Firefox Alerts

Dick H Box


I just found this article at:

Microsoft may be Firefox's worst vulnerability.
Date: June 2nd, 2009 | Author: Chad Perrin
In a surprise move this year, Microsoft has decided to quietly install what amounts to a massive security vulnerability in Firefox without informing the user. Find out what Microsoft has to say about it, and how you can undo the damage.

Microsoft pushed out its .NET Framework 3.5 Service Pack 1 update this February. The “List of changes and fixes” article about this update says:
'The .NET Framework 3.5 SP1 is a full cumulative update that contains many new features. These new features build incrementally upon the .NET Framework 2.0, the .NET Framework 3.0, and the .NET Framework 3.5. It also includes cumulative servicing updates to the dependent .NET Framework 2.0 and .NET Framework 3.0 subcomponents. This update should be applied as an important update for the .NET Framework 2.0 and later versions, and it is recommended for all other supported operating systems'.
The article then goes on to list a dizzying array of changes delivered by the update.

According to, however, it does something that isn’t listed there — it installs the Microsoft .NET Framework Assistant extension for Firefox, silently, without informing the user. If you had Firefox on your computer when this update was installed, you may be subject to some dire consequences. In Remove the Microsoft .NET Framework Assistant (ClickOnce) Firefox Extension, says: This update adds to Firefox one of the most dangerous vulnerabilities present in all versions of Internet Explorer: the ability for websites to easily and quietly install software on your PC.

Since this design flaw is one of the reasons you may have originally chosen to abandon IE in favor of a safer browser like Firefox, you may wish to remove this extension with all due haste. Yes, that’s right — the long-time, well known security hole present in Internet Explorer that consists of essentially letting Websites install dangerous, untrusted code on your computer willy-nilly has now been shoehorned into your MS Windows install of Firefox without your knowledge or permission. Worse yet, Microsoft isn’t satisfied with just giving you vulnerabilities without your permission or even your knowledge. It has also gone out of its way to ensure that you’ll have a difficult time removing the vulnerability from your system if you should happen to become aware of it. The Uninstall button for this extension in Firefox has been deactivated. In Uninstalling the Clickonce Support for Firefox, Microsoft employee Brad Abrams says: 'We added this support at the machine level in order to enable the feature for all users on the machine'. Seems reasonable right? Well, turns out that enabling this functionality at the machine level, rather than at the user level means that the “Uninstall” button is grayed out in the Firefox Add-ons menu because standard users are not permitted to uninstall machine-level components. Brad Abrams explains that an update has been produced, in response to a lot of negative reaction from people who realized that MS was monkeying around with their Firefox installs without permission or notification, that turns the extension into a “per-user component”.

Of course, he thoroughly downplays the negative reaction, saying: 'Clearly this is a bit frustrating for some users that wanted an easy way to uninstall the Clickonce Support for Firefox'. Reading some of the Slashdot commentary, I’d say it was far worse than “a bit frustrating” for some users. It was downright enraging for some, and I don’t blame them. He claims turning the .NET Framework Assistant into a per-user component makes uninstalling it “a LOT cleaner”. In some respects, this is true. The process for a full uninstall that was necessary to get it out of your hair as a standard system user can be pretty scary for someone who isn’t a bona-fide expert computer user. Even most so-called Power Users should be very leery of following those instructions.

Those of us who have actually gotten to the point where we edited registry keys for a living (yes, I had a job a few years back that included that unenviable task, and I got quite good at doing so quickly and safely), on the other hand, should find it pretty simple. On the other hand, making it a per-user component means that when one user uninstalls it, another can still have it. If you’re uninstalling it for security reasons, this should set off a warning klaxon in your head, complete with flashing red lights. If you’re the only person who ever uses your computer, this might mitigate the problem somewhat, but anyone who manages to remotely exploit your system as another unprivileged user account may then be able to make use of the security hole represented by the .NET Framework Assistant to increase his or her hold on the system (among other nightmare scenarios that may spring to mind).

I guess you have to admire the sheer chutzpah of someone like Brad Abrams trying to put a bright, happy face on this situation. It takes real courage to stand out front telling users about this major hose-job and try to find a way to spin it so the users won’t turn into a lynch mob. At least he has the decency to tell us how to do the work necessary to remove the unwanted Firefox extension. Go read his Weblog post (linked above) now, and make the necessary changes, if you’re using Firefox on MS Windows. I recommend you do the registry hacking necessary to carve this thing out of the guts of your system, get rid of Firefox entirely and use one of the other third-party Web browsers that isn’t known for screwing its users, or just get rid of MS Windows entirely, at this point. Do you remember when I listed 5 characteristics of security policy I can trust? Yeah. Anything that Microsoft can modify from afar like this doesn’t even begin to satisfy my criteria, and this incident is an excellent example of that. It looks like the biggest security vulnerability in Mozilla Firefox this year is Microsoft.

Dick H Box

Firefox Memory Corruption Vulnerability

Secunia Advisory: SA35798
Release Date: 2009-07-14
Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched

Software: Mozilla Firefox 3.5

Do not browse untrusted websites or follow untrusted links.
Go here for more details.

Mozilla will be making a patch for this, so keep an eye on the updates.

Dick H Box

Workaround for the Firefox 3.5 memory vulnerability...

July 15, 2009 9:08 AM PDT
Zero-day flaw found in Firefox 3.5
by Tom Espiner

There is a critical JavaScript vulnerability in the Firefox 3.5 Web browser, Mozilla has warned.

The zero-day flaw lies in Firefox 3.5's Just-in-time (JIT) JavaScript compiler. Proof-of-concept code to exploit the vulnerability has been posted online by a security research group, Mozilla said in a post on its security blog on Wednesday. Security company Secunia rated the vulnerability as "highly critical" on Wednesday.

The hole could allow a hacker to launch a "drive-by" attack, according to Mozilla. That means an attacker may be able to execute malicious code on a target machine, if the victim visits a Web site containing an exploit.

No patch is currently available, but Mozilla developers are working on a fix. A workaround suggested in the blog post is to disable the Firefox 3.5 JIT compiler. However, Mozilla warned this would result in decreased JavaScript performance in Firefox.

The JIT compiler is part of TraceMonkey, which was added to Firefox for its 3.5 update released at the end of June. TraceMonkey is meant to optimise the browser, which is faster than previous iterations of Firefox, according to Mozilla.

On Wednesday, the United States Computer Emergency Response Team said users and administrators should completely disable JavaScript functionality in Firefox 3.5.

The Sans Institute also said people could disable JavaScript, and suggested using NoScript, an open-source Firefox plug-in that only allows script to be executed by trusted Web sites.
I always run NoScript, & have been monitoring it very closely in light of this warning, & have restricted it even more than I normally do.
Good luck.

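An added audit script, not from this thread, Mozilla or Microsoft, that ties together the two points raised so far: machine-level (HKLM) versus per-user (HKCU) extension registration, which is what greys out the Uninstall button for standard users, and the JIT workaround for the Firefox 3.5 flaw. It assumes the standard Windows registry locations Firefox reads extension registrations from, the default profile folder under %APPDATA%, the pref name javascript.options.jit.content, and a path heuristic (an install directory under the .NET Framework tree) for spotting the .NET Framework Assistant.

```powershell
# Audit script (added example, not from the forum post, Mozilla or Microsoft).
# 1) Lists Firefox extensions registered through the Windows registry, split into
#    machine-level (HKLM, Uninstall button greyed out for standard users) and
#    per-user (HKCU) registrations.
# 2) Reports, per Firefox profile, whether the TraceMonkey JIT has been disabled
#    via the javascript.options.jit.content preference.

function Get-RegisteredFirefoxExtensions {
    $hives = @(
        @{ Scope = 'machine'; Path = 'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions' },
        @{ Scope = 'machine'; Path = 'HKLM:\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions' },
        @{ Scope = 'user';    Path = 'HKCU:\SOFTWARE\Mozilla\Firefox\Extensions' }
    )
    foreach ($h in $hives) {
        if (-not (Test-Path $h.Path)) { continue }
        $key = Get-Item $h.Path
        foreach ($name in $key.GetValueNames()) {
            $dir = $key.GetValue($name)
            # Value name is the extension ID, value data is its install directory.
            [pscustomobject]@{
                Scope                    = $h.Scope
                ExtensionId              = $name
                InstallDir               = $dir
                # Heuristic (assumption): the .NET Framework Assistant shipped from
                # inside the .NET Framework directory tree; flag such entries for review.
                LooksLikeDotNetAssistant = ($dir -match 'Microsoft\.NET')
            }
        }
    }
}

function Get-FirefoxJitStatus {
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (-not (Test-Path $profiles)) { return }
    foreach ($prefs in Get-ChildItem $profiles -Recurse -Filter prefs.js) {
        $line = Select-String -Path $prefs.FullName -Pattern 'javascript\.options\.jit\.content' |
                Select-Object -First 1
        [pscustomobject]@{
            Profile     = $prefs.Directory.Name
            # No such pref line means the Firefox 3.5 default (JIT enabled) applies.
            JitDisabled = ($null -ne $line -and $line.Line -match 'false')
        }
    }
}

Get-RegisteredFirefoxExtensions | Format-Table -AutoSize
Get-FirefoxJitStatus | Format-Table -AutoSize
```

Run it as a standard user to see what that user can and cannot uninstall; the machine-level rows are the ones that need an administrator to remove.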


I'm running Mozilla FF 3.0, is this part of the warning?

How do I go about removing the unwanted registry entries and software? Or should I just wait for the "fix" to come out? I know those come fairly fast once the problem is identified.

Friggin windows

Dick H Box

Sorry, I should have highlighted it.

Thanks, Ivana.
Sorry if I confused anyone. It's only Firefox 3.5 that's affected, AFAIK.

The updates are controlled from Edit>Preferences>Advanced>Updates tab. I have them all set to install without bothering me, unless there's a problem. (Some earlier versions of Firefox have them under the Tools menu, I think.)

You should run NoScript anyway. It's one of the best security features going.
Go to the Mozilla add-ons page, search for NoScript, & download it.
(I have reverted to Firefox 3.0 until Mozilla get it sorted :))

De Master Yoda


A new web page, claiming to be an update for the latest version of Mozilla Firefox (57.0), has been reported to harass online users. Once the scam pops up in the browser, it asks targets to authenticate themselves by typing a username and a password. The scam may obtain the entered login details. Even though the pop-up provides a CANCEL button, a click on it triggers another notification window that urges users to add a suspicious browser add-on to Firefox. More details that will help you recognize the “Firefox requires a manual update” scam message can be found here.