Microsoft breaks Firefox
Mozilla vice president for engineering Mike Shaver is being polite about it, but basically Microsoft pushed some software into Firefox last week that left users vulnerable to attack.
(Wise guys might confuse this Three Stooges bit with a recent Microsoft security meeting.)
Windows Presentation Foundation (which those with a sense of humor now call Windows Thepresentation Foundation or WTF), along with .NET Framework 3.5 (which is now OK), were originally pushed as part of Windows in February, and their problems within Windows were fixed in May.
On Tuesday Microsoft pushed a patch to fix the problem within Internet Explorer. So if you’re patching your Microsoft browser your Firefox is safe. Let me repeat that. Microsoft insists its MS09-054 patch made even Firefox users safe.
But if you’re not following Microsoft directions then WTF you may now be vulnerable to exploit. So Mozilla told Microsoft it would “blocklist” both WTF and the .NET Framework, backing off on the latter after discussions with Microsoft.
The WTF plug-in supports an XML-based user interface called XBAP, and lets its XAML applications run. But the technology was vulnerable to a “drive-by” exploit, in which your hitting a specific Web page would download malware.
I’m reading a lot of blog posts calling this deliberate, even malicious. I don’t think it is. I suspect Microsoft is confusing its convenience with users’ security desires, rationalizing that this power lets it fix security holes automatically.
But its technology makes Microsoft the potential source of great big security holes, which can leave it with egg on its collective face. The kindest thing one can say is that this is vaudeville comedy. Others will call it burlesque or, perhaps, a horror show.
What’s your view?