Microsoft plug-in puts Firefox users at risk
By: Greg Keizer
On: 16 Oct 2009
For: ComputerWorld (US)
Microsoft add-on leaves Firefox users open to attack ...
An add-on that Microsoft silently slipped into Mozilla's Firefox last February leaves that browser open to attack, Microsoft's security engineers acknowledged earlier this week.
One of the 13 security bulletins Microsoft released Tuesday affects not only Internet Explorer (IE), but also Firefox, thanks to a Microsoft-made plug-in pushed to Firefox users eight months ago in an update delivered via Windows Update.
"While the vulnerability is in an IE component, there is an attack vector for Firefox users as well," admitted Microsoft engineers in a post to the company's Security Research & Defense blog on Tuesday. "The reason is that .NET Framework 3.5 SP1 installs a 'Windows Presentation Foundation' plug-in in Firefox."
The Microsoft engineers described the possible threat as a "browse-and-get-owned" situation that only requires attackers to lure Firefox users to a rigged Web site.
Numerous users and experts complained when Microsoft pushed the .NET Framework 3.5 Service Pack 1 (SP1) update to users last February, including Susan Bradley, a contributor to the popular Windows Secrets newsletter.
"The .NET Framework Assistant [the name of the add-on slipped into Firefox] that results can be installed inside Firefox without your approval," Bradley noted in a Feb. 12 story. "Although it was first installed with Microsoft's Visual Studio development program, I've seen this .NET component added to Firefox as part of the .NET Family patch."
What was particularly galling to users was that once installed, the .NET add-on was virtually impossible to remove from Firefox. The usual "Disable" and "Uninstall" buttons in Firefox's add-on list were grayed out on all versions of Windows except Windows 7, leaving most users no alternative other than to root through the Windows registry, a potentially dangerous chore, since a misstep could cripple the PC. Several sites posted complicated directions on how to scrub the .NET add-on from Firefox, including Annoyances.org.
Annoyances also said the threat to Firefox users is serious. "This update adds to Firefox one of the most dangerous vulnerabilities present in all versions of Internet Explorer: the ability for Web sites to easily and quietly install software on your PC," said the hints and tips site. "Since this design flaw is one of the reasons [why] you may have originally chosen to abandon IE in favor of a safer browser like Firefox, you may wish to remove this extension with all due haste."
Specifically, the .NET plug-in switched on a Microsoft technology dubbed ClickOnce, which lets .NET apps automatically download and run inside other browsers.
Microsoft reacted to criticism about the method it used to install the Firefox add-on by issuing another update in early May that made it possible to uninstall or disable the .NET Framework Assistant. It did not, however, apologize to Firefox users for slipping the add-on into their browsers without their explicit permission -- as is the case for other Firefox add-ons, or extensions.
This week, Microsoft did not revisit the origin of the .NET add-on, but simply told Firefox users that they should uninstall the component if they weren't able to deploy the patches provided in the MS09-054 update.
According to Microsoft, the vulnerability is "critical," and also can be exploited against users running any version of IE, including IE8.
Greg Keizer is a contributor to the International Data Group (IDG) News Service, which publishes global technology stories from bureaus around the world to more than 300 publications in more than 60 countries.