updating the update, as it were

I made an update to my WPF timeline post, but I wanted to make sure that the correction was seen by people who may not revisit that post.

The SRD blog post which revealed that Firefox users were also exposed to the IE vulnerability was published on Tuesday, not Monday. The post is labelled as having been published Monday, and the timeline including that survived review by Microsoft, but nonetheless it was an error that I published, so I’ll own it. To the best of my knowledge, the SRD post which informed us and the world of the Firefox exposure was published on Tuesday after the patch and bulletins were first made available to Windows users.

You guys all about ready to have this thing entirely behind us? Yeah, me too. Me too.

update on the .NET Framework Assistant and Windows Presentation Foundation plugin blocking from this weekend

There’s a fair bit of confusion circulating about what happened, and what’s going to happen next, which is understandable — it’s been confusing! I’ll summarize here what happened, and what’s next.

Timeline

The add-on and plugin in question have a long and storied history, but for the events of this weekend the timeline basically starts this summer:

July 2009: Mark Dowd, Ryan Smith, and David Dewey present a paper at Black Hat detailing vulnerabilities in Internet Explorer and other software (including some Firefox plugins, such as Google’s Native Client, but not including Firefox itself or the Windows Presentation Foundation plugin).

Tuesday, October 13: Microsoft’s Security Research & Development team posts on their blog revealing that one of the Internet Explorer vulnerabilities in the Dowd and co. paper can be used to attack Firefox users through the use of this IE component in the Windows Presentation Foundation plugin. This plugin was and is distributed as part of Windows .NET Framework 3.5. As part of Patch Tuesday, Microsoft releases MS09-054 and its associated cumulative update, labeled as an Internet Explorer patch. (The bulletin has subsequently been updated to mention Firefox, see below.)

Friday, October 16: Mozilla contacted Microsoft to learn more about the exposure of our shared users. We discussed the nature of the vulnerability as well as the difficulty of uninstalling the plugin and add-on, and agreed that Mozilla should blocklist the add-on and plugin while we sorted out how best to ensure that Firefox users on Windows were protected. The SRD blog post was updated to indicate that Firefox users who applied the patch were protected from the vulnerability.

Saturday, October 17: Based on feedback from users (chiefly enterprise users), our web team began work on mechanisms for an overridable block (“soft block”) capability for Firefox 3.5 users. Discussions with Microsoft indicated that the add-on was a possible vector for the exploit, so it remained blocked.

Sunday, October 18: Microsoft informed us that the add-on (.NET Framework Assistant) was NOT a means for exploiting the vulnerability, and we removed it from the blocklist. The Windows Presentation Foundation plugin was confirmed to be exploitable unless the patch was applied, and remained on the blocklist. The MS09-054 bulletin was updated by Microsoft to include text about Firefox users.

Monday, October 19: We updated our blocklist management system to permit “soft blocks”, and adjusted the blocklist entry for the Windows Presentation Foundation plugin so that users who know they have the appropriate IE patch installed can re-enable the plugin.

Next Steps

Microsoft is monitoring patch adoption rates for the relevant patch, and when it reaches a high level of deployment we will remove the remaining blocklist item. I expect that will be in the next 48 hours at the outside.

Users of Windows 7 RTM are not affected, as the add-on and plugin are not distributed as part of Windows 7. Microsoft is working with Mozilla to make the functionality available to Firefox users in a user-controlled way for all operating systems in the future.

Stephanie Boesch, Director of Program Management at Microsoft, coordinated with Mozilla on this issue, and I want to thank her for her responsiveness and help throughout. She says: “Security is a top priority for all Microsoft customers, and we jointly decided the best course of action was to temporarily block the plugin and add-on while Firefox customers applied the Internet Explorer Security Update. We appreciate Mozilla’s shared commitment to protecting our mutual customers and look forward to working more closely with them in the future on such issues.”

Updated (Wed, Oct 21): fixed a timeline error caused by the SRD blog post having an incorrect publishing date on it, which even survived MSFT review of the timeline. The SRD post was published on Tuesday, not Monday.

