A Microsoft add-on that was installed silently into Mozilla Firefox last February has now made Firefox, deemed to be one of the safer alternatives for Windows computers, open to an attack. The security hole also leaves Internet Explorer open to the same attack.
The threat, according to Microsoft's Security Research and Defence blog, is a “browse-and-get-owned” attack: a user is lured into opening a malicious website, which then exploits the XAML Browser Application component in the Windows Presentation Foundation.
The add-on, listed in Firefox as the “Windows Presentation Foundation” plug-in, was pushed to Firefox users without any consent after a user installed an update to Microsoft's .NET Framework 3.5 Service Pack 1 (SP1). Once installed, however, it was impossible to remove, as the Disable and Uninstall buttons were grayed out on all versions of Windows with the exception of Windows 7, leaving the user to edit the Windows registry.
It should also be noted that editing the Windows registry can be dangerous, as you could cripple your PC if you make a mistake. Microsoft, however, has relented and provided a way to disable and remove the software after releasing another update in May.
Firefox users should disable the plug-in by going to Tools > Add-ons > Plugins and selecting the “Windows Presentation Foundation” add-on. You should also refer to this article by Microsoft to remove the add-on from Firefox. Internet Explorer users should open the Internet Zone’s Security Settings, find the .NET Framework option, and switch XAML browser applications from Enable to Disable.