
SANS ISC: Disable MS09-054 patch, or Firefox Plugin? - SANS Internet Storm Center

Disable MS09-054 patch, or Firefox Plugin?

The .NET Framework 3.5 SP1 installs a "Windows Presentation Foundation" plug-in in Firefox. That in and of itself may be cause for concern. But wait, there is more. MS09-054 was issued to address an IE vulnerability (CVE-2009-2529). As it turns out, the vulnerability could also be exploited via Firefox: if a browser can launch XBAP applications, the vulnerability could be exploited through it. For users of either browser it is recommended to disable XBAP. So essentially a security fix introduced additional issues? The irony is, well...

More information from Microsoft is available here.

So, if you use Windows, install patches, and also have Firefox, oddly enough you will want to read the following Microsoft KB article, entitled "How to remove the .NET Framework Assistant for Firefox".

Adrien de Beaupré Inc.
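Before following the KB article, an administrator usually wants to know which machines actually carry the Firefox registrations that .NET 3.5 SP1 added. The following PowerShell script is an added example, not code from the ISC diary or from Microsoft's KB; it assumes that the machine-wide Firefox registrations live under HKLM\SOFTWARE\Mozilla\Firefox\Extensions (extension ID as value name, install path as value data) and HKLM\SOFTWARE\MozillaPlugins (one subkey per NPAPI plugin with a Path value), and it identifies the .NET components by the string "Windows Presentation Foundation" in the registered path rather than by a hard-coded extension ID.

```powershell
# Added example: inventory (and optionally remove) machine-wide Firefox registrations that
# point at the .NET 3.5 "Windows Presentation Foundation" components.
# Assumption: matching on the path string is sufficient; no extension GUID is hard-coded.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # without -Remove the script only reports what it finds
)

$pattern  = 'Windows Presentation Foundation'
$findings = @()

# 1. Extensions registered machine-wide: value name = extension ID, value data = install path.
foreach ($hive in 'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions',
                  'HKLM:\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions') {
    if (-not (Test-Path $hive)) { continue }
    $key = Get-Item $hive
    foreach ($name in $key.GetValueNames()) {
        $path = [string]$key.GetValue($name)
        if ($path -like "*$pattern*") {
            $findings += [pscustomobject]@{ Kind = 'Extension'; Key = $hive; Name = $name; Path = $path }
        }
    }
}

# 2. NPAPI plugins: one subkey per plugin, 'Path' value points at the DLL.
foreach ($hive in 'HKLM:\SOFTWARE\MozillaPlugins', 'HKLM:\SOFTWARE\Wow6432Node\MozillaPlugins') {
    if (-not (Test-Path $hive)) { continue }
    foreach ($sub in Get-ChildItem $hive) {
        $path = [string]$sub.GetValue('Path')
        if ($path -like "*$pattern*") {
            $findings += [pscustomobject]@{ Kind = 'Plugin'; Key = $sub.PSPath; Name = $sub.PSChildName; Path = $path }
        }
    }
}

if (-not $findings) { Write-Output 'No WPF-related Firefox extension or plugin registrations found.'; return }
$findings | Format-Table Kind, Name, Path -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        # ShouldProcess honours -WhatIf / -Confirm so the removal can be rehearsed first
        if ($PSCmdlet.ShouldProcess("$($f.Key) [$($f.Name)]", 'Remove Firefox registration')) {
            if ($f.Kind -eq 'Extension') { Remove-ItemProperty -Path $f.Key -Name $f.Name }
            else                          { Remove-Item -Path $f.Key -Recurse }
        }
    }
    Write-Output 'Restart Firefox so it re-reads the registry registrations.'
}
```

Run it with -Remove -WhatIf first to see what would be deleted; copies of the extension installed into an individual Firefox profile directory are not covered by these registry locations.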

Adrien de Beaupre, ISC Handler, Jan 25th 2011
Just before I read this, Firefox informed me it was blocking "Windows Presentation Foundation" as unreliable and unstable. I agreed. Does that mean I do not need to remove the .NET Framework? It does not show up in my list of add-ons.
The MS SRD blog post says, "Customers should apply MS09-054 as this addresses the underlying vulnerability for all users, both IE and Firefox. While you’re evaluating and testing your deployment of MS09-054, you may want to consider the following workarounds."

So your statement, "So, essentially a security fix introduced additional issues?" is really only true as it regards 3.5 SP1, which while it may contain undocumented security fixes, is a service pack that primarily contains reliability and functionality improvements. One of those functionality improvements is the Firefox plugin, and there has been a lot of discussion about the ethics and reasonableness of Microsoft's decision to develop and deploy that plugin through this mechanism, but I don't think that's what you were referring to in this post.

As I understand the situation (independent of Mozilla's blocklist update), your last line should read, "So, if you use Windows, installed .NET Framework 3.5 SP1, but aren't planning on installing MS09-054, and also have Firefox, in addition to carrying out the workaround to disable XBAP for IE, oddly enough you'll want to read . . ."

In your defense, the SRD posting says at the bottom, "Updated October 16, 2009 - updated blog post to clarify that Firefox users are protected from CVE-2009-2529 if they install the MS09-054 update". So perhaps the original posting was not worded very clearly, which helped fuel this whole firestorm!
