Microsoft plug-in for Firefox patched
Hidden in the record-breaking batch of security bulletins released by Microsoft earlier this week was one that addressed a vulnerability not in one of Microsoft's own products, but in the rival Firefox browser from Mozilla. To put it bluntly, the bug that exposed Firefox users to a critical risk is the result of Microsoft quietly pushing out an update via Windows Update eight months back.
The affected component is the "Windows Presentation Foundation plug-in in Firefox", which typically arrives with the .NET Framework 3.5 SP1. The problem is that this plug-in can be installed without the user's approval, according to Susan Bradley, a contributor to the Windows Secrets newsletter.
The danger is real: Firefox users with the vulnerable plug-in only need to visit a rigged site to be compromised.
In addition, reports indicate that the original version of the plug-in was next to impossible to remove. This is because the "Uninstall" and "Disable" buttons for this particular plug-in are disabled by default, and removing it is complicated. The inability to easily uninstall it was later rectified in a May update.
While the latest update should resolve the issue, I would personally advocate removing the plug-in from computers you own or manage. Do a quick check of your Firefox; do you have this plug-in installed?
For more on this story:
- check out this article at Computerworld