MS09-054: Extra info on the attack surface for the IE security bulletin

MS09-054 addresses an IE vulnerability (CVE-2009-2529), which was discovered and presented by Mark Dowd, Ryan Smith, and David Dewey at the BlackHat conference in July.

First we’d like to make it clear that any customers that have applied the update associated with MS09-054 are protected, regardless of the attack vector.  And most customers need not take any action as they’ll receive this update automatically through Automatic Updates.

For those customers that are evaluating whether or not to deploy this update, and want more information on how to protect themselves until they do, we’ve provided more details in this blog post to help understand this vulnerability.

What’s the attack vector?

A browse-and-get-owned attack vector exists. All that is needed is for a user to be lured to a malicious website. Triggering this vulnerability involves the use of a malicious XBAP (XAML Browser Application). Please note that while this attack vector matches one of the attack vectors for MS09-061, the underlying vulnerability is different. Here, the affected process is the Windows Presentation Foundation (WPF) hosting process, PresentationHost.exe.

While the vulnerability is in an IE component, there is an attack vector for Firefox users as well. The reason is that .NET Framework 3.5 SP1 installs a “Windows Presentation Foundation” plug-in in Firefox, which appears in the Firefox add-ons list as shown in the screenshot below.


Via this plug-in it is possible to launch XBAP, and reach this vulnerability, from within Firefox.

How can I protect myself?

Customers should apply MS09-054 as this addresses the underlying vulnerability for all users, both IE and Firefox.  While you’re evaluating and testing your deployment of MS09-054, you may want to consider the following workarounds.

For IE users, our recommended workaround is to disable XBAP in the Internet zone. By default, IE8 on Win2k8 and Win2k3 already has XBAP disabled in the internet zone. For others, you can disable XBAP via the following security setting in IE.
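For administrators who want to audit or roll out this workaround across many machines rather than through the IE dialog, here is an added PowerShell example (not part of the MSRC post). It assumes, per Microsoft KB 182569, that registry value 2400 under the Internet zone key (Zones\3) is the “.NET Framework: XAML browser applications” setting, with 0 = Enable, 1 = Prompt and 3 = Disable.

```powershell
param([switch]$Enforce)

# Internet zone = Zones\3 under Internet Settings.
# Assumption (Microsoft KB 182569): value name 2400 is
# ".NET Framework: XAML browser applications"; 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ValueName = '2400'
$Disabled  = 3
$Labels    = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Returns the explicit XBAP setting for the Internet zone, or $null if none is set.
function Get-XbapInternetZoneSetting {
    $props = Get-ItemProperty -Path $ZoneKey -ErrorAction SilentlyContinue
    if ($props -eq $null -or $props.$ValueName -eq $null) { return $null }
    return [int]$props.$ValueName
}

$current = Get-XbapInternetZoneSetting
if ($current -eq $null) {
    # No explicit value: IE applies the zone template default (the post notes
    # that IE8 on Windows Server 2003/2008 already defaults to Disable).
    Write-Output 'XBAP in Internet zone: not explicitly set (template default applies)'
} else {
    $label = $Labels[$current]
    if (-not $label) { $label = 'unknown' }
    Write-Output "XBAP in Internet zone: $current ($label)"
}

# With -Enforce, set the value to Disable (3) if it is not already.
if ($Enforce -and $current -ne $Disabled) {
    Set-ItemProperty -Path $ZoneKey -Name $ValueName -Value $Disabled -Type DWord
    Write-Output "XBAP in Internet zone: set to $Disabled (Disable)"
}

# Caveat: if the "Security Zones: Use only machine settings" policy is enabled,
# the HKLM copy of the same key governs and should be audited/set instead.
```

Run without parameters to report the current setting; run with `-Enforce` to apply the workaround for the current user.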

For Firefox users with .NET Framework 3.5 installed, you may use “Tools”-> “Add-ons” -> “Plugins”, select “Windows Presentation Foundation”, and click “Disable”.

Big thanks to David Ross, Fermin J. Serna, and Andrew Roths from the MSRC Engineering Team, Eric Lawrence and Jeremy Reed from IE team, and Jennifer Lee from WPF team.

Updated October 16, 2009 – updated blog post to clarify that Firefox users are protected from CVE-2009-2529 if they install the MS09-054 update.