If you have recently opened your Firefox web browser you might have noticed a notification from the web browser that the Windows Presentation Foundation plugin was disabled to protect the user and the web browser. Many users who received the message were a bit puzzled as they did not install the plugin in first place. Remember the Microsoft .net Framework Assistant incident earlier this year when Microsoft installed the plugin in the Firefox web browser without notifying the user? The installation of the Windows Presentation Foundation plugin is basically the same deal.
The Windows Presentation Foundation Plugin gets installed when the Microsoft .net Framework 3.5 SP1 gets installed in the Windows operating system. Users who noticed the installation also noticed that they were not able to uninstall the plugin, only disable it in the Firefox plugin manager.
Mozilla today blacklisted the Windows Presentation Foundation Plugin. Not because of the silent install but because of a security vulnerability, or to be precise a remote code execution vulnerability. The vulnerability was reported on October 16 and measures to block the plugin were initiated today. Interested users can read up on the vulnerability at the Bug listing at the Mozilla website.
This raises several interesting questions. Could Microsoft be held accountable if computer systems are successfully attacked? Microsoft is not the only developer that is adding plugins to Firefox without asking the user. The Mozilla developers should consider implementing a security control to block unwanted plugins from being installed. Users who have not received the message in Firefox yet should check in the plugin section if the plugin is installed and if it is enabled or disabled. It should be disabled immediately if it is not already.
Related posts:
- How To Uninstall Windows Presentation Foundation Plugin In Firefox
- How To Stop Automatic Plugin Installations In Firefox
- Thunderbird And Firefox Plugin Checker
- Check and Remove Plugins in Firefox
- Firefox Locks Components Directory For Third Parties
- Manage Firefox Plugins
- Remove Microsoft .Net Framework Assistant From Firefox
- Mozilla Plugin Check
I’ve just received this notification from Firefox and I’m going to disable this plugin.
I’ve just received this but I have’nt installed Microsoft .net Framework 3.5 SP1 or anything from Micro$oft lately.
“This raises several interesting questions. Could Microsoft be held accountable if computer systems are successfully attacked?”
Well it allso raises the question if Mozilla could be held accountable if the automatic disableling causes applications to fail?
-/Michael
That is different. The user has chosen to use Mozilla Firefox and is therefore accepting its foibles. The Microsoft add-on has been installed without warning and is therefore liable for its own actions.
Interesting question though: Is the fact that 3rd party software can be installed without the users knowledge or consent written in to Mozilla’s T&Cs??
I find this the most concerning aspect of this issue.
Why didn’t you tell us how to disable this crap!!! So annoying when the most important info. is withheld!
Thanks!!
I’m sorry for not posting the information in first place but I was in a hurry. You can find out about the plugins by going to Tools > Addons and switching to the plugins section there.
Where is the plugin section? Please don’t assume people know this kind of stuff.
Thanks!
If you are asking this question, you probably should have stayed with IE.
Hi Cheryl,
in case You’re asking such fundamental questions – ghacks maybe is the wrong website to fulfill Your needs.
To answer Your question: If You follow the shown path (tools -> addons) You just have to open Your eyes and find the ‘plugins’-section. Everything You need is written down already, please do not assume to get it served as a comfortable breakfast in the morning bed.
Greetings, Chris
Perhaps you Chris and bf should learn not to respond like such jerks! Don’t assume people aren’t capable of learning! Websites are not listed on a scale of peoples learning abilities or even grade level so to make the following suggestions just shows your arrogance and how asinine you are!
Bf suggested:
“If you are asking this question, you probably should have stayed with IE”
Then Chris said:
“in case You’re asking such fundamental questions – ghacks maybe is the wrong website to fulfill Your needs.”
Now the time you spent being jerks you could have just answered the question!
Thanks Martin for your assistance you have class! Thanks for the info.
I really hate when microsoft do this, i have never install this shit, and now i need to disable ??? WTF !!
Surely it is illegal to modify a third party application without notifying the publisher and the users first.
Yet Microsoft are quite happy to chase anybody that uses their stuff. Looks like one rule for them and another rule for other people!
So, it sounds like it has something to do with Silverlight, so they’re silently trying to push that out onto everyone’s computer? I’ve intentionally NOT installed Silverlight because I don’t want it on my computer.
This add-on had disable and uninstall dialogue two days ago(7 RC), I disabled it and was going to see what(if any) loss of functionality I was losing before I uninstalled it. First thing this morn I got the FF(3.5.2) pop-up saying restart to disable this add-on? Before and after the restart the remove dialogue was removed. Huh.
I got this message and did some research instead of just reacting automatically.
=====================
Updated October 16, 2009 – updated blog post to clarify that Firefox users are protected from CVE-2009-2529 if they install the MS09-054 update.
Published Monday, October 12, 2009 7:36 AM by swiblog
Filed under: Workarounds, Attack Vector, XBAP, MS09-054
http://blogs.technet.com/srd/archive/2009/10/12/ms09-054.aspx
=====================
Read the full MS09-054 bulletin here:
http://www.microsoft.com/technet/security/bulletin/ms09-054.mspx
=====================
So IF you install the fix referred to in bulletin MS09-054, you will be safe. The actual fix# is KB974455
NirSoft has a program that will list Windows updates on your system:
http://www.nirsoft.net/utils/wul.html
Or you can use Windows Update to get a list.
