
Thread: FYI potential threat to firefox users

  1. #1
    Outside The Box Cash67's Avatar
    Join Date
    May 2009

    FYI potential threat to firefox users

    MS uses patch channel to install Firefox add-on

    It's been widely blogged that Microsoft can silently add an extension to Firefox when users install .NET Framework 3.5 Service Pack 1 and certain other updates. Readers asked us about this last week because of a May 29 article by Brian Krebs of the Washington Post.

    I enjoy Krebs's writing, but in this case he was apologizing for telling his readers earlier this year to install the .NET service pack. He didn't realize until later that Microsoft's Assistant 1.0 extension exposes Firefox to any .NET security holes that may be discovered. Even worse, Microsoft wrote the add-in in such a way that its Uninstall button was grayed out and unusable in Firefox.

    WS contributing editor Susan Bradley warned our paying subscribers on Feb. 5 and Feb. 12 not to install .NET 3.5 SP1 (and explained, if need be, how to uninstall it). I tip my hat to her excellent advice.

    No holes currently affect the latest .NET software, according to's .NET Framework 3.x advisory and Assistant 1.x advisory. But the security firm published in 2006, 2007, and 2008 four security warnings about flaws in the earlier .NET Framework 2.x. The most severe hole was rated "highly critical." A weakness that's currently undiscovered in .NET Framework 3.x might be exploited in the future.

    The extension that MS adds to Firefox implements a technology called ClickOnce. It allows .NET apps to be downloaded and executed within browsers other than Internet Explorer. Unfortunately, this technology can also allow hacked Web sites to infect PCs.

    Many Windows Secrets readers use Firefox because it suffers from fewer security holes than IE — and most people don't need .NET features — so I'm publishing in my free column today the following steps to remove Assistant 1.0 from Firefox:

    Step 1. Check whether the .NET Framework Assistant is installed. You may or may not have Assistant 1.0, even if you installed .NET Framework 3.5 SP1, so check this first. In Firefox, pull down the Tools menu and select Add-ons. In the Add-ons dialog box that appears (as shown in Figure 1), if you don't see .NET Framework Assistant, the add-on is not installed. In that case, you don't need to do anything further (except close the dialog box).

    Figure 1. The Uninstall button is grayed out and unusable due to the way Microsoft implemented the original version of Assistant 1.0.

    Step 2. Remove or disable the add-on. If you do find the extension, I recommend that you remove it to reduce your vulnerability to possible security flaws. Choose one of the options shown below.

    • Best option: Install the Microsoft fix. On May 6, with little publicity, Microsoft posted an update for .NET Framework 3.5 SP1. Installing this update enables Firefox's Uninstall button for the add-on. To install the official update, visit Microsoft's download page.

    • Another option: Temporarily disable the extension. Using the Add-ons dialog box to disable the extension prevents it from running and protects Firefox from potential security flaws. You might disable the extension instead of uninstalling it if your company insists that you use Firefox to run a .NET app, but you don't wish to be vulnerable when visiting random Web sites. To disable Assistant 1.0 (or any Firefox extension), pull down Firefox's Tools menu and select Add-ons. In the Add-ons dialog box that appears, select the unwanted extension and click the Disable button. Close the dialog box.

    • Not recommended: Edit the Registry. Before Microsoft's official patch was released, several sites published a procedure to manually delete entries from the Windows Registry to disable the Firefox extension. I don't recommend this, because it's easier and safer to use the options shown above. But if you need the full details, .NET Framework product unit manager Brad Abrams posted the Registry procedure in an MSDN blog entry.

    Step 3. Install the third-party extension FFClickOnce, but only if necessary. If you really need ClickOnce functionality in Firefox, consider installing FFClickOnce, a Mozilla-approved extension developed by James Dobson. This third-party extension poses some of the same risks as Microsoft's add-on. But at least Dobson's extension prevents downloaded apps from running without first making the user click OK twice. For more info, see Dobson's SoftwarePunk site and the extension's Mozilla Add-ons page.

    Here's the link to the Microsoft download site:

    Government (noun) Latin: Govern (control) Mente (mind) = Mind Control, Have a nice day.

  2. #2
    woooooooo Hoopymo's Avatar
    Join Date
    May 2009
    I do stuff. Mod stuff. Sometimes on fire.

    Re: FYI potential threat to firefox users

    Phew, I never had it, but I'll be checking for this every few days.

  3. #3
    Semi-Benevolent Dictator Euskadi's Avatar
    Join Date
    May 2009
    I wasn't born, so much as I fell out

    Re: FYI potential threat to firefox users

    I have it but I've had it disabled since I first installed. I think I just disabled it cause I didn't need it though...
