Microsoft will deliver six security bulletins on April 10, 2012, as part of its monthly security update, the Redmond-based company said in an advance notification Thursday. The six security bulletins will, between them, address 11 vulnerabilities in Windows, Office, Internet Explorer, SQL Server, .NET Framework and Forefront Unified Access Gateway.
You can step into the new year feeling more secure, thanks to an important security update from Microsoft. The Redmond company on Thursday issued an out-of-band security update that addresses a “critical” denial-of-service (DoS) vulnerability (CVE-2011-3414) that affects Microsoft’s ASP.NET, among other web application platforms.
In a blog post on Friday, Mike Shaver, Mozilla's VP of Engineering, explained why his company had decided to block Microsoft's .NET Framework Assistant add-on to the Firefox browser.
"It's recently surfaced that it has a serious security vulnerability, and Microsoft is recommending that all users disable the add-on," Shaver wrote. "Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism."
And so Mozilla did just that, as you may have noticed over the weekend if you're a Firefox user. But as it turns out, the add-on may not be so harmful after all.
"We received confirmation from Microsoft this evening that the Framework Assistant add-on is not a mechanism for exploiting the vulnerabilities detailed in the earlier post, so we've removed it from the blocklist," Mozilla said.
Mozilla went on to say that the blocklist update propagates to clients, so if the add-on was previously disabled, it should automatically re-enable, though you'll need to restart your browser for it to take effect.
Microsoft’s .NET Framework 3.5 Service Pack 1 (SP1) update, which came out last February, seems to have slipped a roofie to both Internet Explorer (IE) and Firefox in the form of a “browse-and-get-owned attack vector.” The issue with Firefox is a point of contention with some users because Microsoft never made clear the update would affect Firefox, and users weren’t made aware that Firefox was being modified.
The security weakness was introduced through the Windows Presentation Foundation plug-in, which was installed both in IE and Firefox. According to Annoyances.org, the update made Firefox susceptible to one of IE’s biggest weaknesses: “the ability for websites to easily and quietly install software on your PC.”
If you are a Firefox user and have .NET Framework 3.5 installed, you might want to check for the Windows Presentation Foundation plug-in and, if it is present, disable it. Microsoft’s security bulletin provides these instructions: “Tools” -> “Add-ons” -> “Plugins”, select “Windows Presentation Foundation”, and click “Disable”.