Microsoft and Mozilla leave Web users tangled over 'variant' vulnerability

By Scott M. Fulton, III | Published October 19, 2009, 12:02 PM

[Image: The disabled .NET Framework Assistant Firefox plug-in.]

In what is now indisputably the most important vulnerability addressed during last Tuesday's record round of Windows patches, the two companies most affected by the problem -- Microsoft and, to a lesser extent, Mozilla -- could not help but be caught in a tangle of miscommunication exacerbated to a large extent by overhype from a sea of blogs. As a result, it's everyday users who are left confused and bewildered, even though no known exploit for the vulnerability exists.

The problem involves both the ".NET Framework Assistant" add-on and "Windows Presentation Manager" plug-in made by Microsoft for Mozilla Firefox, both of which are installed automatically -- and without warning -- by Microsoft's .NET Framework 3.5 Service Pack 1. One of Microsoft's patches last week, as explained in a Microsoft bulletin, addresses the functionality of 3.5 SP1 that's made available through these Firefox extensions.

Meanwhile, on its end, Mozilla opted to disable these extensions at the browser level, for reasons explained by its vice president of engineering, Mike Shaver, as, "because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled." The move was made only after having contacted Microsoft first; and Microsoft agreed with the decision, Shaver said.

This contradicts a multitude of reports over the weekend saying that Mozilla had taken action in defiance of Microsoft's extensions.

But this morning, Microsoft issued a clarification to Mozilla, apparently correcting its own misunderstanding of the matter (or rather, when the weekday crew came in to relieve the weekend crew): The extensions themselves actually have nothing whatsoever to do with the Patch Tuesday vulnerability. This despite having been referenced in Microsoft's own security bulletin last Tuesday: "Firefox users who are running the Windows Presentation Foundation (WPF) plug-in and do not have it disabled should also apply this security update."

Upon realizing this news, Shaver announced this morning that Mozilla is un-blocking the two extensions [CORRECTION: only the .NET Framework Assistant add-on, leaving the WPF plug-in blocked].

Yet that creates an entirely new problem, as Betanews discovered this morning: For the same reasons folks had trouble trying to uninstall these extensions before, they'll have trouble now re-installing them -- though .NET Framework Assistant appears in Firefox's Extensions list, the "Enable" button is greyed out, and the same goes for "Windows Presentation Foundation" in Firefox's Plug-ins list.

In an effort to shed some light on this wild subject, here now are some clarifying facts:

  • .NET Framework 3.5 SP1 was not one of the patches presented by Microsoft last Tuesday. When users noticed the two Firefox extensions for the first time this week, it was probably because they ended up installing SP1 at the same time they installed the critical and important Patch Tuesday updates. One of those updates was the Microsoft patch that temporarily disables the extensions' functionality.
  • ClickOnce functionality was not the subject of the vulnerability in question. ClickOnce is Microsoft's now extremely ironic brand name for a technology designed to enable .NET applications to update themselves over the Web, a process which requires elevated privilege since installed code is being replaced. While .NET code could conceivably find itself running with elevated privileges as a result of the ClickOnce problem, the attack vector in question here involves something quite different -- a broad class of possible attack vector that's thus far unexploited (it takes some intelligence), for which .NET Framework was only a case in point.
  • It's not the extensions that are vulnerable in this instance, but rather the .NET Framework functionality which they enable through the browser.
  • Microsoft was not silent about having released its Firefox extensions. In fact, its engineers were quite proud of them, although few independent sources bothered to cover their existence until they became an annoyance (and we're guilty as charged here too). Granted, the world doesn't flock to Scott Hanselman's blog, though engineers can only do so much to tout their efforts. What Microsoft had neglected to do, in hindsight, was provide users with a way to opt out of changing their Firefox settings, or to uninstall these extensions once they appeared there. This has now morphed into a new problem: the lack of any direct ability to re-enable the plug-ins once they've been turned off. Betanews is still experimenting with finding a way to do this (it does not involve editing about:config, unfortunately), and we'll report it to you once we find it.

