-
Get Firefox updated now
Posted on December 17th, 2009 at 06:42 1 comment
If you run Firefox 24 hours a day (in other words, if you leave it on while you’re sleeping), there’s an update waiting for you that you should apply. Click Help, Apply Downloaded Update Now.
Mozilla released a big chunk of patches, creating Firefox 3.5.6. Get it.
If you don’t use Firefox 24 hours a day, your copy will update itself the next time you start Firefox.
Details, and a separately downloadable copy of 3.5.6, are on the Firefox site.
-
MS09-054 patch zaps Firefox
Posted on October 17th, 2009 at 07:14 13 comments
Now it looks like this round of patches includes one, MS09-054, that messes up Firefox.
If you have .NET Framework 3.5 SP1 installed, and you use Firefox, you’re opening up your system to all sorts of mayhem. The mayhem was supposed to be plugged by MS09-054, but it only made the situation worse. The problem? A Firefox plug-in that Microsoft installs called the Windows Presentation Foundation.
Just in from the SANS Internet Storm Center:
if you use Windows, install patches, and also have Firefox, oddly enough you will want to read the following Microsoft KB article entitled “How to remove the .NET Framework Assistant for Firefox”
UPDATE: Ryan Naraine at ZDNet has the details. Yes, Microsoft installed a “patch” with a security hole that affects Firefox. If you have automatic updates turned on, or you got fooled into installing MS09-054, you have to go into Firefox and manually turn off the bleeding add-on that Microsoft surreptitiously put on your computer.
REALLY COOL UPDATE:
I just re-started Firefox and it caught the two suckers. “Firefox has determined that the following add-ons are known to cause stability or security problems.” The culprits: .NET Framework Assistant and Windows Presentation Foundation. Both are blocked by default. Restart Firefox and you’ll be rid of the pests.
Take THAT Microsoft…
ANOTHER UPDATE: One reader left a comment about this patch, and I wanted to clarify. Yes, indeed, this patch was supposed to fix the earlier security hole created when Microsoft took it upon itself to install the .NET Framework Assistant in Firefox. (I cried about that patch in a blog entry four months ago.) While MS09-054 was supposed to fix the hole in Firefox introduced by Microsoft, it’s much smarter to simply disable Microsoft’s .NET Framework Assistant for Firefox. That’s exactly what Firefox has done. (Indeed, it’s what Microsoft recommended!) It isn’t clear, at this point, if MS09-054 makes the problem worse or not – thus the markthrough edits to the beginning of this post.
-
Should I delete Internet Explorer?
Posted on August 10th, 2009 at 06:43 3 comments
Reader Ted wrote in with an interesting question that I hear frequently:
I have followed your advice and started using Firefox instead of IE, and I sometimes use Google Chrome. What I don’t understand is if IE is part of the Windows operating system won’t it just kick-in anyway and be used by various programs even in Firefox and Google? Or, if you don’t use it at all, is it just taking up space on the computer? I’m really confused as you can tell. Should IE be deleted, or even can it? If it can’t and it’s not used, should it still be updated, following the advice in your MS-Defcon system?
Thanks so much for helping because like I said, I’m confused!
Ted, IE does lurk in the background sometimes and, depending on the version of Windows you’re using, the lurking can be more or less intrusive.
You can remove it completely in Windows 7, but in XP and Vista, it’s pretty much baked in. Even if you want to remove it, though, there are some times when you really need IE – for example, Windows Update and Microsoft Update require it.
Your best bet is to update IE, but use Firefox.
-
Windows Secrets: get rid of the drive-by .NET Framework Firefox add-on
Posted on June 4th, 2009 at 17:29 4 comments
The new Windows Secrets Newsletter is out.
Nice lead article about the Windows 7 Starter Edition and what it means for the future of netbooks, at least in the near term.
