Important update and workaround
Thursday, June 4, 2009 at 7:09 pm Posted by lbecque
(8 messages posted)
I just discovered that before I ran the tests mentioned in my message above, I
had already changed the default setting in Firefox for this extension under Tools,
Add-ons, .NET...., options to turn ON the 'prompt before running ClickOnce applications'.
By default, this option is turned off and that is unsafe.
Everyone should at least turn on the prompt as a precaution if you haven't already
uninstalled or disabled the extension. With the prompt turned on it is just like
any other link that asks 'do you want to run this application'. So the real problem
here is that MS installed this update silently and left this option turned off, but
it is easy to correct.
Furthermore, I tested this with IE and it also runs by default. I can't see how
to turn it off in IE. This is another problem.
|
re: Important update and workaround
Thursday, June 4, 2009 at 7:50 pm Posted by Steve
(23810 messages posted)
Most Clueless Users don't need .NET Framework 3.5 anyway, so I just suggest those
to not install it.
|
re: Important update and workaround
Friday, June 5, 2009 at 5:33 am Posted by Charlie Hadden
(1338 messages posted)
I guess if a person isn't worried about buffer overflow attacks or doesn't have any need
for CLR (runtime) environment and a lot of other stuff including much of the updating
ability, you wouldn't need it. Of course that person probably could get by without
using an operating system and never miss it.
On Thursday, June 4, 2009 at 7:50 pm, Steve wrote:
>Most Clueless Users don't need .NET Framework 3.5 anyway, so I just suggest those
>to not install it.
|
re: Important update and workaround
Friday, June 5, 2009 at 6:20 am Posted by Steve
(23810 messages posted)
The point is Clueless Users aren't worried about buffer overflow attacks and don't
have a need for CLR (runtime) environment and a lot of other stuff, and updating
ability still works fine.
|
re: Is this really a vulnerability or just hype? Results of my tests, check the facts.
Sunday, June 7, 2009 at 6:13 am Posted by Daniel Weinreb
(2 messages posted)
Even if it asks the user first (which, as you point out, is NOT the default), it's
still a security vulnerability in practice. Consider how this works for an ordinary
person (my Dad). He is offered a useful service, if he clicks on some link. So
he clicks. A message comes up saying "blah, blah, incomprehensible techie stuff,
blah, blah: do you want to get the nice service that you asked for, or do you want
to not get it?" Of course, he answers yes.
(Same for the messages that Firefox pops up when there is a PKI problem such as an
expired certificate, or a totally bogus certificate, or no certificate, at a server.)
|
re: Is this really a vulnerability or just hype? Results of my tests, check the facts.
Sunday, June 7, 2009 at 8:26 am Posted by lbecque
(8 messages posted)
I agree with you Daniel that this is still a threat to the clueless who click yes
to everything. But no OS, security package, firewall or anti-virus is going to make
things completely safe for people who ignore these warnings and don't know what they
are doing. Ignorance aside, if the option to prompt you is turned on with this FF
extension then it is no worse than the many other ways in Windows that you can click
on something and it warns you that you are about to run an application or do something
that affects the security of your PC.
The fault that I see is that MS installed this extension with the prompt option turned
off, which is easily changed but many people won't know to do this. Also, IE has
the same problem and I don't see a way to correct this.
On Sunday, June 7, 2009 at 6:13 am, Daniel Weinreb wrote:
>Even if it asks the user first (which, as you point out, is NOT the default), it's
>still a security vulnerability in practice. Consider how this works for an ordinary
>person (my Dad). He is offered a useful service, if he clicks on some link. So
>he clicks. A message comes up saying "blah, blah, incomprehensible techie stuff,
>blah, blah: do you want to get the nice service that you asked for, or do you want
>to not get it?" Of course, he answers yes.
>
>(Same for the messages that Firefox pops up when there is a PKI problem such as an
>expired certificate, or a totally bogus certificate, or no certificate, at a server.)
|
re: Is this really a vulnerability or just hype? Results of my tests, check the facts.
Sunday, June 7, 2009 at 11:40 am Posted by Daniel Weinreb
(2 messages posted)
Yes, I agree completely.
|
re: Is this really a vulnerability or just hype? Results of my tests, check the facts.
Monday, June 8, 2009 at 8:49 pm Posted by dmex
(1 messages posted)
According to this article, ClickOnce has less access than a traditional installer:
http://msdn.microsoft.com/en-us/vbasic/ms789088.aspx
ClickOnce Can Not:
Install/Modify System Files
Install Drivers
Install Global Assembly Cache extensions
Install for Multiple Users
StartUp Automatically
Register/Modify FileTypes
Access/Modify the Registry
Patch/Modify any System Files other Application Files or your Files
Install itself anywhere other than the ClickOnce application cache.
How is ClickOnce a security issue even in the slightest?
On Thursday, June 4, 2009 at 4:04 pm, lbecque wrote:
>There seems to be a lot of mis-information and hype being spread around about this.
