[LINK] Microsoft exposes Firefox users to drive-by malware downloads
Alan Auzins
aga at webone.com.au
Tue Oct 20 16:06:53 AEDT 2009
Bernard's mail said in part:
>This introduction of vulnerabilities in a competing browser is a
>colossal embarrassment for Microsoft
and it's also, perhaps, somewhat of an embarrassment for some of the folks
at Bugzilla, who may initially have been a little less thorough or prudent
than the situation required.
Unless I've got it wrong, the auto fix applied by Mozilla to the browser was
for what seems to be an OS bug of long standing, the patch for which was
provided by MS auto updates on the previous Tuesday. The apparently hasty
action by Bug/Mozilla has created a little unrest for some large-scale
Firefox users, as a quick skim through the following posts shows:
https://bugzilla.mozilla.org/show_bug.cgi?id=522777
At the end of this quite long and passionately discussed thread is the
following:
>------- Comment #136 From Mike Shaver <shaver at mozilla.org>
>2009-10-18 18:02:23 PDT -------
>We received confirmation a couple of hours ago from Microsoft that the add-on
>itself is not a vector for these vulnerabilities, so we've removed it from the
>blocklist. You may revel in your clickonce-ing again, apologies for the
>inconvenience and thank you for your patience.
My reading is that if .Net 3.5 SP1 is installed on your XP system *and* you
have applied patch KB 974455 through auto updates or otherwise then the
vulnerability has been fixed at the OS level so no blocking or removal of
the plug-in is required.
I'm happy to stand corrected, but if what I have surmised is correct it may
save a hassle for some Link readers.
The above Bugzilla thread also does raise the issue of who, and under what
circumstance, has the authority to change things on your PC without
providing informed notice to and consent by the user/administrator.
But that is a different Link chestnut of long standing.
Alan