In the same issue, also in the free content, Brian Livingston has dissected that nasty patch Microsoft applied to Firefox, without your knowledge or consent. Brian shows you how to tell if you have the add-on, and if you do, how to get rid of it.
Check out the article, then check out your system.
-
More .NET Framework patch stupidities
Posted on June 2nd, 2009 at 09:53 3 comments
Several of you have written, pointing to an article by Brian Krebs in the Washington Post, adding yet more fuel to the pyre that is known as the .NET Framework patch or KB 951847.
Quoth Brian:
[T]he .NET update automatically installs its own Firefox add-on that is difficult — if not dangerous — to remove, once installed.
The so-called .NET Framework Assistant for Firefox is difficult, but not impossible, to uninstall. Details appear on Brad Abrams’ blog.
This particular piece of Microsoft “support” shouldn’t come as a big surprise to anyone who follows .NET Framework updates religiously. Microsoft employees have been blogging about it since May 12, at least.
Still, it’s a bit disconcerting to have Microsoft install a drive-by Firefox add-in as part of a “security update.”
I hope that the folks at Microsoft return the favor. I would love to see Firefox 3.0.11 – the next security update to Firefox – automatically, silently install a hard-to-remove add-on to Internet Explorer that makes IE infinitely more secure by, oh, disabling ActiveX controls.
The fact that Microsoft released such a patch – and installs it silently as part of a “security” update – should give you pause. But also consider the corporate culture that allows such blatant acts of hubris to take place. Repeatedly.
The old Microsoft is with us still.
Hold off on your Microsoft patches, folks. Beware of Redmond Geeks bearing gifts. The PC you wreck may be your own.
-
Pwn2Own conclusion
Posted on March 22nd, 2009 at 11:56 No comments
The annual pwn2own (I pronounce it “pone to own”) contest just wrapped, with interesting results. DVLabs reports:
The contest uncovered 4 new and unique critical vulnerabilities affecting the latest and greatest versions of IE, Safari and FireFox. The Chrome browser gets a small nod for being impacted by one of the flaws, although exploit is not possible using any current known techniques.
You’ve probably seen the headlines about Internet Explorer 8 – the version that just came out – getting hacked, and how Microsoft swears it has a patch, less than 12 hours after the original “pwn” but just hasn’t delivered it yet.
Interestingly, none of the mobile operating systems – Blackberry, Android, iPhone, Nokia/Symbian, or Windows Mobile – got hacked. I betcha bucks to buckaroos that’ll change next year.
-
Firefox on Windows hardest target to crack
Posted on March 20th, 2009 at 21:03 1 comment
Ryan Naraine just posted a fascinating interview with Charlie Miller, the guy who broke into a fully patched MacBook at the annual Pwn2Own competition at the CanSecWest security conference.
Charlie confirms what you’ve known all along:
It’s really hard to exploit Firefox on Windows… For all the browsers on operating systems, the hardest target is Firefox on Windows.
Read what he says about Chrome. I, for one, was very impressed.
Thanks to reader GE for the heads-up…
-
Windows Secrets Security Baseline
Posted on February 26th, 2009 at 13:21 12 comments
This week’s edition of Windows Secrets Newsletter just hit the stands, and Ryan Russell’s Top Story discusses changes in the WSN Security Baseline. (Windows Secrets Newsletter appears in both a free version and a paid version – and you get to decide how much you want to pay for the paid version. The Top Story always appears in the free version and the paid version.)
In summary:
1. Use a hardware firewall. WSN has some good recommendations. In fact, any router you buy these days has a fully functional hardware firewall.
2. Install a security suite. WSN recommends Norton Internet Security. I’m too cheap. I still use AVG Free, or Avira Antivir Free.
3. Check for updates regularly. Watch this site for the latest, particularly on Microsoft patches. Make sure you download, install, update and religiously run Secunia PSI.
4. Select a more-secure browser. WSN and I strongly recommend Firefox.
The PC you save may be your own.


