Mozilla and Microsoft tangle on Firefox plug-in security
Monday, October 19, 2009
Microsoft and Mozilla got their signals crossed last week over a Windows plug-in called .NET Framework Assistant included by Microsoft in the Firefox browser for activation of add-on programs. Mozilla is blocking one vulnerable Microsoft add-on and blocked then unblocked another.
On Friday, Mozilla blocked the .NET Framework Assistant add-on for Firefox 3.5, citing difficulties some users had entirely removing the add-on, "and because of the severity of the risk it represents if not disabled," according to Mike Shaver, Mozilla's vice president of engineering, on the Mozilla security blog.
Shaver said Mozilla contacted Microsoft "to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism," according to the blog post. But on Sunday, Mozilla was trying to unblock the add-on for .NET Framework Assistant, as Shaver said the add-on did not pose a security vulnerability.
"We received confirmation from Microsoft this evening that the Framework Assistant add-on is not a mechanism for exploiting the vulnerabilities detailed in the earlier post, so we've removed it from the blocklist," Shaver said in his blog.
But a separate vulnerability exists for a Microsoft add-on that Mozilla said needs blocking for Firefox users. The vulnerability exists in the Windows Presentation Foundation (WPF), which is included in the .NET Framework Service Pack 1. Shaver said via Twitter that the "WPF plugin is the vector for the XBAP vuln via Firefox."
Related News:
UK cops arrest two in Zbot Trojan case - 11.19.2009
The British Metropolitan Police took two suspected cyber criminals into custody earlier this month in connection with an investigation into the Zbot banking Trojan.
Facebook shakes up privacy policy in response to criticism - 11.19.2009
After a week-long comment period in which 7,000 Facebook users voiced their opinions, the giant social media network announced that it would overhaul and simplify its privacy policy.
Domain registrar VeriSign will receive "major security update" by 2011 - 11.19.2009
A well-known security vulnerability in the way .com and .net websites process DNS values - the way alphanumeric website names are translated into numeric web addresses - will be fixed, but not until 2011, according to a report from tech news website ZDNet.
Malware attack targeting fans of Twilight series - 11.18.2009
As with many recent hot news trends, the upcoming release of the second movie based on Stephenie Meyer's Twilight books has attracted the attention not just of the vampire wannabes, but of actual cyber criminals as well.
Giant black-hat SEO campaign funnels victims to scareware sites - 11.18.2009
Security researchers say that cyber criminals have conducted a large-scale campaign to influence Google results, pushing malware-spreading sites higher on the list and dropping legitimate results to the bottom.
|
