Slashdot is powered by your submissions, so send in your scoop


Forgot your password?
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 Internet speed test! ×

Comment ClickOnce add-on unblocked (Score 1) 448

We just got confirmation from Microsoft this evening that the .NET Framework Assistant add-on (used to provide ClickOnce stuffs) was NOT a vector for this vulnerability, so we've removed it from the blocklist. The WPF plugin is still there, though we're working on a way to let sophisticated users and enterprises override the block if they know that they have applied the relevant IE patch to their system.

o/~ the more you know o/~

Comment Re:Wait, its okay for Firefox to have a kill switc (Score 2, Informative) 448

We have interest in determining if the Firefox user in question has applied the IE patch in question, but we do not have the means.

It is related to IE, because the patch in question is explicitly labelled as affecting Internet Explorer, and makes no mention of the fact that it can impact Firefox users who have not gone out of their way to disable part of .NET Framework 3.5 SP1. (That's one of the things we're working on getting fixed, as it happens.)

Comment Re:Ha ha (Score 4, Informative) 448

I believe that by tomorrow you will have a number of options, though switching browsers is certainly one of them. I hope to post an update to our security blog about it tonight.

(Do your boxes depend on the WPF plugin or the ClickOnce add-on, out of curiosity? And can I ask what you did before Windows .NET Framework 3.5 SP1 installed this plugin? Or are all the apps in question more recent than February? Genuinely interested, trying to learn more about the scope of people's use here.)

Comment Re:Ha ha (Score 5, Interesting) 448

I (Mike Shaver) am the person who spoke with the person at Microsoft. I'm not going to name them, because that's not my place, but this was not a case of us sticking it to Microsoft -- it was a case of us protecting our mutual users, with their agreement. We're working (today, as I type this) on ways to make the blocklist entry less disruptive for people who have their systems patched up. If we had known about the vulnerability before it was publicly disclosed, we could have done a lot more to make it smooth for users, but timing left us with an unpleasantly reduced set of options.

Comment Re:Inconsistent logic (Score 3, Interesting) 448

That statement is consistent with what I heard from Microsoft, though their post has been updated since that conversation. And MSFT has seen that text; if it's not correct, I'm sure I'll hear it from them, and will be happy to correct it. (I wrote the text pretty quickly, since it was late on Friday night and we were getting inbound already from the blocklist addition.) But that's really ancillary to the issue, which is that Firefox users are vulnerable to a problem that we learned about this week, which is labelled as an IE problem/patch. Microsoft and Mozilla agreed that we should block the plugin and add-on to mitigate the risk while we made sure that FF users were going to install that IE patch. This isn't an us-vs-them thing, but I don't know who you're talking to at Microsoft who is saying different things.

Comment Re:Inconsistent logic (Score 5, Informative) 448

Because there is no way to distinguish patched from unpatched systems -- the WPF plugin doesn't expose any version information, unlike Flash and other such systems, and it didn't get updated with MS09-054. If I had known about this vulnerability before they posted on their blog, I would have told them to provide just such a distinction, so that we could disable only unpatched setups! We can remove from the blocklist as quickly as we added, but I wanted to protect users while we made sure that Firefox users would apply this patch, and figure out how to do better with this subsystem going forward. Microsoft agreed, and -- my sympathy for users that this has inconvenienced notwithstanding -- I still think it was the best of our available options.

Slashdot Top Deals

It is now pitch dark. If you proceed, you will likely fall into a pit.