[Comments are closed on my blog, but you can leave comments at the Mozilla Security Blog post on the topic if you'd like.]

update: .NET Framework Assistant (ClickOnce support) unblocked

We received confirmation from Microsoft this evening that the Framework Assistant add-on is not a mechanism for exploiting the vulnerabilities detailed in the earlier post, so we’ve removed it from the blocklist. As the blocklist update propagates to clients, the add-on should be re-enabled for users who had it previously enabled.

We’re hard at work on improving the experience for (especially enterprise) users who wish to override the blocking of the WPF plugin before we remove it from the blocklist, and I’m working on a post to clarify the events of the past few days. We (especially I) appreciate your patience and support as we work to keep our users safe and comfortable with all the tools at our disposal.

.NET Framework Assistant blocked to disarm security vulnerability

I’ve previously posted about the .NET Framework Assistant add-on that was delivered via Windows Update earlier this year. It’s recently surfaced that it has a serious security vulnerability, and Microsoft is recommending that users disable the add-on if they have not installed IE patch MS09-054.

Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism. Microsoft agreed with the plan, and we put the blocklist entry live immediately. (Some users are already seeing it disabled, less than an hour after we added it!)

Updated to reflect updates to Microsoft blog post. Also, the add-on was confirmed to not be a vector for the vulnerabilities, so it was removed from the blocklist. The plugin is still blocked pending more information about patch deployment rates; work is underway to make the blocking overridable to accommodate enterprises and sophisticated users who know they have installed the IE patch.

thoughts on chrome frame

Last week, Google announced Chrome Frame — a plugin for running their Chrome browser inside Internet Explorer. Early response from web developers has been predictably positive: they’ve been suffering under the reign of Internet Explorer for years, and even in 2009 they have to deal with Internet Explorer 6. I certainly share that longing for a web in which the vast majority of web users enjoy the performance and capabilities we see in Chrome, Safari, Firefox and Opera. Unfortunately, I don’t think that Chrome Frame gets us closer to that web.

Users who wish to render sites with Chrome can already use Chrome, of course, and should. If they want to keep using IE for sites that the site’s developers agree work better with Chrome — and we agree that the majority of sites are much better with a more modern browser than Internet Explorer — it is likely because of application behaviour. Running Chrome Frame within IE makes many of the browser application’s features non-functional, or less effective. These include private browsing mode or their other security controls, features like accelerators or add-ons that operate on the content area, or even accessibility support.

(Many users who are using IE rather than a more modern browser, especially those who are using the long-suffered IE 6, are likely to be unable to use Chrome Frame due to lack of system permissions or because they are running too old an operating system.)

As a side-effect, the user’s understanding of the web’s security model and the behaviour of their browser is seriously hindered by delegating the choice of software to the developers of individual sites they visit. It is a problem that we have seen repeatedly with other stack-plugins like Flash, Silverlight and Java, and not one that I think we need to see replayed again under the banner of HTML5. It would be better for the web if developers who want to use the Chrome Frame snippet simply told users that their site worked better in Chrome, and instructed them on how to install it. The user would be educated about the benefits of an alternate browser, would understand better the choice they were making, and the kudos for Chrome’s performance would accrue to Google rather than to Microsoft.

briefly

(Is it really true that I only blog what’s too long to tweet now? Need to think about what that means, but I’m already not sure I like it.)

From John, emphasis mine:

The reason we have a vibrant, open web today is because of millions of little decisions and contributions made by thousands of people in that timeframe — people who work on browsers, people who build web sites & applications, people who evangelize for standards, people who use the web and ask/demand that it be better.

From CNET:

Other questions from the audience ranged from what computer science professors should be teaching to whether Internet Explorer would support HTML 5. Ozzie said he had nothing to announce on the latter front, but added, “It is our commitment to be a world class Web browser, what our competitors like to call a modern web browser. I think you can expect us to do the right thing.”

Very much looking forward to it.

dealing with the .NET ClickOnce add-on

As a number of people have reported, a recent update to Microsoft’s .NET Framework resulted in an add-on being installed into Firefox. Shortly after this patch was released through Windows Update, we were in contact with Microsoft to see how to resolve this issue, as we were hearing directly and indirectly from users that they wanted to uninstall the add-on, and were unable to do so through the Firefox Add-on Manager.