The KB974455 is available on Windows update.
I would also recommend running a CUSTOM list on Windows Update as otherwise only critical updates get installed automatically (at least under WinXP). I found 13 other non-critical updates that I thought needed installation also!
This is pretty serious. I wasn’t even aware that someone could install a plugin in my Firefox without my explicit permission. I think I am more angered by knowing this, and not from Microsoft installing this plugin. Microsoft is using a feature that is provided by Mozilla.
Regarding Microsoft being held accountable for any security vulnerabilities, we know that thousands of system are subjected to virus, trojans, and malware everyday because of vulnerabilities in Windows. Shouldn’t Microsoft be held accountable for all of those too?
Exactly when is Msoft officially evil? Thanks for the explanation.
How will disabling this plugin effect FireFox performance on asp.net websites? I mean does some websites entirely depend on this plugin being enabled in order to work properly?
Firefox should never allow a plugin to be installed without explicit user permission! If a plugin is installed by another program then Firefox should prompt a dialog asking the user whether to enable/disable it. I’m so pissed off that Firefox would allow plugins to be installed without the user’s knowledge – I can see Microsoft doing this but Mozilla should know better…
It seems that since the plugin is blocked by Mozilla, you can no longer remove it from the Tools / Addons / Plugins window.
I found this removal document… May help.
http://ffextensionguru.wordpress.com/2009/02/08/how-to-remove-microsoft-net-spyware-extension/
Easy steps…
Exit Firefox first, then go to this folder in Windows, and archive it all to RAR or ZIP. Then delete everything you archived.
C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation
You should remain with one archive, no other files or folders.
Restart Firefox, exit and start it again (there are harder ways, but that works for most users).
That should remove it. And you have a backup in case.
Today after receiving FF notification about that Microsoft crap-I uninstalled it on the spot.
I received this message and did some research instead of just reacting automatically.
=====================
Updated October 16, 2009 – updated blog post to clarify that Firefox users are protected from CVE-2009-2529 if they install the MS09-054 update.
Published Monday, October 12, 2009 7:36 AM by swiblog
Filed under: Workarounds, Attack Vector, XBAP, MS09-054
http://blogs.technet.com/srd/archive/2009/10/12/ms09-054.aspx
=====================
Read the full MS09-054 bulletin here:
http://www.microsoft.com/technet/security/bulletin/ms09-054.mspx
=====================
So IF you install the fix referred to in bulletin MS09-054, you will be safe. The actual fix# is KB974455
NirSoft has a program that will list Windows updates on your system:
http://www.nirsoft.net/utils/wul.html
Or you can use Windows Update to get a list.
The KB974455 is available on Windows update.
I would also recommend running a CUSTOM list on Windows Update as otherwise only critical updates get installed automatically (at least under WinXP). I found 13 other non-critical updates that I thought needed installation also!
———————
Now, regardless of the above, NO ONE should be able to install add-in’s to FF UNLESS the user approves! PERIOD!!!!
I knew this was like deja vu, but couldn’t put my finger on it.
To beat the dead horse, let me ask a question:
Why didn’t Mozilla block this add-on back 4 1/2 months ago when it was first announced / discovered? Timing for their new a-o check feature? Perhaps it was the muse for such a feature?
http://www.theregister.co.uk/2009/06/01/ms_firefox_extension_row/
It is my understanding that Mozilla does not have anything against the plugin per se and blocked the plugin only because of the remote exploit that was discovered.
It would make more sense NOT to be running that crappy Firefox to begin with…
This just happened to me and that’s how i found this page.
Thanks for the useful info, Thankfully good old firefox recognized the problem and told me to restart firefox so it can disable the dodgy plug in.
What is it with sh**ty microsoft? are they doing this out of spite because firefox is used by people who realise firefox is better than IE? Either way i don’t think it’s right that they install something on my computer without permission. tut tut as if the whole net framework assistant plug in cock up wasn’t bad enough. Talk about shooting yourselves in the foot…
I’m even less likely to switch back to Internet Explorer now than ever.
To me187:
No, MS is doing this because they recognize people are using FF and want sites that used only work in IE to work in FF. Contrary to popular belief, MS is not entirely evil.
Why is Firefox silently monitoring my system?
THANKS A BUNCH
Oh damn… now wonder my presentation application not worked in Firefox. Anybody knows how to enable it? Because I want my applications to also work in other browser besides IE. Anyway, what’s wrong with running WPF. I think microsoft will use this WPF a lot in windows 7.
Since Firefox blocked the windows presentation Foundation, my interface has changed. Everything is blurred and the font is dark and fuzzy….has my driver been affected…..anyone else having this problem and any suggestion on how to fix it??
Thanks
STD
Well then, anyone who has installed iTunes should see the Quicktime plugin added to Firefox. I wasn’t asked by Apple’s installer if I wanted that. My point is, MS is not the only one doing this. Apple has done this on the last several installs of iTunes.