Not for Tom, this may be too much of a clear thinking post for him to handle.
There seems to be a lot of misinformation and hype being spread around about this. See: http://voices.washingtonpost.com/securityfix/2009/05/microsoft_update_quietly_insta.html

Is this truly a vulnerability? Can software run from a single click on a website without the user's knowledge? Is this a bad MS design?

The MS developer at http://blogs.msdn.com/brada/archive/2009/02/27/uninstalling-the-clickonce-support-for-firefox.aspx talks about the problem of not being able to uninstall it, which MS has now fixed with a download that can be manually installed. So there is a fix to the uninstall, but if it is NOT uninstalled, does this make Firefox vulnerable?

I further found a previous version of this extension written as a legitimate FF extension at: https://addons.mozilla.org/en-US/firefox/addon/1608 The developer provided a way to test his extension at: http://www.softwarepunk.com/ffclickonce/testing.html

I tested the MS version of this extension, which is installed by default automatically (not the updated one from MS which was referred to in the blog site above, nor the FF developer's version), by clicking on the link at http://www.softwarepunk.com/clickonce/tester/deploy/publish.htm and you still get a dialogue that you are about to run an application, with the ability to cancel the operation. With that I can't see how this is a vulnerability unless there is a way to bypass this dialogue.

I also did a search in Secunia's database and found this software, but there are no vulnerability reports. I have sent a request to Secunia to ask if this is a vulnerability or at least has serious potential. I'm not saying that there isn't at least the potential for a vulnerability here, but until someone can create a proof of concept of this vulnerability I'm not convinced. Also, my test above does not confirm this vulnerability.

Let's not create more hype about this without getting additional facts. There are plenty of real threats out there that we should focus on as well.
On Sun, Jun 7, 2009 at 3:15 PM, t.piwowar <[email protected]> wrote:
> On Jun 7, 2009, at 4:23 PM, mike wrote:
>
>> I was thinking...great lengths seems to be hitting the 'uninstall' button
>> in the extensions of firefox for that extension. Whew...I'm tuckered out
>> after that ordeal. I had to *restart* firefox too.
>>
>
> If you had bothered to check before posting you would know that M$ disabled
> that uninstall button. The URL cited even included a screen shot to
> illustrate this.
>
> Of course we all know that WFBs don't have to check anything, they already
> know everything.
>
> *************************************************************************
> ** List info, subscription management, list rules, archives, privacy **
> ** policy, calmness, a member map, and more at http://www.cguys.org/ **
> *************************************************************************
