If you use Firefox, you may have already seen a pop-up from your browser alerting you that it is blocking the Microsoft .NET Framework Assistant and Windows Presentation Foundation add-ons. It’s for good reason.
As of today, Mozilla’s browser will automatically disable Microsoft’s add-on and plug-in because of a gaping security hole that allows for drive-by-download attacks. The flaw lies in the Windows Presentation Foundation plug-in that is installed by the .NET add-on.
According to a Microsoft Security Research & Defense blog post, anyone who has applied the MS09-054 security patch (available via Windows Update) is safe from a potential attack against this flaw, regardless of whether the attack comes via IE or the WPF plug-in. But since Microsoft automatically installed the add-on earlier this year without asking the user’s permission, Redmond should be red-faced after this fiasco.