-
MS09-054 patch zaps Firefox
Posted on October 17th, 2009 at 07:14
Now it looks like this round of patches includes one, MS09-054, that messes up Firefox. If you have .NET Framework 3.5 SP1 installed, and you use Firefox, you’re opening up your system to all sorts of mayhem. The mayhem was supposed to be plugged by MS09-054, but it only made the situation worse. The problem? A Firefox plug-in that Microsoft installs called the Windows Presentation Foundation.
Just in from the SANS Internet Storm Center:
if you use Windows, install patches, and also have Firefox, oddly enough you will want to read the following Microsoft KB article entitled “How to remove the .NET Framework Assistant for Firefox”
UPDATE: Ryan Naraine at ZDNet has the details. Yes, Microsoft installed a “patch” with a security hole that affects Firefox. If you have automatic updates turned on, or you got fooled into installing MS09-054, you have to go into Firefox and manually turn off the bleeding add-on that Microsoft surreptitiously put on your computer.
REALLY COOL UPDATE:
I just re-started Firefox and it caught the two suckers. “Firefox has determined that the following add-ons are known to cause stability or security problems.” The culprits: .NET Framework Assistant and Windows Presentation Foundation. Both are blocked by default. Restart Firefox and you’ll be rid of the pests.
Take THAT Microsoft…
ANOTHER UPDATE: One reader left a comment about this patch, and I wanted to clarify. Yes, indeed, this patch was supposed to fix the earlier security hole created when Microsoft took it upon itself to install the .NET Framework Assistant in Firefox. (I cried about that patch in a blog entry four months ago.) While MS09-054 was supposed to fix the hole in Firefox introduced by Microsoft, it’s much smarter to simply disable Microsoft’s .NET Framework Assistant for Firefox. That’s exactly what Firefox has done. (Indeed, it’s what Microsoft recommended!) It isn’t clear, at this point, if MS09-054 makes the problem worse or not – thus the strikethrough edits to the beginning of this post.
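The add-ons in this post got into Firefox without anyone clicking "Install" because a Windows installer can register an extension machine-wide in the registry, and Firefox then loads it into every profile. The script below is an added example, not code from the post, from Microsoft or from Mozilla: it lists every add-on registered that way (Firefox of that era read HKLM and HKCU `SOFTWARE\Mozilla\Firefox\Extensions`, value name = add-on ID, value data = folder) and pulls the display name from each add-on's `install.rdf`, so you can see exactly what a vendor dropped into your browser and confirm it is gone after you follow the KB article.

```powershell
# Added example (not from the original post). Run in PowerShell on Windows.
# Lists Firefox add-ons that were registered machine- or user-wide through the
# registry rather than installed from inside Firefox.
# Assumption: the XUL-era layout, where each add-on folder holds an install.rdf
# manifest with an <em:name> element or em:name attribute.

$ExtensionKeys = @(
    'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions',
    'HKLM:\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions',   # 32-bit Firefox on 64-bit Windows
    'HKCU:\SOFTWARE\Mozilla\Firefox\Extensions'
)

function Get-ExternalFirefoxAddon {
    foreach ($key in $ExtensionKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
            if ($p.Name -like 'PS*') { continue }
            $id   = $p.Name
            $path = [string]$p.Value
            $name = '(no install.rdf found)'
            $rdf  = Join-Path $path 'install.rdf'
            if (Test-Path $rdf) {
                # The name may be an element or an attribute, so a regex is
                # simpler than wiring up RDF/em XML namespaces.
                $text = (Get-Content $rdf) -join "`n"
                $m = [regex]::Match($text, '<em:name>([^<]+)</em:name>|em:name="([^"]+)"')
                if ($m.Success) {
                    $name = if ($m.Groups[1].Value) { $m.Groups[1].Value } else { $m.Groups[2].Value }
                }
            }
            [pscustomobject]@{
                RegistryKey = $key
                AddonId     = $id
                Name        = $name
                Path        = $path
                PathExists  = (Test-Path $path)   # a dangling entry is harmless but worth cleaning up
            }
        }
    }
}

Get-ExternalFirefoxAddon | Format-Table -AutoSize
```

Anything this prints was put there by an installer, not by you; compare the names against Tools > Add-ons, and an entry whose `PathExists` is `False` is a leftover registration whose files are already gone.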
-
MS-DEFCON 4: Apply all outstanding patches except 951847 and 960715, and watch out for other problems
Posted on April 5th, 2009 at 06:00
It’s time to get patched up.
Last month’s crop of Black Tuesday patches turned out pretty good. One of them, KB 959772, is a CYA patch that lets people play music they’ve already bought from Microsoft. None of the three seems to be causing undue heartache.
I still recommend that you HOLD OFF on these patches:
KB 951847 is a mess of a patch of a patch of a patch of the .NET Framework in Windows XP. I’m beginning to think that it’ll never get fixed – you’re better off waiting until you upgrade to Vista or (better) Windows 7, which have .NET baked in.
KB 960715, the ActiveX killbit update, still breaks many programs. I don’t think the cure is any better than the disease. Of course, you’re using Firefox (or Chrome) – or any Web browser that doesn’t directly expose your machine to ActiveX infections, right?
KB 967715, the Conficker-killer that doesn’t work, is worth installing, but make sure you understand its limitations, as I posted in mid-March.
I’m still ambivalent about Windows XP Service Pack 3, KB 936929. If you’ve been keeping up on all of your patches, it’s a toss-up. If you decide to install it, and you have problems, be sure to check out Microsoft’s Knowledge Base article KB 950718.
I’m also ambivalent about Internet Explorer 8. Mark Edwards has a good analysis of the situation on the Windows Secrets web site.
That brings us down to MS-DEFCON 4: There are isolated problems with current patches, but they are well-known and documented here. Check this site to see if you’re affected and if things look OK, go ahead and patch.
To get patched up, click Start, All Programs. Near the top of the list you see either Windows Update or Microsoft Update. Click on that and tell Windows Update that you want to perform a “Custom” update. Be prepared to spend ten to fifteen minutes – longer, if you haven’t patched in a while. When you’re done, make sure you have Automatic Updates set to “Notify but don’t download or install” by clicking Start, Control Panel, Security Center.
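Before walking through the Custom update, it helps to know whether the two hold-off patches already slipped in through an earlier Automatic Updates run. The script below is an added example, not from the post: it asks the Windows Update Agent's own history (the `Microsoft.Update.Session` COM object, which records everything Windows Update or Microsoft Update installed) for the KB numbers in the hold-off list. The KB list is taken from this post; everything else is general WUA API usage.

```powershell
# Added example (not from the original post). Run in PowerShell on Windows.
# Checks Windows Update history for specific KB numbers using the Windows
# Update Agent COM API. Titles in the history look like
# "Security Update for Windows XP (KB960715)"; ResultCode 2 means "succeeded".

$HoldOff = @('KB951847', 'KB960715')   # the two patches this post says to skip

function Get-InstalledKbStatus {
    param([string[]]$KbList)
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $total    = $searcher.GetTotalHistoryCount()
    $history  = if ($total -gt 0) { $searcher.QueryHistory(0, $total) } else { @() }

    foreach ($kb in $KbList) {
        $hits = @($history | Where-Object {
            $_.Title -match [regex]::Escape("($kb)") -and $_.ResultCode -eq 2
        })
        $latest = if ($hits.Count -gt 0) { ($hits | Sort-Object Date -Descending)[0] } else { $null }
        [pscustomobject]@{
            KB        = $kb
            Installed = ($hits.Count -gt 0)
            LastSeen  = if ($latest) { $latest.Date } else { $null }
            Title     = if ($latest) { $latest.Title } else { '' }
        }
    }
}

Get-InstalledKbStatus -KbList $HoldOff | Format-Table -AutoSize
```

If either shows `Installed = True`, it went in before you changed Automatic Updates to "Notify but don’t download or install"; Add or Remove Programs (with "Show updates" ticked) is where you take it back out.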
My general admonition about applying hardware driver patches still applies: Ain’t broke, don’t fix. That is, unless you have a very specific reason for installing a new driver, don’t do it.
-
.NET Patch of a Patch of a Patch
Posted on March 17th, 2009 at 20:23
On January 30, I talked about the problems with the .NET Framework 3.5 Service Pack 1 patch known as KB 951847. At the time I recommended you avoid applying the patch. I continue to recommend that you avoid applying the patch.
If you install the “.NET Framework 3.5 SP 1” patch you actually get three versions of .NET Framework installed on your system, regardless of which version(s) of .NET you may already have: .NET Framework 2.0 SP2, .NET Framework 3.0 SP2, and .NET Framework 3.5 SP1.
That’s a Real Big Deal because different versions – or even different Service Packs – of .NET Framework are notorious for their incompatibilities. If you install a program, and it installs .NET Framework, you better keep that version around, if you want to continue to run the application.
Sound complicated? That ain’t the half of it.
Today Microsoft posted a patch for the .NET Framework 3.5 Service Pack 1 patch. Dubbed KB 967190, the patch fixes a problem with .NET 3.5 SP1 that makes it impossible to use the XPS document viewer on 64-bit versions of Vista.
The KB article goes on to say:
You must have .NET Framework 3.5 SP1 or .NET Framework 3.0 SP2 installed to apply this hotfix.
But there’s no separate confirmation that .NET Framework 3.0 SP2 also has the bug.
To make things even more, uh, entertaining, if you look at the patch, it doesn’t patch .NET Framework at all. It patches the XPSviewer.exe application.
Oy.