>See:
>http://voices.washingtonpost.com/securityfix/2009/05/microsoft_update_quietly_insta.html
>
>
>Is this truly a vulnerability? Can software run from a single click on a website
>without the user's knowledge? Is this a bad MS design?
>
>The MS developer at:
>http://blogs.msdn.com/brada/archive/2009/02/27/uninstalling-the-clickonce-support-for-firefox.aspx
>talks about the problem of not being able to uninstall it which now MS has fixed
>with a download which can be manually installed. So there is a fix to the uninstall,
>but if it is NOT uninstalled does this make Firefox vulnerable?
>
>I further found a previous version of this extension written as a legitimate FF extension
>at:
>https://addons.mozilla.org/en-US/firefox/addon/1608
>The developer provided a way to test his extension at:
>http://www.softwarepunk.com/ffclickonce/testing.html
>
>I tested the MS version of this extension which is installed by default automatically
>(not the updated one from MS which was referred to in the blog site above, nor the
>FF developers version) by clicking on the link at:
>http://www.softwarepunk.com/clickonce/tester/deploy/publish.htm
>and you still get a dialogue that you are about to run an application with the ability
>to choose to cancel the operation. With that I can't see how this is a vulnerability
>unless there is a way to bypass this dialogue.
>
>I also did a search in Secunia's database and found this software but there are no
>vulnerability reports. I have sent a request to Secunia to ask if this is a vulnerability
>or at least has serious potential.
>
>I'm not saying that there isn't at least the potential for a vulnerability here but
>until someone can create a proof of concept of this vulnerability I'm not convinced.
> Also my test above does not confirm this vulnerability. Let's not create more hype
>about this without getting additional facts. There are plenty of real threats out
>there that we should focus on as well.
|
re: Is this really a vulnerability or just hype? Results of my tests, check the facts.
Tuesday, June 9, 2009 at 10:28 am Posted by lbecque
(8 messages posted)
It is true that MS has implemented a number of security procedures around ClickOnce,
which is maybe why we haven't heard about a rash of malware based on ClickOnce....yet.
ClickOnce technology appears to be very similar to executing code within a Java
VM which is a fairly secure environment.
But I think you are wrong on one point, ClickOnce applications can indeed start up
automatically with no warning to the user. I tested this myself with the links I
mentioned provided by the previous FF extension developer. Furthermore, MS security
is based on the IE security zones. The test I mentioned is in the Internet security
zone which is set to 'prompt before downloading potentially unsafe content'. Yet
when I click it just runs with no prompt or warning. It doesn't seem that MS has
delivered what they said. It would only take the slightest amount of social engineering
to get naive users to click on a link. Something like 'Click this for FREE [music,
money, sex, drugs, etc.]'
Since there are no reports of massive malware attacks using ClickOnce technology
and no warnings on the Secunia database I'm still not convinced that this is a big
threat. However, it is not a bad idea to turn on the 'prompt before running ClickOnce
applications' option in the Firefox extension. Can anyone figure out how to do the
same for IE?
|
re: Is this really a vulnerability or just hype? Results of my tests, check the facts.
Wednesday, June 10, 2009 at 10:32 pm Posted by Hayes Whitt
(2 messages posted)
Daniel Weinreb "gets it" 100%. I laughed out loud, thinking about my dad. There
are so many click yes or no pop-ups these days, especially in Vista, you can't just
call someone a moron because they click "yes". We are conditioned to do so. Also there
is so much good product out there now no one can know all the names that may pop up.
I have to look them up all the time.
After all, it's not like the yes or no pop-up says "Would you like to install this
service with the spyware key-logger?" It's just another gibberish name like Google
or Ubuntu. We all click yes and hope for the best. You do it, I do it.
The issue is giving a (not even Msoft mind you!) browser machine level access. A
click yes or no isn't enough and not uber secure anyway since the spyware would just
need some type of "click yes" script built in. It's not like you need to enter an
admin password or anything... The browsers and machine level software installer
integration of IE is why it is considered less secure than Firefox. But I use IE
every day to check for and install Windows updates. It works great. But I never
browse with IE for the same reason. Don't be a fanboy or a hater, the right tool
for the right job.
At this point I am accepting that any client desktop machine that I use will one
day be compromised. Just wipe the drive and load a Vista backup or drive image.
Takes less time than a virus scan and it's like it never happened. I am starting
to wonder why I still bother with a virus scanner.
My servers are where the security is. Key based log in attempts don't even get a
connection without the encryption key which I keep on a flash drive.
Hi, can I log in?
What's your key?
Huh?
FAIL
On Sunday, June 7, 2009 at 11:40 am, Daniel Weinreb wrote:
>Yes, I agree completely.
|
re: Is this really a vulnerability or just hype? Results of my tests, check the facts.
Thursday, June 11, 2009 at 2:14 pm Posted by Hayes Whitt
(2 messages posted)
Timely regarding the just click Yes or No problem. (pardon the Time pun.)
http://www.time.com/time/business/article/0,8599,1903810,00.html?xid=rss-topstories