Annoyances.org

re: Is this really a vulnerability or just hype? Results of my tests, check the facts.
Monday, June 8, 2009 at 8:49 pm
Windows Vista Annoyances Discussion Forum
Posted by dmex (1 messages posted)


According to this article, ClickOnce has less access than a traditional installer:
http://msdn.microsoft.com/en-us/vbasic/ms789088.aspx

ClickOnce Can Not:
Install/Modify System Files
Install Drivers
Install Global Assembly Cache extensions
Install for Multiple Users
StartUp Automatically
Register/Modify FileTypes
Access/Modify the Registry
Patch/Modify any System Files, other Application Files, or your Files
Install itself anywhere other than the ClickOnce application cache.

How is ClickOnce a security issue even in the slightest?





On Thursday, June 4, 2009 at 4:04 pm, lbecque wrote:
>There seems to be a lot of misinformation and hype being spread around about this.
>See:
>http://voices.washingtonpost.com/securityfix/2009/05/microsoft_update_quietly_insta.html
>
>Is this truly a vulnerability? Can software run from a single click on a website
>without the user's knowledge? Is this a bad MS design?
>
>The MS developer at:
>http://blogs.msdn.com/brada/archive/2009/02/27/uninstalling-the-clickonce-support-for-firefox.aspx
>talks about the problem of not being able to uninstall it, which MS has now fixed
>with a download which can be manually installed. So there is a fix to the uninstall,
>but if it is NOT uninstalled does this make Firefox vulnerable?
>
>I further found a previous version of this extension written as a legitimate FF extension
>at:
>https://addons.mozilla.org/en-US/firefox/addon/1608
>The developer provided a way to test his extension at:
>http://www.softwarepunk.com/ffclickonce/testing.html
>
>I tested the MS version of this extension, which is installed by default automatically
>(not the updated one from MS which was referred to in the blog site above, nor the
>FF developer's version), by clicking on the link at:
>http://www.softwarepunk.com/clickonce/tester/deploy/publish.htm
>and you still get a dialogue that you are about to run an application with the ability
>to choose to cancel the operation. With that I can't see how this is a vulnerability
>unless there is a way to bypass this dialogue.
>
>I also did a search in Secunia's database and found this software but there are no
>vulnerability reports. I have sent a request to Secunia to ask if this is a vulnerability
>or at least has serious potential.
>
>I'm not saying that there isn't at least the potential for a vulnerability here but
>until someone can create a proof of concept of this vulnerability I'm not convinced.
>Also my test above does not confirm this vulnerability. Let's not create more hype
>about this without getting additional facts. There are plenty of real threats out
>there that we should focus on as well.




Written in response to:
Is this really a vulnerability or just hype? Results of my tests, check the facts. (lbecque: Thursday, June 4, 2009 at 4:04 pm)