During a July presentation at the Black Hat conference by security engineers at Hustle Labs, a Microsoft mechanism called XBAP was used as a case-in-point for a demonstration of a much larger problem: the likelihood of vulnerabilities whenever interoperable code components use so-called variant data types to exchange information. Soon afterward, Microsoft began addressing the possibility of an exploit using an attack vector they feared could be inspired by the Hustle Labs demo.

XBAP is a facilitator for XAML, the XML-based layout language that substitutes for HTML for building Web apps. Microsoft began rolling out XBAP in August 2008, with Service Pack 1 to .NET Framework 3.5. Responding at the time to criticism that the company tends to release Web-based functionality for Internet Explorer only, it produced a ".NET Framework Assistant" add-on to Firefox as well, along with a plug-in that enabled XBAP in Firefox.

But neither extension gave Firefox users an option for uninstallation. So when it was revealed that .NET's "ClickOnce" technology was potentially vulnerable, Firefox users were compelled to uninstall it manually. When users learned last weekend that Mozilla was blocking these add-ons, some bloggers assumed it was because of the ClickOnce matter, and reported it as such; ClickOnce is actually unrelated here.

Now, the problem going forward could be a number of Firefox users whose browsers are in need of some repair.


5:35 pm EDT October 19, 2009 · Responding to our story from earlier this morning, Mozilla Vice President for Engineering Mike Shaver told Betanews that this morning's unblocking action freed just the .NET Framework Assistant add-on for Firefox, not the Windows Presentation Foundation plug-in. It is Mozilla's belief, Shaver said, that this plug-in may still expose Firefox users to the principal vulnerability addressed in last Tuesday's Microsoft patch, as long as that plug-in remains enabled.

"We were told by Microsoft that the [.NET Assistant] add-on was vulnerable (and in fact at one point that the WPF plug-in was not, but we corrected that in conversation), and waited for confirmation from them that it wasn't before unblocking it," Shaver told Betanews. "We were not correcting ourselves; we were updating based on a Microsoft correction."

Comments


Microsoft should be embarrassed. Again, somebody has come along and fixed their work. Microsoft should have also asked the user if they wanted to install the plugin. Pretty much the only updates that Microsoft actually asks for are for Service Packs or major upgrades like IE7 to IE8. Other stuff gets installed behind the scenes.

Personally, I use Firefox on Linux where something is installed only when I ask it to be. Nothing is installed automatically. Linux gives you complete freedom where Windows will never give you this same freedom.

http://members.apex-internet.com/sa/windowslinux

Score: -1

|

Mozilla did the right thing here. Even if it wasn't a security vulnerability with the extension itself, Microsoft should have been more clear about the problem. It's a sad age we live in if Microsoft can't even write its own programs to run on its own operating system [take Windows XP for instance]. 3 service packs later. Then there's the "most secure" Vista OS http://www.betanews.com/...cure-OS-Ever/1150366131... 2 service packs later.

Score: -3

|

"It's a sad age we live in if Microsoft can't even write its own programs to run on its own operating system [take windows xp for instance]. 3 service packs later. "

So where's the "Perfect, unpatched" OS? Apparently, if it *ever* gets patches, it's a horrible OS, right?

"Then theres the "most secure" Vista OS http://www.betanews.com/...cure-OS-Ever/1150366131... 2 service packs later.""

So security doesn't evolve? Wow... time to call the 11 o'clock news! They're gonna be blown away by this one! So where's that perfect OS that has been 100% secure since day 1?

Mac and Linux both get patched and get new versions. There does not exist an OS that meets your requirements. I am sure the next version of Mac OS X will be its most secure version yet, and the next Linux kernel patch will likely do the same for it.

For your next troll, may I suggest a good catch-22? You definitely seem to have the strawman arguments down pat now.

Score: 1

|

Let's look at it this way...
Mozilla is applauded for blocking MS plug-ins as a possible security risk. With this, I see no reason Microsoft shouldn't ban Google's Chrome Frame when a security issue comes up ;)
unless there is some sort of double standard.

