Microsoft shipped the Firefox add-on as part of a .Net software update last February, causing outrage among some Firefox users, who complained that the software was sneaked onto their systems without their knowledge or approval and was

On Tuesday, Microsoft that Firefox users who have not applied a recent Internet Explorer patch were vulnerable to a "browse-and-get-owned attack" because of a bug in the Microsoft .Net Framework Assistant add-on.

"All that is needed is for a user to be lured to a malicious website," Microsoft said. Triggering this vulnerability involves the use of a malicious XBAP (XAML Browser Application).

The flaw is a nasty one, but users who have installed the MS09-054 IE update, released Tuesday are protected from this attack, "regardless of the attack vector," Microsoft said.

To protect users who may not have installed Microsoft's patch, Mozilla is automatically blocking two add-ons: the Microsoft .Net Framework Assistant and a related plugin called the Windows Presentation Foundation. The open-source browser started blocking the software late Friday night.