If you have recently opened the Firefox web browser, you may have noticed a notification that the Windows Presentation Foundation plugin was disabled to protect the user and the browser.
Many users who received the message were a bit puzzled, as they did not install the plugin in the first place. Remember the Microsoft .NET Framework Assistant incident earlier this year, when Microsoft installed the plugin in the Firefox web browser without notifying the user? The Windows Presentation Foundation plugin is installed using the same method.
The Windows Presentation Foundation plugin gets installed when the Microsoft .NET Framework 3.5 SP1 is installed on a Windows operating system. Users who noticed the installation also noticed that they were not able to uninstall the plugin, only disable it in the Firefox plugin manager.
Mozilla today blacklisted the Windows Presentation Foundation Plugin. Not because of the silent install but because of a security vulnerability, or to be precise a remote code execution vulnerability. The vulnerability was reported on October 16 and measures to block the plugin were initiated today. Interested users can read up on the vulnerability at the Bug listing on the Mozilla website.
This raises several interesting questions. Could Microsoft be held accountable if computer systems are successfully attacked? Microsoft is not the only developer that is adding plugins to Firefox without first asking users of the browser whether they want those plugins to be installed.
Mozilla developers should consider implementing a security control to block unwanted plugins from being installed silently in the background.
Users who have not received the message in Firefox yet should check the plugin section to see whether the plugin is installed and whether it is enabled or disabled. If it is still enabled, it should be disabled immediately so that attacks cannot exploit it.
Update: Fast forward a couple of years. Most web browsers now use click-to-play by default or block most plugins outright, which reduces the likelihood that plugins get installed and are ready for use without the user knowing about them.
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.