This section lists the latest news and blogs found via the daylife API (and for older items, the technorati API), which mention or otherwise discuss this vulnerability.
from: Brad Abrams
Recently some friends mentioned that they saw Firefox had block-listed some Microsoft WPF\ClickOnce add-ons. As Mike Shaver (VP Engineering for the Mozilla) noted in his blog post, this action is the result of Mozilla and Microsoft working together to protect customers in relation to Security Update MS09-054. I think it is very important for Microsoft and Mozilla to collaborate so actively to help protect customers… in this case we all agreed it made sense to add the Microsoft add-in to the block-list.
from: MSigeek.com
Remember that Microsoft .NET Framework Assistant add-on that Microsoft sneaked into Firefox without explicit permission from end users? Well, the code in that add-on has a serious code execution vulnerability that exposes Firefox users to the “browse and you’re owned” attacks that are typically used in drive-by malware downloads. The flaw was addressed in the MS09-054 bulletin that covered “critical” holes in Microsoft’s Internet Explorer but, as Redmond’s Security Research & Defense team explains, the drive-by download risk extends beyond Microsoft’s browser.
from: Ares Vista 2009
p2pnet news view P2P | Security:- “Numerous” users and experts complained when Microsoft pushed the .NET Framework 3.5 Service Pack 1 (SP1) update to users last February, including Susan Bradley on the Windows Secrets newsletter. Now, one of the flood of security bulletins Microsoft released yesterday impacts not only Internet Explorer (IE), but also Firefox with a “browse-and-get-owned” danger. And it’s all down to a Microsoft plug-in pushed to Firefox users eight months ago in a Windows Update, says Computerworld.
from: Chris Mosby at myITforum.com
Disable MS09-054 patch, or Firefox Plugin? Published: 2009-10-16, Last Updated: 2009-10-16 23:37:34 UTC by Adrien de Beaupre (Version: 1) The .NET Framework 3.5 SP1 installs...
from: dBTechno
Boston (DbTechNo) - It is being reported that Mozilla have now unblocked a Microsoft add-on for Firefox after it was initially believed that it caused a security risk. Mozilla took steps to block the Microsoft add-on last Friday, after Microsoft warned users that if they had not upgraded using the MS09-054 IE patch then they were at risk of experiencing a software vulnerability. The add-on in question was Microsoft’s .NET Framework Assistant add-on but the company has proven it not to be a security risk, thus Mozilla have unblocked it.
from: Open Source
Mozilla vice president for engineering Mike Shaver is being polite about it, but basically Microsoft pushed some software into Firefox last week that left users vulnerable to attack. (Wise guys might confuse this Three Stooges bit with a recent Microsoft security meeting.) Windows Presentation Foundation (which those with a sense of humor now call Windows Thepresentation Foundation or WTF), along with .NET Framework 3.5 (which is now OK), were originally pushed as part of Windows in February, and their problems within Windows were fixed in May.
from: Cliff Hobbs - FAQShop.com and Microsoft MVP ConfigMgr/ SMS
Summary: The following bulletins have undergone a minor revision increment. Please see the appropriate bulletin for more details.
* MS09-054 - Critical
* MS09-053 - Important
Bulletin Information:
* MS09-054 - Critical - http://www.microsoft.com/technet/security/bulletin/ms09-054.mspx - Reason for Revision: V1.2 (October 19, 2009): Added a link to Microsoft Knowledge Base Article 974455 under Known Issues in the Executive
from: Rich's Random Walks
The plot thickens! Mozilla has now put Microsoft’s “stealth” Firefox plugin (that I wrote about most recently yesterday) on its “block list”, to prevent its being installed, and to disable it for users who may have already installed it. Many Firefox users (on Windows) may have gotten a pop-up message like this: According to Microsoft, if the user has applied one of the security patches released earlier this week, the MS09-054 update for Internet Explorer, the plugin should be safe.
from: The Firefox Extension Guru's Blog
You would think Microsoft would have learned its lesson after all the negative backlash with the Microsoft .NET Spyware Extension. But this is Microsoft we are talking about. Earlier today I got an odd pop-up window from Firefox: The Windows Presentation Foundation plug-in has been disabled for your protection. Several people on Go Firefox! have reported getting the same message. From what I have read this plug-in that allows the embedding of XAML applications (an XML-based UI technology) in web pages, called XBAP and is part of the .NET Framework 3.5 SP1.
from: Tech Airlines
An “important” automatic Windows Update pushed out to all users by Microsoft last February had caused some outrage among some Firefox users. This update had added a .NET Add-on that adds ClickOnce support and also installed a plugin named “Windows Presentation Foundation” to Firefox without the user’s consent or knowledge. Not only that, but without doing some registry digging which is dangerous, it was impossible to uninstall the add-on. It even adds an extra string to the end of your user string: “(.NET CLR 3.5.30729)”.
from: shaver
I’ve previously posted about the .NET Framework Assistant add-on that was delivered via Windows Update earlier this year. It’s recently surfaced that it has a serious security vulnerability, and Microsoft is recommending that users disable the add-on if they have not installed IE patch MS09-054. Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism.