[LINK] Microsoft exposes Firefox users to drive-by malware downloads

Alan Auzins aga at webone.com.au
Tue Oct 20 16:06:53 AEDT 2009


Bernard's mail said in part:

>This introduction of vulnerabilities in a competing browser is a
>colossal embarrassment for Microsoft

and it's also, perhaps, somewhat of an embarrassment for some of the folks 
at Bugzilla, who may initially have been a little less thorough or prudent 
than the situation required.

Unless I've got it wrong the auto fix applied by Mozilla to the browser was 
for what seems to be an OS bug of long standing, the patch for which was 
provided by MS auto updates on the previous Tuesday. The apparently hasty 
action by Bug/Mozilla has created a little unrest for some large scale 
Firefox users as a quick skim through the following posts shows:

https://bugzilla.mozilla.org/show_bug.cgi?id=522777

At the end of this quite long and passionately discussed thread is the 
following:

>------- Comment #136 From Mike Shaver <shaver at mozilla.org>
>2009-10-18 18:02:23 PDT -------
>We received confirmation a couple of hours ago from Microsoft that the add-on
>itself is not a vector for these vulnerabilities, so we've removed it from the
>blocklist.  You may revel in your clickonce-ing again, apologies for the
>inconvenience and thank you for your patience.

My reading is that if .Net 3.5 SP1 is installed on your XP system *and* you 
have applied patch KB 974455 through auto updates or otherwise then the 
vulnerability has been fixed at the OS level so no blocking or removal of 
the plug-in is required.

I'm happy to stand corrected, but if what I have surmised is correct it may 
save a hassle for some Link readers.

The above Bugzilla thread also does raise the issue of who, and under what 
circumstance, has the authority to change things on your PC without 
providing informed notice to and consent by the user/administrator.

But that is a different Link chestnut of long standing.

Alan



