Adobe Fixes Flash Player

June 10, 2010

As promised earlier this week, Adobe Systems has released a new version of its Flash Player,, which fixes the vulnerability that I have written about before (most recently yesterday).  Adobe has issued a new Security Bulletin [APSB 10-14] with more information about the vulnerability and the new version.  The new version is available from the Flash Player download page, for Windows, Linux, and Mac OS X.   Solaris users should note that the new version is not yet available for their platform; they should continue to use the Release Candidate version I mentioned in my previous post.

Adobe is still saying that they expect to release a fix for the related vulnerabilities in Acrobat and Reader by June 29.

Microsoft Updates Firefox — Again

June 10, 2010

Last year, first in May and then in October, I posted about one of Microsoft’s software security patches that, without the knowledge of the user, installed an extension to the Mozilla Firefox browser.  Not only was it rude, at the very least, to modify another vendor’s software without the user’s knowledge, but the extension also introduced a security vulnerability to Firefox, as Microsoft itself admitted:

While the vulnerability is in an IE component, there is an attack vector for Firefox users as well. The reason is that .NET Framework 3.5 SP1 installs a “Windows Presentation Foundation” plug-in in Firefox, as shown below…

Having a vulnerability “feature” introduced by a Microsoft security patch is simultaneously ironic and outrageous, because avoiding Internet Explorer’s horribly broken security model is a significant reason many people switched to Firefox in the first place.

Well, they’re at it again.  Ars Technica is reporting that a recent Microsoft update for its “Search Enhancement Pack”, marked Important, installs — without notifying the user, never mind getting permission — a Firefox extension called “Search Helper Extension v 1.0”.  (Confusingly, there is an existing “Search Helper” extension for Firefox, listed at the Mozilla Add-Ons site, which is designed to “enhance Google searches.  Needless to say, this is a different animal entirely.   For more information, you can look at this discussion thread in the MozillaZine forums.)    Apparently this update is scheduled to be installed by default if the user has any Microsoft toolbars installed, even if they are disabled.  As the Ars Technica article reports:

Additional testing determined that the update is only being offered to those with one of the Microsoft toolbars installed, regardless of whether they are enabled or disabled. It’s unknown how many users fall into that scenario, but the toolbars often come bundled with new PCs and popular Microsoft downloads.

There is a Microsoft Knowledge Base article (KB 982217) that ostensibly describes the purpose of this update.  The description is a bit vague, but it apparently is supposed to fix a bug in the toolbar(s) related to home page classification — which is done so Microsoft can “improve” its service.

As I have said before, it is not difficult to imagine the howls of outrage and epidemic of chair throwing that would emanate from Microsoft HQ in Redmond were a Firefox update to silently install a modification to Windows.   The folks at Microsoft really don’t get it: the PC belongs to the user, not to them.   That’s a big reason why I use Linux.

%d bloggers like this: