On Friday, Mozilla blacklisted two Microsoft add-ons for Firefox: the .NET Framework Assistant extension, and the Windows Presentation Foundation plug-in. The latter of the two contains a security issue that has since been fixed as part of MS09-054. As far as I can tell, there was no such issue with the former.

What are these add-ons?

The two add-ons are related in that they both ship as part of .NET Framework 3.5 SP1¹, but unrelated in their purpose.

• The .NET Framework Assistant allows ClickOnce applications to be installed (into a sandbox) and launched from Firefox. ClickOnce is comparable to Java Web Start, except that it works for applications written for .NET, not Java. Without the “assistant”, you can still download the .application manifest file (an XML-based file format including a digital signature and a URL pointing to the actual application binaries and resources) and launch it afterwards, but if the name wasn’t a giveaway, seamlessness is the very point of ClickOnce.
• Windows Presentation Foundation (WPF) is the new GUI toolkit for .NET, replacing Windows Forms. A subset of WPF wrapped inside a sandbox was originally known as WPF/e (for “everywhere”) and later on branded as Silverlight. This plug-in, however, is for the full WPF, except also for applications running in a sandbox. It’s as confusing as it sounds.

The latter is where the vulnerability occurred; due to the existence of the plug-in, it affected Firefox.

Why do I have those add-ons? Why can’t I uninstall them?

In a controversial move, they were bundled with .NET Framework 3.5 SP1. There is no way of customizing the install² such that you skip those add-ons.

As for uninstallation, the story is once again different for the two:

• The original version of the .NET Framework Assistant can’t be uninstalled from within Firefox due to its method of installation. Reasonably, it is installed system-wide (just like .NET itself is system-wide). Unfortunately, while Mozilla provides a developer-level guide for doing so (using the Windows Registry), it doesn’t provide a user-level one for undoing so. Presumably, Firefox would have to provide an external application that is launched with administrator privileges (and therefore, an user rights elevation dialog to launch it) in order to change or remove the installation. The button isn’t missing for some conspiratory reason on Microsoft’s part, but because of what is arguably a missing capability in Firefox. Uninstallation could be done by manually removing the Registry entry.

  In a later update, Microsoft changed the extension to be installed per-user. This allows uninstalling (although only for yourself!) from within Firefox.

• As Windows Presentation Foundation is a plug-in, it cannot be uninstalled from Firefox at all. Again, this is something Firefox doesn’t support, not something Microsoft went ouf ot their way to prevent.

So, what now?

The vulnerability has been fixed, but only two days before Mozilla decided to blacklist the extension. Problematically, many users are known to wait days, months or sometimes millennia³ to install patches, whether out of a (sometimes rational) fear that they will break other things, because they don’t have permission or knowledge to do so, or for other reasons.

Unfortunately, even if you do have the patch installed, the add-ons are still blacklisted. As I understand it, the add-ons’ versions⁴ haven’t changed from the patch, so Mozilla is unable to verify that you do in fact have them patched. While it is possible to query Windows Update for what patches are installed, such code would presumably require an update to Firefox itself.

Two things trouble me more: from what I can see, the first add-on did in fact not have a vulnerability at all, so ClickOnce support is currently broken in Firefox for what appears to be no actual reason. Second, Mike Shaver claims that “Microsoft is recommending that all users disable the add-on.”, but my reading of their blog entry suggests that, as long as you have the patch installed, you don’t need to disable the add-on at all.

1. Which should have been named 3.6, as it adds some completely new features, such as the ADO.NET Entity Framework. ↩
2. To my knowledge, that is. ↩
3. Hyperbole included. ↩
4. Or the UUID? ↩

I learnt something this week. Well, that’s not quite true — I had been suspecting this for a while, but as of this Wednesday, I’ve finally gathered enough evidence.

I’ve been fortunate enough to get to know a broad range of viewpoints through school and my surroundings. That becomes self-perpetuating after a while: once you realize that, in many situations of life, what you assume to be true — because your parents / teacher / friends all have been saying it is — may be far less black and white than that, you learn to leave the circle-jerkfest, gather information, analyze it and form your own thought. I know this. I try to challenge the status quo all the time. And yet, there are things so obviously true and self-evident that I don’t question them. What a mistake.

One such thing assumed to be true: that I’m not good at presenting. Why would I think such a thing? Because whenever I tried, I felt that utterly sucked. And when I asked others, they agreed. Sure, I was encouraged to “practice”, but the unspoken, implied vibe I always got? That I’ll always be mediocre at it. There is lots of common valid wisdom about how to improve your presentation skills. Avoid putting too much on your slides. Make eye contact with your audience. Always hold something in your hands. Never stare at the projection canvas. When making pauses, emphasize them to give everyone — not just yourself — a chance to think about what you’ve just said. All sound advice, and much of it is conveyed at school. But one thing isn’t: pick a subject you’re passionate about.

It doesn’t matter how much you royally suck at telling your classmates about how the assassination of Franz Fredinand of Austria ultimatley led to World War I, because even if you’re a history buff, chances are you don’t find that subject any more exciting than your audience does, and acting as if it is just isn’t gonna work well. Seriously, it won’t. Acting and speaking are two entirely different things.

As I said, I’d been suspecting this to be true for a while. But when I held a presentation on relational databases to a class on Wednesday, for 35 minutes, with most of the students intently listening, several telling me afterwards that it was fantastic, and one going so far as to say that he’s never had someone explain it so well, I finally knew.

