Mozilla has temporarily disabled Microsoft's WPF plugin for Firefox in order to protect users from a security vulnerability that was recently uncovered in the component. The vulnerability can be exploited when users visit malicious Web pages that contain specially crafted XAML content.

Microsoft issued an Internet Explorer patch to fix the vulnerability through its Windows Update mechanism on Tuesday. The IE patch is said to fully resolve the vulnerability for Firefox users in addition to users of Microsoft's own browser. Mozilla is concerned, however, that not all users have performed the Windows update yet. In order to protect users who are not yet patched, Mozilla has added Microsoft's plugin to its add-on blocklist, causing it to be automatically disabled by the browser.

Mike Shaver, Mozilla's vice president of engineering, described the security problem in a blog entry posted Friday in the official Mozilla security blog. He explains that Mozilla decided to block the plugin when Microsoft suggested that users should consider turning it off until the efficacy of the fix has been fully confirmed. The .NET Framework Assistant add-on was initially blocked too, but Mozilla removed it from the blocklist when Microsoft later confirmed that it was not vulnerable.

"Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism," he wrote. "Microsoft agreed with the plan, and we put the blocklist entry live immediately."

The plugin generated controversy earlier this year because Microsoft surreptitiously injected it into Firefox via a Windows Update, without prompting or notifying users. In response to criticism from Firefox users and concerns expressed by Mozilla itself, Microsoft released a tool in June that users could run to uninstall the plugin.

Adding the plugin to a blocklist seems reasonable in light of the risk that this security vulnerability poses to users, but it's a very blunt weapon. Microsoft apparently doesn't properly maintain version numbers in the plugin, so Mozilla has no way to selectively target the block to the insecure version. This means that the block will affect users who have already updated to a safe version of the plugin.

One of our readers submitted a report in Mozilla's bug tracking system requesting that the plugin be restored for users who are fully patched, but there's currently no way to accomplish this. Mozilla has implemented a feature in Firefox that will allow users to manually override the block for individual plugins, but it's unclear when this feature will be deployed. Although it's likely that it will go out soon in a Firefox update, users may have to wait for its arrival (or dive into about:config and disable the entire blocklist mechanism) if they want to use the WPF plugin.

Plugin security vulnerabilities are a major problem for browser vendors. These bugs are especially tempting as exploit targets because they often affect multiple browsers and provide a bigger audience of potential victims. In response to the serious security vulnerabilities that have been found in Adobe Flash and other popular plugins, Mozilla launched a new plugin check service earlier this month that will help users determine when they need to update.