Pretty sure it's XBAP's use of mshtml that's the problem for 09-054; 09-061 is a different vuln that is also exposed through some .NET widget.

We just got confirmation from Microsoft this evening that the .NET Framework Assistant add-on (used to provide ClickOnce stuffs) was NOT a vector for this vulnerability, so we've removed it from the blocklist. The WPF plugin is still there, though we're working on a way to let sophisticated users and enterprises override the block if they know that they have applied the relevant IE patch to their system.

o/~ the more you know o/~

http://blogs.technet.com/srd/archive/2009/10/12/ms09-054.aspx says pretty clearly that it's an IE vulnerability: "While the vulnerability is in an IE component", which fits with the information I have. I think perhaps the WPF plugin uses that IE component?

There is no version difference for the plugin or add-on between patched and unpatched systems. That's one reason that this is so messy right now; if we had known about the Firefox aspect of the vulnerability before the SRD blog post, we would have suggested just that sort of version bump.

We have interest in determining if the Firefox user in question has applied the IE patch in question, but we do not have the means.

It is related to IE, because the patch in question is explicitly labelled as affecting Internet Explorer, and makes no mention of the fact that it can impact Firefox users who have not gone out of their way to disable part of .NET Framework 3.5 SP1. (That's one of the things we're working on getting fixed, as it happens.)

I believe that by tomorrow you will have a number of options, though switching browsers is certainly one of them. I hope to post an update to our security blog about it tonight.

(Do your boxes depend on the WPF plugin or the ClickOnce add-on, out of curiosity? And can I ask what you did before Windows .NET Framework 3.5 SP1 installed this plugin? Or are all the apps in question more recent than February? Genuinely interested, trying to learn more about the scope of people's use here.)

There is no war. We decided together that this was the right step to take right now to protect our mutual users, based on our understanding of the problem and outcomes.

We're working on it (today) -- I'm very sorry for the inconvenience!

I (Mike Shaver) am the person who spoke with the person at Microsoft. I'm not going to name them, because that's not my place, but this was not a case of us sticking it to Microsoft -- it was a case of us protecting our mutual users, with their agreement. We're working (today, as I type this) on ways to make the blocklist entry less disruptive for people who have their systems patched up. If we had known about the vulnerability before it was publicly disclosed, we could have done a lot more to make it smooth for users, but timing left us with an unpleasantly reduced set of options.

Yes, sorry, I should have said that we can't distinguish it without custom code pushed through a patch, because it doesn't affect any files that we load or touch.

The plugin in question was installed via a Windows Update _security_ update, it wasn't something that people really chose to install. I agree, though, that this really, really isn't malware. That's a ridiculous misuse of the term.

That statement is consistent with what I heard from Microsoft, though their post has been updated since that conversation. And MSFT has seen that text; if it's not correct, I'm sure I'll hear it from them, and will be happy to correct it. (I wrote the text pretty quickly, since it was late on Friday night and we were getting inbound already from the blocklist addition.) But that's really ancillary to the issue, which is that Firefox users are vulnerable to a problem that we learned about this week, which is labelled as an IE problem/patch. Microsoft and Mozilla agreed that we should block the plugin and add-on to mitigate the risk while we made sure that FF users were going to install that IE patch. This isn't an us-vs-them thing, but I don't know who you're talking to at Microsoft who is saying different things.

If Microsoft or Apple asked us about such a kill-switch for a version of Firefox that we put onto their users' systems via a security update, and we agreed that it was the right thing to do, I would hope there wouldn't be a shitstorm at all.

I applaud your commitment to understanding ahead of commenting. I wish such commitment were as widespread as the plugin in question!

Because there is no way to distinguish patched from unpatched systems -- the WPF plugin doesn't expose any version information, unlike Flash and other such systems, and it didn't get updated with MS09-054. If I had known about this vulnerability before they posted on their blog, I would have told them to provide just such a distinction, so that we could disable only unpatched setups! We can remove from the blocklist as quickly as we added, but I wanted to protect users while we made sure that Firefox users would apply this patch, and figure out how to do better with this subsystem going forward. Microsoft agreed, and -- my sympathy for users that this has inconvenienced notwithstanding -- I still think it was the best of our available options.