For techie tips and tricks, tools and sites of (dis)interest

It's not just me - Firefox doesn't like Windows Presentation Foundation either

| Sunday, October 18, 2009

You may have seen this "Add-ons may be causing problems" window recently.

It seems that there's plenty of evidence to suggest that Microsoft's .NET Framework Assistant and WPF add-ons cause serious instability and can leave your computer vulnerable to remote code execution.

If I'd installed these add-ons, I'd say fair enough - uninstall them for now, wait until MS patch them, and install the patched versions.

I suppose I happened to visit a site with some (or lots) of Silverlight content. I was told that I needed these add-ons to allow the content to be displayed properly. I allowed them, restarted and the content was loaded. Presumably. To be honest, I don't even really remember doing it. Perhaps I didn't.

It seems that these pesky parasites latched on to my lovely browser when I installed .NET Framework 3.5 SP1. They were slipped in through the back door, without so much as a by-your-leave. For most of us who have these add-ons, they were installed around February this year. That's eight months of risk.

So, there they were, and they were leaving our browsers vulnerable to crashes, and worse.
They're disabled now, and I'll be uninstalling them shortly. I'm not impressed that the warning came from Mozilla and not from Microsoft. I imagine that Mozilla noticed them in user-submitted crash reports and opened a ticket with Microsoft's security team to say that their .NET / WPF add-on / plugin was causing crashes. MS probably said it was a browser issue, for Mozilla to sort out, and so on...

You might like to take a look at Mozilla's list of dodgy add-ons - you'll also see the Apple QuickTime Plugin, v7.1.*, which also can allow remote code to be executed on your machine. I have version 7.6, so I guess that's safe, for now.

You can also view the details on these add-ons, and the .NET / WPF add-on thread on Bugzilla is especially illuminating. It pretty much says that Microsoft advised Mozilla to just go ahead and block the plug-in, probably because they missed it in the Patch Tuesday roll-up, and the next one is still some way away.

  says:
It does show up in
http://people.mozilla.org/~dbaron/crash-stats/20090929-interesting-addons ,
although the correlations that show up aren't necessarily signs of causation. 
However, that shows that it's quite common in the wild: it's installed for the
users submitting 48% of our Windows crash reports on Firefox 3.5.3.
If Microsoft is recommending disabling it (all versions, or just some?) because
of security vulnerabilities, then I'd strongly support adding it to the
blocklist.

I was not too impressed that MS didn't quickly release a patch themselves - but reading further down in that thread, you can see that there is some doubt creeping in - perhaps they did?

George Robert said:
Is there a particular reason why these are being blocked two days after
Microsoft released a fix for this issue?

MS09-054 was released on 10/14/2009, which the linked technet article in
comment #23 very clearly states resolves this issue for both IE and Firefox
Yay! So I'm safe and I can enable it again? Well, no:
It seems that the reason they had to put a blanket ban on all versions of the WPF plugin, is because:
a) There is presently no way for Firefox to hook into the OS list of installed MS patches
b) MS don't bother putting version numbers on their WPF libraries - they are just called NPWPF.dll
c) MS didn't put a new version # on the WPF plugin or .NET add-on to indicate that it was downloaded / installed after the patch was applied

Ultimately, this decision to add them to the blocklist was arrived at by mutual consent, which is clearly stated by Mozilla's Mike Shaver. This is the final word on the matter, and I'm satisfied that Mozilla did the best they could in the situation, even if some administrators in the field who got Firefox approved as the browser of choice in their company, and use some of the affected technologies will be very put out.

So, tough luck for MS. Now most Firefox users will have a slightly lower opinion of them than they did before, and this is another setback for WPF, its advocates and its users.

Oh, and while all you Firefox on Linux users are welcome to have a little chuckle about it, you'd better check if you have Moonlight 2.0 (BETA) installed first.


Windows Presentation Foundation has some serious issues

| Wednesday, October 14, 2009
All is not well in Microsoft's attempt to improve the Windows user experience for Vista, Windows 7 and subsequent releases.
I still don't have Silverlight installed on my home PC (No! It can't be so!) - I need to use it for collaborative work with Microsoft on my computers at the office, but I can't say it enriches my experience as a user.

If I were a .NET developer, dependent on MS for new SDKs and APIs, I'm not sure I'd be too happy to read this, but InfoQ are going around saying it has some serious problems, the biggest hitter probably being the fact that it leaks memory like a big bucket full of memory with a massive hole in the bottom.

Other members of the blog-o-sphere spotted this issue before, so I'm not sure why it took so long for the InfoQ guys to sniff it out. The point is that they eventually did, and they even identified some major areas where it was leaking.

Read more about the basics of WPF, Microsoft's own WPF library, a site for its fanboys, and the Windows Presentation Foundation SDK.

Slow Firefox Startup

| Saturday, October 10, 2009
It doesn't seem to matter what version of Firefox you're likely to still have, they are all slow to start up.
In this old post, I gushed about the greatly improved performance with Firefox 3.5, which I stand by.
However, the startup is really poor. Once it gets going, it's great, but there's very little noticeable improvement in startup times for FF 3.5 over FF 3 once you have a load of add-ons installed.
You can tweak as per this old post all you want, but the /Prefetch:n switch doesn't really do it.

As much as I hate preloaders, in the end, I had to capitulate.
The FirefoxPreloader, hosted on Sourceforge, really works and has cut down start times from 30 seconds to about 3 seconds. It loads during startup, and by the time your PC is up and running and you click on old Foxy, you'll be on your home page in no time.
I think this is well worth it if you browse for much more than 50% of your total time at the PC.


Search for Software Vulnerabilities

| Saturday, October 03, 2009
While stumbling around the internets I came across this darkReading article titled:
"FBI: Your Social Networking 'Friend' Really Isn't In Trouble Overseas"

It was worth reading, but not really anything we didn't all know already. However, the links to the right of the article in the "BUGS Enterprise Vulnerabilities" section were very interesting, not least because most of the ones showing at the time happened to be WebSphere Application Server 6.1 related, which I work with day-to-day.

Clicking from there to the originating website brought me to this excellent resource, which until today, I didn't even know existed.
The vulnerability search is the main draw, as far as I can see, and I was able to find innumerable hits (well, not strictly true, since it says exactly how many hits you got from a query) for several applications I use, or hate.

This is no reflection on Apple, but I did a little search on "Apple Safari", and got 192 hits. That's not bad, and there were only 18 vulnerabilities in Safari listed here for the last 3 months.
What puts this into context is that a search on Apache Tomcat got just 63 hits (all time), with the last one listed on June 16th this year (so none in the last 3 months), while a search on "Windows_Vista" (you need to use _ for a phrase search, not quotes as with most search engines - or you can use the advanced search instead) produces 209 hits. This is lower than I expected, but when I checked a few I could see that some of them were compound threats, with links leading to KB articles and roll-ups.

If you have any software you'd like to check for holes, this is a good place to look. The vendor might be brilliant at keeping you informed and warned (like Drupal, for example, who send me vulnerability warnings by mail regularly), but they might also not be very forthcoming like, I don't know, Symantec for example.

Don't wait for the vendor to tell you about it, I guess that's what I'm trying to say.

Since it doesn't look like the National Vulnerability Database lists everything, I'd appreciate any links to other sites that provide a similar search facility (and don't say google.com either!).