ms09-054: IE and firefox attack surface

[leofelix]

The Security Research & Defense blog provided additional information on the attack surface for the IE Security Bulletin MS09-059:

http://www.microsoft.com/technet/sec.../ms09-059.mspx

In other words, if you happen upon a malicious website, with the Windows Presentation Foundation (WPF) plug-in enabled in Firefox, your computer is vulnerable.


Recommendations:

Internet Explorer

Although XBAP is disabled in IE8 on Win2k8 and Win2k3, that is not the case for IE7 or other operating systems. To disable this setting, edit the security settings in the Internet Zone as follows:

Launch Internet Explorer --> Click Tools --> Security Tab --> in Internet, click Custom level. Under .NET Framework --> XAML browser applications, Change the setting to Disable.





Firefox:

The WPF plug-in was installed in Firefox with .NET Framework 3.5. To disable the plug-in, do the following:

Click Tools --> Add-ons --> Click the Plugins Tab.
Select “Windows Presentation Foundation”, and click “Disable”





By Corrine MVP

Credits:

http://securitygarden.blogspot.com/2...k-surface.html

[luffy]

Thanks for the Internet Explorer disable guide. M$ should be a shame of themselves. They know it is a security hole, but they did not disable it in their update. Let says there are many people do not know about this issue. They always use IE as their browser. They will get screwed eventually. I can't just stand M$ for playing with people computer. Firefox rocks because they disable it.

[noaccount]

i also tweaked IE like this - thanks - but for me this is actually MS and Mozilla's fault: MS who send you the bug AND Mozilla who didnt block it (the installation). what if all other developers start to send you sneaky patches (addons, plugins, etc) like this??? - this is a Firefox security problem Mozilla is going to HAVE to fix.

btw if anyone knows a safe way - i mean i dont want to do a full .net reinstall - to remove the Windows Presentation Foundation plugin please let me know (i dont want this crap in my box). the .NET Framework Assistant is easy to remove.

[ceyfer]

Thanks for the Internet Explorer disable guide. M$ should be a shame of themselves. They know it is a security hole, but they did not disable it in their update. Let says there are many people do not know about this issue. They always use IE as their browser. They will get screwed eventually. I can't just stand M$ for playing with people computer. Firefox rocks because they disable it.

It's already been fixed way back on Tuesday! Maybe you just forgot to turn on your Windows Automatic Updates. IE user should have always update their IE client to its latest version to ensure protection.

Patch Tuesday

Updated October 16, 2009 - updated blog post to clarify that Firefox users are protected from CVE-2009-2529 if they install the MS09-054 update.

It just so happened that FF blocked the affected plugin to ensure that all users were protected from threat ( despite MS update fix ). Which is a good move.

[noaccount]

lol this is ie7 tweak i didnt read it properly yesterday - this is not for me.
these plugins should have never gotten installed in the first place, this is a scandall!