
Comment: ClickOnce add-on unblocked (Score 1) 448

by Mike Shaver (#29788721) Attached to: Firefox Disables Microsoft .NET Addon

We just got confirmation from Microsoft this evening that the .NET Framework Assistant add-on (used to provide ClickOnce stuffs) was NOT a vector for this vulnerability, so we've removed it from the blocklist. The WPF plugin is still there, though we're working on a way to let sophisticated users and enterprises override the block if they know that they have applied the relevant IE patch to their system.

o/~ the more you know o/~

Comment: Re:Wait, its okay for Firefox to have a kill switc (Score 1) 448

by Mike Shaver (#29788247) Attached to: Firefox Disables Microsoft .NET Addon

http://blogs.technet.com/srd/archive/2009/10/12/ms09-054.aspx says pretty clearly that it's an IE vulnerability: "While the vulnerability is in an IE component", which fits with the information I have. I think perhaps the WPF plugin uses that IE component?

Comment: Re:Great (Score 4, Informative) 448

by Mike Shaver (#29786719) Attached to: Firefox Disables Microsoft .NET Addon

There is no version difference for the plugin or add-on between patched and unpatched systems. That's one reason that this is so messy right now; if we had known about the Firefox aspect of the vulnerability before the SRD blog post, we would have suggested just that sort of version bump.

Comment: Re:Wait, its okay for Firefox to have a kill switc (Score 2, Informative) 448

by Mike Shaver (#29786259) Attached to: Firefox Disables Microsoft .NET Addon

We have interest in determining if the Firefox user in question has applied the IE patch in question, but we do not have the means.

It is related to IE, because the patch in question is explicitly labelled as affecting Internet Explorer, and makes no mention of the fact that it can impact Firefox users who have not gone out of their way to disable part of .NET Framework 3.5 SP1. (That's one of the things we're working on getting fixed, as it happens.)

Comment: Re:Ha ha (Score 4, Informative) 448

by Mike Shaver (#29785939) Attached to: Firefox Disables Microsoft .NET Addon

I believe that by tomorrow you will have a number of options, though switching browsers is certainly one of them. I hope to post an update to our security blog about it tonight.

(Do your boxes depend on the WPF plugin or the ClickOnce add-on, out of curiosity? And can I ask what you did before Windows .NET Framework 3.5 SP1 installed this plugin? Or are all the apps in question more recent than February? Genuinely interested, trying to learn more about the scope of people's use here.)

Comment: Re:Ha ha (Score 5, Interesting) 448

by Mike Shaver (#29783993) Attached to: Firefox Disables Microsoft .NET Addon

I (Mike Shaver) am the person who spoke with the person at Microsoft. I'm not going to name them, because that's not my place, but this was not a case of us sticking it to Microsoft -- it was a case of us protecting our mutual users, with their agreement. We're working (today, as I type this) on ways to make the blocklist entry less disruptive for people who have their systems patched up. If we had known about the vulnerability before it was publicly disclosed, we could have done a lot more to make it smooth for users, but timing left us with an unpleasantly reduced set of options.

Comment: Re:Inconsistent logic (Score 3, Interesting) 448

by Mike Shaver (#29783895) Attached to: Firefox Disables Microsoft .NET Addon

That statement is consistent with what I heard from Microsoft, though their post has been updated since that conversation. And MSFT has seen that text; if it's not correct, I'm sure I'll hear it from them, and will be happy to correct it. (I wrote the text pretty quickly, since it was late on Friday night and we were getting inbound already from the blocklist addition.) But that's really ancillary to the issue, which is that Firefox users are vulnerable to a problem that we learned about this week, which is labelled as an IE problem/patch. Microsoft and Mozilla agreed that we should block the plugin and add-on to mitigate the risk while we made sure that FF users were going to install that IE patch. This isn't an us-vs-them thing, but I don't know who you're talking to at Microsoft who is saying different things.

Comment: Re:Inconsistent logic (Score 5, Informative) 448

by Mike Shaver (#29783773) Attached to: Firefox Disables Microsoft .NET Addon

Because there is no way to distinguish patched from unpatched systems -- the WPF plugin doesn't expose any version information, unlike Flash and other such systems, and it didn't get updated with MS09-054. If I had known about this vulnerability before they posted on their blog, I would have told them to provide just such a distinction, so that we could disable only unpatched setups! We can remove from the blocklist as quickly as we added, but I wanted to protect users while we made sure that Firefox users would apply this patch, and figure out how to do better with this subsystem going forward. Microsoft agreed, and -- my sympathy for users that this has inconvenienced notwithstanding -- I still think it was the best of our available options.
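
The comments above turn on one point: a blocklist entry can only spare patched systems if the patched plugin reports something different from the unpatched one. The sketch below is an added example, not part of the original comments and not Mozilla's blocklist code; the entry shape, plugin name and version numbers are constructed for illustration.

```javascript
// Added illustration; entry shape, plugin name and versions are constructed.

// Compare dotted numeric versions: <0 if a<b, 0 if equal, >0 if a>b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// True when the entry applies to this install. An entry with no range is a
// blanket block. An install that reports no version cannot be placed inside
// or outside a range, so this model blocks it (fail closed).
function isBlocked(entry, install) {
  if (entry.name !== install.name) return false;
  if (entry.minVersion === undefined && entry.maxVersion === undefined) return true;
  if (!install.version) return true;
  if (entry.minVersion !== undefined &&
      compareVersions(install.version, entry.minVersion) < 0) return false;
  if (entry.maxVersion !== undefined &&
      compareVersions(install.version, entry.maxVersion) > 0) return false;
  return true;
}

// Labels of the installs an entry would disable.
function blockedLabels(entry, installs) {
  return installs.filter((i) => isBlocked(entry, i)).map((i) => i.label);
}

const NAME = "example-plugin"; // hypothetical plugin name

// Situation in the comments: the patch does not change what the plugin reports.
const sameVersion = [
  { label: "unpatched", name: NAME, version: "1.0.0" },
  { label: "patched", name: NAME, version: "1.0.0" },
];
// Hypothetical alternative: the patch also bumps the plugin version.
const bumpedVersion = [
  { label: "unpatched", name: NAME, version: "1.0.0" },
  { label: "patched", name: NAME, version: "1.0.1" },
];

const rangedEntry = { name: NAME, maxVersion: "1.0.0" };

console.log(blockedLabels(rangedEntry, sameVersion));   // ["unpatched", "patched"]
console.log(blockedLabels(rangedEntry, bumpedVersion)); // ["unpatched"]
```
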
