A .NET Security Vulnerability Has Affected Firefox

by Abel Avram on Oct 22, 2009 |

A security vulnerability in .NET that affects Internet Explorer also affects Firefox. The culprit on the Firefox side, a .NET plug-in installed alongside the framework, has been placed on Mozilla's add-on blocklist.

XBAP, short for XAML Browser Application, is a technology for building rich Internet applications (RIAs) for Windows. It is similar to Silverlight in purpose, but XBAP applications are heavier: they have access to the full .NET Framework and WPF/XAML, and are intended to run inside a browser. XBAP applications use the .xbap extension and run in a partial-trust sandbox; IE loads them from the local system or from the Internet with a single click. XBAP shipped with .NET 3.0 and was originally available only for IE 6-8, but .NET 3.5 SP1 also installs a Firefox plug-in named "Windows Presentation Foundation" (WPF) that lets Firefox users run XBAP applications.

According to Mike Shaver, VP of Engineering at Mozilla, a security vulnerability in the XBAP component of .NET was discovered and reported in July. Microsoft later detailed the same vulnerability in security bulletin MS09-054, rated Critical, with further discussion on Microsoft's Security Research and Defense blog. According to Microsoft, the vulnerability allows a malicious web site to run code on the visitor's machine. Many such vulnerabilities have been found before; this one is notable because it affects not only IE but also Firefox, through the WPF plug-in.

Microsoft has been working with Mozilla to address the issue. To protect its users, Mozilla has placed the WPF plug-in on its add-on blocklist alongside other problematic plug-ins. Firefox automatically checks installed add-ons against this list and warns the user when it finds a match, as shown in the article's first screenshot.

The user can choose to disable the add-on, but can also ignore the warning and leave it enabled.

Microsoft has issued a cumulative security update for IE, KB 974455, which began rolling out to users through automatic updates more than a week ago. Although many users have already applied the patch, Mozilla says it will keep the WPF add-on on the blocklist until the number of unpatched systems is reasonably small. The article's second screenshot shows the WPF add-on on the blocklist.

Another important add-on is also on Firefox's blocklist: the Apple QuickTime Plugin, versions 7.1.*. The reason is similar: remote code execution (bug 430826).
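The blocklist check described above, the browser comparing installed plug-ins against a list of names and version ranges and warning the user while still allowing an override, as an added example that is not code from the article or from Mozilla. It is a simplified model: the entry format and the "7.1.*" wildcard syntax are assumptions, and the blocklist entries and the list of installed plug-ins (including their version numbers) are constructed for illustration.

```javascript
// Added example (not code from the article or from Mozilla): a simplified
// model of the check a browser performs against its add-on blocklist.
// The real Firefox blocklist is an XML file fetched periodically by the
// browser; the entries and installed plug-ins below are constructed.

// Parse "7.1.6" into [7, 1, 6]; non-numeric components count as 0.
function parseVersion(v) {
  return String(v).split(".").map((p) => {
    const n = parseInt(p, 10);
    return Number.isNaN(n) ? 0 : n;
  });
}

// Numeric, component-wise comparison with zero padding, so "7.1" == "7.1.0"
// and "7.1.6" < "7.10" (a plain string compare would get the latter wrong).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] ?? 0, y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Does `version` fall under `pattern`? "*" matches everything, "7.1.*"
// matches every 7.1.x release, and a pattern without a wildcard must match
// exactly (with zero padding). The wildcard syntax is an assumption.
function matchesVersionPattern(version, pattern) {
  const pv = parseVersion(version);
  const parts = String(pattern).split(".");
  for (let i = 0; i < parts.length; i++) {
    if (parts[i] === "*") return true;
    if ((pv[i] ?? 0) !== parseInt(parts[i], 10)) return false;
  }
  return compareVersions(version, pattern) === 0;
}

// Constructed blocklist entries mirroring the two plug-ins named in the
// article. `severity: "soft"` models the behaviour described above: the user
// is warned and offered the chance to disable, but may ignore the warning.
const BLOCKLIST = [
  { name: /Windows Presentation Foundation/i, versions: "*", severity: "soft",
    reason: "MS09-054: malicious web site can run code on the client" },
  { name: /QuickTime Plug-?in/i, versions: "7.1.*", severity: "soft",
    reason: "remote code execution (bug 430826)" },
];

// Return the first matching entry for a plug-in, or null if it is not blocked.
function findBlockEntry(plugin, blocklist) {
  for (const entry of blocklist) {
    if (entry.name.test(plugin.name) &&
        matchesVersionPattern(plugin.version, entry.versions)) {
      return entry;
    }
  }
  return null;
}

// Audit every installed plug-in; the result is what a warning dialog would list.
function auditInstalled(installed, blocklist) {
  return installed.map((p) => {
    const entry = findBlockEntry(p, blocklist);
    return {
      name: p.name,
      version: p.version,
      blockedBy: entry ? entry.reason : null,
      userMayOverride: entry ? entry.severity === "soft" : true,
    };
  });
}

// Constructed sample of a plug-in enumeration; the version numbers are illustrative.
const INSTALLED = [
  { name: "Windows Presentation Foundation", version: "3.5" },
  { name: "QuickTime Plug-in 7.1.6", version: "7.1.6" },
  { name: "QuickTime Plug-in 7.6.4", version: "7.6.4" },
  { name: "Shockwave Flash", version: "10.0" },
];

for (const r of auditInstalled(INSTALLED, BLOCKLIST)) {
  console.log(`${r.name} ${r.version}: ${r.blockedBy ? "BLOCKED (" + r.blockedBy + ")" : "ok"}`);
}
```

Note that the version comparison is numeric per component: a lexical comparison would treat "7.10" as older than "7.1.6" and could let a blocked release slip through, which is exactly the kind of bug a blocklist consumer cannot afford.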

The decision led some users to question Mozilla's approach. For example, Bertrand Le Roy asked:

This looks all very nice but you have to wonder: is Mozilla going to disable Flash next time they have a security issue?

Mike Shaver answered:

We might if Adobe agreed that it was the best way to deal with a vulnerability, or to provide "safe cover" for an update to get deployed.

According to Shaver, this approach was decided by Mozilla working closely with Microsoft on the issue.
