Annoyances.org

re: Is this really a vulnerability or just hype? Results of my tests, check the facts.
Tuesday, June 9, 2009 at 10:28 am
Windows Vista Annoyances Discussion Forum
Posted by lbecque (8 messages posted)


It is true that MS has implemented a number of security procedures around ClickOnce, which is maybe why we haven't heard about a rash of malware based on ClickOnce... yet. ClickOnce technology appears to be very similar to executing code within a Java VM, which is a fairly secure environment.

But I think you are wrong on one point: ClickOnce applications can indeed start up automatically with no warning to the user. I tested this myself with the links I mentioned provided by the previous FF extension developer. Furthermore, MS security is based on the IE security zones. The test I mentioned is in the Internet security zone, which is set to 'prompt before downloading potentially unsafe content'. Yet when I click, it just runs with no prompt or warning. It doesn't seem that MS has delivered what they said. It would only take the slightest amount of social engineering to get naive users to click on a link. Something like 'Click this for FREE [music, money, sex, drugs, etc.]'

Since there are no reports of massive malware attacks using ClickOnce technology and no warnings on the Secunia database, I'm still not convinced that this is a big threat. However, it is not a bad idea to turn on the 'prompt before running ClickOnce applications' option in the Firefox extension. Can anyone figure out how to do the same for IE?


Written in response to:
re: Is this really a vulnerability or just hype? Results of my tests, check the facts. (dmex: Monday, June 8, 2009 at 8:49 pm)