You’ll still be nervous ahead of it. You’ll still want to avoid throwing up. You’ll still feel relieved afterwards. But believe you me, as long as you love what it is you’re talking about, you can blow everyone’s socks off. And you might even look forward to the next time.

For updates you don’t care to hear about again, Windows Update provides you with a “Hide update” function. One of those updates would be Silverlight, and I’d like to not have it installed; not because of some irrational hatred towards it¹, but because I currently have no need for it on what is a virtual machine purely for development purposes. But while the hide function works fine on other updates (language packs, for instance), it doesn’t appear to for Silverlight: seemingly, Silverlight re-appears a few minutes later. Try again, and it re-appears again.

I’ve finally taken the minute to figure out why this is. Don’t attribute this to malice on Microsoft’s part; Silverlight is not exempt from hiding. Instead, what’s really going on is that as you reject the newest version of Silverlight, you get the previous one. Reject that, and you get another older one. In total, you have to hide six updates to get the desired effect² — and you can’t do them all in one batch because the respective older one will only become available as the newer one has been hidden.

I’m glad they’re not trying to force Silverlight down our throats, but you’d think they’d have figured out a way, by now, to really hide an entire group of “updates” altogether.

1. Nor because it is very much a completely new component, rather than an update. ↩
2. You can easily verify this yourself by taking a closer look at the different knowledge base IDs after each hidden update. ↩

CocoaHeads is a group all over the world¹ meeting up every month and discussing Cocoa (and Cocoa Touch), Apple’s primary development framework for the Mac and iPhone platforms. Alexander Repty (perhaps best known for his neat Lab Tick utility) took the initiative in launching a chapter for Bremen. We² met for the first time on Thursday. About a dozen people came (we were hoping for four, maybe five), and it turned out to be a great two and a half hours in a café.

Like In The Old Days

It struck me when explaining this event to someone else how oddly this must come across: as more and more social activities of our everyday life — both leisurely and professional — takes place over the Internet, with chat rooms, discussion forums, blogs, and other fast-paced media, here comes what amounts to a perfectly old-fashioned hanging-out over coffee and cake. I first met Alex in #macsb (for Macintosh Software Business), an IRC channel on FreeNode focused on running independent Mac development studios. It’s one of the stranger coincidences in life: despite being an international chatroom hosting only several dozen people, we actually grew up less than a mile from each other. And yet, we never met in person until Thursday.

So why, when you can use CocoaDev to look up API commentary, Stack Overflow to discuss problems that have you stumped and Twitter to follow what others are cooking up, would you really need to attend anything in real life³ any more? It is perhaps downright antithetical to the stereotype for a software developer to do.

Truth be told, the benefits are hard to describe exhaustively. As far as resources go, the Internet is absolutely unparalleled. And yet, because we aren’t forced to interact socially, we tend not to. Forums and even twitter are far from real-time anyway, and as for chatrooms, we tend to lurk for minutes or even hours, only sticking our heads in when we feel like it. A café doesn’t give us that option, and while it honestly isn’t something I’d want to experience every day, it is a refreshing contrast to the usual. So, immediacy places a role. Those who are there are actually… there.

There’s a quality to actually meeting that perhaps roughly matches what Rands calls The Pond; a shared, mutual breeding place for ideas that just cannot with our current technology be replicated or even closely imitated with telecommunication. I’ve witnessed this myself with the occasional work from home (or elsewhere) I do; sure, everyone’s reachable, but that’s a stark contrast to everyone being around. Got a problem and can’t figure it out immediately? In the office, you’ll ask your neighbor to take a look (and, typically, just the advantage of two additional eyes solves things fast). Elsewhere, you’ll hesitate to instant-message around, call anyone up or even write an e-mail, and will for no good reason be more inclined to solve things yourself.

Finally, perhaps the decidedly low-tech nature of this — though, to be far, some did show apps that they’ve written or are working on around — is simply a refreshing change.

I had never been to anything like this before — I’ve been to expositions, and I’ve done demos for current and potential customers, but conferences, not so much. One reason? I had regarded the very idea of meeting up in person as somewhat outdated and superfluous.

Now, not so much, because clearly, the benefits of socializing with others who share your profession go way beyond the obvious intoxication and “networking”.

Post Scriptum

I thank (again) Lexx for organizing, and everyone else for attending. For those in Bremen or nearby, we plan to meet the second Thursday of every month. If anyone wants to join in or perhaps even present something, please do!

1. Though Africa is feeling rather lonely right now, and South America even more so. ↩
2. To my own astonishment, that includes yours truly. ↩
3. It feels funny to stress this. ↩

For some, this has to be the best news of the month so far¹: “within a week or so”, Apple will send iPhone developers a new version of the SDK agreement that will no longer put API usage under NDA. From open discussion (and exchange of code) to books being published to open source software being put out of legal limbo, this should resolve many entirely unnecessary (from the developers’ perspective) hindrances.

What I find interesting is how Apple describes this as a change of mind, rather than something they had intended all along:

We put it in place as one more way to help protect the iPhone from being ripped off by others.

However, the NDA has created too much of a burden on developers, authors and others interested in helping further the iPhone’s success, so we are dropping it for released software.

And:

Thanks to everyone who provided us constructive feedback on this matter.

Whether individual developers had a stake in this decision, or whether is was rather influenced by higher-profile companies (or perhaps largely by recent cancellations of books) will perhaps never be clear. Nonetheless, it confirms Matt Gemmell: “Apple is listening”. Perhaps they sometimes do so too late, but at least they do at all.

Now let’s hope some progress can be made on the arbitrary rejection front.

1. Especially considering the month just started today. ↩