of the worst security blunders ever.  It has been strongly criticized since the day it was introduced, and is a major reason Microsoft has found it necessary to issue multi-megabyte security patches for Internet Explorer several times a year.

Microsoft itself acknowledged that its extension had introduced a vulnerability into Firefox, in the “Security Research & Defense” blog on its TechNet site:

While the vulnerability is in an IE component, there is an attack vector for Firefox users as well. The reason is that .NET Framework 3.5 SP1 installs a “Windows Presentation Foundation” plug-in in Firefox, as shown below.

Microsoft has published a Knowledge Base article (KB 963707) on how to remove this add-on from Firefox, but the procedure is hardly straightforward.  Basically, there are two choices:

  • Download an update to the extension that installs it on a per-user basis (the normal way to install Firefox add-ons), so that Firefox’s built-in “Uninstall” mechanism for add-ons can be used.
  • Manually remove the extension, which requires deleting a Registry key, resetting an internal Firefox configuration setting (in about:config), and deleting all the files in a particular Windows system folder (subdirectory).

This kind of behavior by a software vendor is really unacceptable.  It is fine that Microsoft wishes to make using PCs easier, but it needs to remember that they belong to the user, not to Microsoft.