Score: -2

|

Funny how Microsoft says you should not use plug-ins because they are insecure, yet pushes all its insecure plug-ins on people and is pushing their proprietary Silverturd down everyone's throat.

Score: 0

|

Bravo for them pushing Silverlight down everyone's throat. Maybe if we're lucky it will kill off the horrendously bloated Flash.

Score: -1

|

Erm... horrendously bloated Flash? What are you talking about... my Flash player is installed as an add-on with Firefox. No need to download Silverlight... so which one's the bloatware now? Silverlight is good, though, but web designers and code developers alike still prefer to make websites using Flash, and Adobe's Flash player is still on top. (Hey, if there's nothing wrong, don't fix it, or remake it in Microsoft's case.)

Score: -2

|

"my flash player is installed as an addon with firefox. No need to download silverlight..so which ones the bloatware now?,"

So Silverlight isn't a browser add-on? That's really strange considering I have this thing in my Firefox Add-on plugin window that says it is version 3.0.40818.0 of the Silverlight plug-in for Firefox.

...interestingly enough, it is right below the Shockwave Flash plugin version 10.0.22.87.

Score: 0

|

Try playing flash video on a netbook one day, then try playing silverlight video. The sky will split open and truth shall rain down upon thee.

Score: 0

|

Yes, you may have the plugin PC_Tool, but you don't need it as a Flash plugin is already provided and does the same thing.

Score: -1

|

Oh, and btw PC_Tool, while we are on the subject, the version of the Flash player plugin I have is Shockwave Flash 10.0.32.18 under tools>addons>plugins, and no, I don't have Silverlight as a plugin, you know why... because I didn't INSTALL it. ^^

Sorry for double posting guys, edit time ran out.

Score: -1

|

@Min:

NetFlix.

Kinda hard to stream from them without Silverlight. Since I watch shows/movies on my Netflix account daily, I kinda need Silverlight...and I am glad I do. I had Netflix back when it was Flash-based. CPU usage, RAM usage...way down. Funny that.

Score: -1

|

I'm a web developer (in addition to other IT things) and I'll take Silverlight and XAML over Flash every time. At least I can convert XAML into any other form of XML, not to mention things like PDFs.

Score: 0

|

Geesh, Scott M. Fulton, III, how about a little hyperventilating! "Could not help but be caught in a tangle.." You mean it was inevitable this time? What's your evidence? "..It's everyday users who are left confused and bewildered.." Gee, I don't recall being confused and bewildered, and I really haven't read about anyone else feeling that way. But then you don't present any evidence for that, either.

By your own admission, you were caught out. No reason to project the hysteria in your own mind onto others.

Score: -1

|

Hysteria? Let's not get dramatic, please. Perhaps you haven't seen me when I'm hysterical; usually, it takes a little more than another security scuffle to drive me to that level. Confusion, bewilderment -- um, yes, and I think the evidence of that is out there in the world outside your door.

-SF "Leaves the Hyperventilating to Blogs" 3

Score: -2

|

heh, downvoted on your own blog.
And yes, this site is 100% betablog.

Score: 0

|

Did you even read the article?

quote:
Meanwhile, on its end, Mozilla opted to disable these extensions at the browser level, for reasons explained by its vice president of engineering, Mike Shaver, as, "because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled." The move was made only after having contacted Microsoft first; and Microsoft agreed with the decision, Shaver said.

Score: 3

|

Misunderstanding or crossed information does not fall into the "could not help but" category unless something more basically wrong is operating within one or the other company, or between the two. The article presents no evidence of that, and is too carried away with himself to think it necessary.

Score: 1

|

The entire industry needs to come up with a solution: a standardized method of adding functionality to their base products. Add-ons like Norton free scans, Yahoo toolbar, .net blahdeblah need to be clearly identified as not required, not checked as installable by default, and easily removable.

Score: 1

|

Mozilla is in your browser, disabling your add-ons; next it's AB Plus. What's to stop them?
extensions.blocklist.enabled | false

Score: -4

|

So what is the problem here?
Software vendors routinely fix security issues and offer an update.
Mozilla basically did the same thing.

Score: 1

|
