Last May, Microsoft silently installed two add-on components in every Firefox browser running on Windows, leading some angry users to claim that the company had weakened the browser's security.
Turns out, they had a point.
A week ago, Microsoft shuttered a critical flaw in how Internet Explorer handles the processing of certain types of HTML, repairing the same vulnerability in one of the two add-on components silently installed on Firefox users' systems. The components, known as the Framework Assistant and the Windows Presentation Framework, allow .NET programmers to create applications that run across different browsers. The vulnerability fixed by the patch enables attackers to compromise a user's system when the victim visits a malicious Web site.
"An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer (or the Firefox add-on) and then convince a user to view the Web site," Microsoft stated in its advisory. "The attacker could also take advantage of compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability."
The Mozilla Foundation scrambled over the weekend to head off potential security problems, adding both components to the browser's block list. Components added to Firefox will not run if they are included on the block list. Yet, by Sunday, Microsoft confirmed that the first add-on component, the Framework Assistant, could not be a vector for the attack, and Mozilla removed it from the list.
The weekend efforts caused consternation among some corporate users. At the behest of enterprise developers, Mozilla added a way on Monday to remove add-on components from the block list, so that companies that rely on the functionality can enable the component, the company stated on its blog.
"Microsoft is monitoring patch adoption rates for the relevant patch, and when it reaches a high level of deployment we will remove the remaining block-list item," Mike Shaver, vice president of engineering for Mozilla, said in a blog post on Monday. "I expect that will be in the next 48 hours at the outside."
The weekend's efforts left Mozilla's engineering team exhausted, Shaver said.
"I'm going to need a weekend after this weekend," Shaver stated Sunday on Twitter.
Posted by: Robert Lemos