Annoyances.org

Is this really a vulnerability or just hype? Results of my tests, check the facts.
Thursday, June 4, 2009 at 4:04 pm
Windows Vista Annoyances Discussion Forum
Posted by lbecque (8 messages posted)


There seems to be a lot of misinformation and hype being spread around about this. See: http://voices.washingtonpost.com/securityfix/2009/05/microsoft_update_quietly_insta.html

Is this truly a vulnerability? Can software run from a single click on a website without the user's knowledge? Is this a bad MS design? The MS developer at http://blogs.msdn.com/brada/archive/2009/02/27/uninstalling-the-clickonce-support-for-firefox.aspx talks about the problem of not being able to uninstall it, which MS has now fixed with a download that can be manually installed. So there is a fix to the uninstall, but if it is NOT uninstalled, does this make Firefox vulnerable?

I further found a previous version of this extension written as a legitimate FF extension at: https://addons.mozilla.org/en-US/firefox/addon/1608. The developer provided a way to test his extension at: http://www.softwarepunk.com/ffclickonce/testing.html

I tested the MS version of this extension, which is installed by default automatically (not the updated one from MS which was referred to in the blog site above, nor the FF developer's version), by clicking on the link at http://www.softwarepunk.com/clickonce/tester/deploy/publish.htm, and you still get a dialogue that you are about to run an application, with the ability to choose to cancel the operation. With that, I can't see how this is a vulnerability unless there is a way to bypass this dialogue.

I also did a search in Secunia's database and found this software, but there are no vulnerability reports. I have sent a request to Secunia to ask if this is a vulnerability or at least has serious potential.

I'm not saying that there isn't at least the potential for a vulnerability here, but until someone can create a proof of concept of this vulnerability, I'm not convinced. Also, my test above does not confirm this vulnerability. Let's not create more hype about this without getting additional facts. There are plenty of real threats out there that we should focus on as well.

