A .NET Security Vulnerability Has Affected Firefox
A security vulnerability that has hit Internet Explorer through .NET has also hit Firefox. The culprit for Firefox, a .NET add-on, has been put on Mozilla’s blocked list.
XBAP, short for XAML Browser Application, is a technology used to create RIA applications for Windows. While it is similar with Silverlight in its purpose, XBAP can be used to create heavy applications, ones that access the entire power of .NET and XAML, applications that are targeted to be run in a browser. XBAP applications have the extension .xbap and they run inside a sandbox, being loaded in IE from the local system or from the Internet with a single click. XBAP came with .NET 3.0 and was available only for IE 6-8, but .NET 3.5 installs a plug-in for Firefox called “Windows Presentation Foundation” (WPF) allowing Firefox users to run XBAP applications.
According to Mike Shaver, VP of Engineering at Mozilla, a security vulnerability in .NET, the XABP component, was discovered and reported in July. The same vulnerability was later detailed by Microsoft in bulletin MS09-054, deemed as Critical, with some extra details on Microsoft’ Security Research and Defense blog. According to Microsoft, the vulnerability allows a malicious web site to run code on a client’s machine. While many such security vulnerabilities have been discovered in the past, this one is different because it does not affect only IE but also Firefox.
Microsoft has been working with Mozilla to address this issue. In order to protect its users, Mozilla has placed the WPF plug-in on a blocked list along with other problematic plug-ins. Firefox automatically checks for such banned add-ons, informing the user when finding one, as shown below:
The user can choose to disable the add-on, but he can choose to ignore the threat.
Microsoft has issued a cumulative security update for IE, KB 974455, that started to be delivered to the users via automatic updates more than a week ago. While many users have already applied this patch, Mozilla said they are keeping the WPF add-on on the blocked list until the number of system without the patch is reasonably small. This image shows the WPF add-on on the blocked list:
We should mention that another important add-on is on Firefox’s blocked list, Apple QuickTime Plugin, v7.1.*. The reason is similar: remote code execution (bug 430826).
This approach made some users question Mozilla’s approach. For example, Bertrand Le Roy asked:
This looks all very nice but you have to wonder: is Mozilla going to disable Flash next time they have a security issue?
Mike Shaver answered:
We might if Adobe agreed that it was the best way to deal with a vulnerability, or to provide "safe cover" for an update to get deployed.
According to Shaver, this approach was decided by Mozilla working closely on the issue with Microsoft.