Until recently, removing this add-on from Firefox required that users manually edit the registry, but I’m pleased to report that Microsoft has made available a downloadable patch, and has now added it to the knowledge base article on the topic. Once this patch is applied, the add-on can be uninstalled per-user. (On Windows 7 Release Candidate, the add-on is already the fixed version, at least in my own testing.)

The add-on that was delivered through Windows Update is not compatible with Firefox 3.5, so we’re still trying to figure out how to make sure that 250M-or-so users aren’t confused or — worse — scared off of the upgrade when they are informed that this add-on will be disabled. I’ll report back when we know how that’s going to work, hopefully before Firefox 3.5 is released!

[Edit: removed reference to "disabling".]

advancing open video

Video is a big part of the modern internet, whether it’s used to communicate, educate, or entertain my daughter. We’re building robust support for video (and audio) into Firefox 3.1, making it straightforward for authors to incorporate audio and video media into their pages and applications. We believe that it’s vital to the health of the web for people to approach video on the web the same way they do images: without needing proprietary plugins or paying license fees for restricted codecs, and with the ability to fully integrate into the rest of the page.

Our commitment to the success of open video on the web requires that we select codecs for Firefox that are usable by everyone, without restriction or licensing fee. To that end, we’ve chosen Theora as the format for Firefox 3.1.

We believe that Theora is the best path available today for truly open, truly free video on the internet. We also believe that it can be improved in video quality, in performance, and in quality of implementation, and Mozilla is proud to be supporting the development of Theora software with a $100,000 (USD) grant. Administered by the Wikimedia Foundation, this grant will be used to support development of improved Theora encoders and more powerful playback libraries. These improvements will benefit future versions of Firefox, and anyone else who supports open video on the web.

[Update: Chris Blizzard, being the awesome evangelist I always hoped I'd be, has a great post with a much deeper discussion of why this all matters.]

sevening

OK, Deb, you win. I should be doing something else, but until the Dayquil kicks in I’m not likely to be able to do so.

The Rules

  • Link to your original tagger(s) and list these rules in your post. (see above)
  • Share seven facts about yourself in the post. (see below)
  • Tag seven people at the end of your post by leaving their names and the links to their blogs. (see below)
  • Let them know they’ve been tagged. (you’ll just have to trust me)

The Seven Things

  1. I, too, figure skated when I was younger, to mild success. I don’t believe there are pictures of it on the web, which is OK.
  2. I once wrote a multi-user email system on top of DOS batch files, without the use of a text editor (copy con: represent).
  3. In high school, I was an avid member of the school’s technical theatre (and assembly, and school dance, and gaffer-ball varsity) club — avid to the point that I only narrowly managed to actually graduate from high school.
  4. I married my high-school sweetheart.
  5. I do not like to eat coconut- or banana-flavoured things, with a few exceptions like coconut milk in curries because what sort of animal do you think I am anyway? For the past 18 months or so, though, I have been trying to train myself to tolerate, if not enjoy, suchly-flavoured things so that I don’t unwittingly pass my aversion on to Claire. (See also: snakes, though not in a culinary sense.)
  6. I didn’t get my driver’s license until I was 29.
  7. I have lived at 21 addresses in 10 cities.

7 people, all of whom I believe share my disdain for such things to some degree

  • Vlad, for taking care of me in Serbia.
  • Mom, for taking care of me.
  • Phil, for never disguising his contempt for the stupid.
  • Hoye, ibid.
  • Dave, for teaching me to teach.
  • Kev, for being the photographer, bbqer and responsible adult I’d like to be some day.
  • George, for being George.

claire madeline shaver, 1

Hard to believe that it was a whole year ago (only a year ago) that we met Claire for the first time. It has been an incredible, wonderful, galactically amazing adventure learning to be her daddy; I can’t wait to see what’s next.

(I’m about 6 months behind on posting pictures; I’ll try to be quicker about the ones from her birthday drop-in this Saturday, ahem.)
