Status

Release Engineering
Releases
RESOLVED FIXED
3 years ago
3 years ago

People

(Reporter: mgoodwin, Assigned: mgoodwin)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(3 attachments, 8 obsolete attachments)

(Assignee)

Description

3 years ago
Superfish is putting users at risk. Various anti-malware tools now remove Superfish but many leave behind the Superfish root in the Firefox certificate db. Since the private key for this is known, the risk remains for Firefox users.


As per Richard Barnes' email to release-drivers on 2015-02-23 we have a hotfix to remove the superfish root from such machines.

Currently this:
* checks to see if we're running on Windows
* checks that superfish is *not* currently installed
* if the above conditions are satisfied, an attempt is made to distrust superfish's root
(Assignee)

Comment 1

3 years ago
Created attachment 8568536 [details]
superskua.xpi

hotfix unsigned

Updated

3 years ago
OS: Linux → Windows 8
Hardware: x86_64 → All
Any chance of rebundling the hotfix in a plain format instead of using the add-on sdk? I see that the hotfix code itself on main.js is simple, so this should be simple to do.

The reason is that the hotfix should uninstall itself after it performs its operation, and the basic hotfix structure has been reused many times so it's well tested. You can just copy the main structure from a past hotfix and add the code of your own. E.g.:
https://hg.mozilla.org/releases/firefox-hotfixes/file/c8e13ae460f7/v20150106.01/bootstrap.js

It would also be nice to add some TelemetryLog.log() calls (even with gDebug=false) so we can see it in action through telemetry.

Ping me on irc for any assistance!
(Assignee)

Comment 3

3 years ago
Created attachment 8569207 [details]
hotfix-v20150225.01.xpi

This time without addon SDK (based on previous hotfixes)
Attachment #8568536 - Attachment is obsolete: true
(Assignee)

Comment 4

3 years ago
Created attachment 8569208 [details] [diff] [review]
Bug1136150.patch
Attachment #8569208 - Flags: review?(felipc)
Attachment #8569208 - Flags: review?(dkeeler)
(Assignee)

Comment 5

3 years ago
Created attachment 8569219 [details] [diff] [review]
Bug1136150.patch

.. this time with try / catch to prevent failure on fx versions earlier than 30 on importing TelemetryLog
Attachment #8569219 - Flags: review?(felipc)
Attachment #8569219 - Flags: review?(dkeeler)
(Assignee)

Updated

3 years ago
Attachment #8569208 - Attachment is obsolete: true
Attachment #8569208 - Flags: review?(felipc)
Attachment #8569208 - Flags: review?(dkeeler)
Comment on attachment 8569219 [details] [diff] [review]
Bug1136150.patch

Review of attachment 8569219 [details] [diff] [review]:
-----------------------------------------------------------------

in the root of the repo, there's a README file that you need to update with a description of this hotfix.

Do we have reason to believe that Superfish will eventually become uninstalled?

::: v20150225.01/bootstrap.js
@@ +78,5 @@
> +                    .createInstance(Ci.nsIWindowsRegKey);
> +  registry.open(Ci.nsIWindowsRegKey.ROOT_KEY_LOCAL_MACHINE,
> +                "SOFTWARE\\CLASSES\\CLSID",
> +                Ci.nsIWindowsRegKey.ACCESS_READ);
> +  if (registry.hasChild("{02966FA9-C01A-47E7-A169-C83AEA1FB0BA}")) {
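
Review bot: the registry.open(...) call can throw when the key cannot be opened, and nothing in these lines catches that or closes the key afterwards. Because the result of hasChild(...) decides whether the root is touched, treat a failed registry read as "Superfish may still be installed" and do nothing, and call registry.close() once the check is done.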

Has someone verified that after Superfish is uninstalled, this key is gone?

@@ +94,5 @@
> +
> +  // Clear any active sessions/tickets
> +  let sdr = Cc["@mozilla.org/security/sdr;1"]
> +              .getService(Ci.nsISecretDecoderRing);
> +  sdr.logoutAndTeardown();

could you also set a pref here after completion, and check that pref on shouldAttemptDistrust, to avoid doing this twice in case the code performed correctly, but the hotfix failed to uninstall?

::: v20150225.01/install.rdf
@@ +5,5 @@
> +
> +  <Description about="urn:mozilla:install-manifest">
> +    <em:id>firefox-hotfix@mozilla.org</em:id>
> +    <em:version>20150225.01</em:version>
> +    <em:bootstrap>true</em:bootstrap>

you should add:
<em:targetPlatform>WINNT</em:targetPlatform>

to this list to limit this to be distributed to Windows users.  (but keep the check in bootstrap.js)

@@ +9,5 @@
> +    <em:bootstrap>true</em:bootstrap>
> +    <em:strictCompatibility>true</em:strictCompatibility>
> +
> +    <em:name>Firefox Superfish Cleanup Hotfix</em:name>
> +    <em:description>Distrust the Superfish root if present.</em:description>

This is a bit misleading as it's gonna distrust the cert if Superfish is no longer present.  Since this hotfix will possibly remain installed (as opposed to most that just uninstall right away), I wonder if we need better text here (will regular users be aware of what "Superfish" is?)

I think something along the lines: Protects Firefox against a flawed security certificate program known as "Superfish". Opinions?

@@ +16,5 @@
> +    <em:targetApplication>
> +      <Description>
> +        <!-- Firefox -->
> +        <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
> +        <em:minVersion>30.*</em:minVersion>

I think we can go with a much lower version.. Have the setCertTrustFromString(), constructX509FromBase64(), and nsISecretDecoderRing.logoutAndTeardown() existed since long ago?

@@ +19,5 @@
> +        <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
> +        <em:minVersion>30.*</em:minVersion>
> +        <!-- We need to run after upgrade. Ensure this is greater than or
> +             equal to our upgrade target. Exact version shouldn't matter -
> +             we'll uninstall from ourselves if not needed. -->

Did you write this comment ("We need to run after upgrade...") yourself, or is it copied from another hotfix?  If this is original, I didn't understand what exactly it means
Attachment #8569219 - Flags: review?(felipc) → feedback+
(Assignee)

Comment 7

3 years ago
(In reply to :Felipe Gomes from comment #6)
> Comment on attachment 8569219 [details] [diff] [review]
> Bug1136150.patch
> 
> Review of attachment 8569219 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> in the root of the repo, there's a README file that you need to update with
> a description of this hotfix.
> 
> Do we have reason to believe that Superfish will eventually become
> uninstalled?

Only that Windows Defender (and other similar tools) now treat this as the malware that it is and remove it.

> Has someone verified that after Superfish is uninstalled, this key is gone?

Yes; tested for both manual removal (via add/remove software) and Windows Defender cleanup.

> could you also set a pref here after completion, and check that pref on
> shouldAttemptDistrust, to avoid doing this twice in case the code performed
> correctly, but the hotfix failed to uninstall?

Will do.

> you should add:
> <em:targetPlatform>WINNT</em:targetPlatform>
> 
> to this list to limit this to be distributed to Windows users.  (but keep
> the check in bootstrap.js)

Will do.

> > +    <em:name>Firefox Superfish Cleanup Hotfix</em:name>
> > +    <em:description>Distrust the Superfish root if present.</em:description>
> 
> This is a bit misleading as it's gonna distrust the cert if Superfish is no
> longer present.  Since this hotfix will possibly remain installed (as
> opposed to most that just uninstall right away), I wonder if we need better
> text here (will regular users be aware of what "Superfish" is?)
> 
> I think something along the lines: Protects Firefox against a flawed security
> certificate program known as "Superfish". Opinions?

Yes, yours is better. I'll go with that.

> @@ +16,5 @@
> > +    <em:targetApplication>
> > +      <Description>
> > +        <!-- Firefox -->
> > +        <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
> > +        <em:minVersion>30.*</em:minVersion>
> 
> I think we can go with a much lower version.. Have the
> setCertTrustFromString(), constructX509FromBase64(), and
> nsISecretDecoderRing.logoutAndTeardown() existed since long ago?

I'll check for appropriate version ranges and sort this out.

> @@ +19,5 @@
> > +        <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
> > +        <em:minVersion>30.*</em:minVersion>
> > +        <!-- We need to run after upgrade. Ensure this is greater than or
> > +             equal to our upgrade target. Exact version shouldn't matter -
> > +             we'll uninstall from ourselves if not needed. -->
> 
> Did you write this comment ("We need to run after upgrade...") yourself, or
> is it copied from another hotfix?  If this is original, I didn't understand
> what exactly it means

This is copied from the other 2015 hotfix. I'll remove...

Comment 8

3 years ago
(In reply to :Felipe Gomes from comment #6)
> Comment on attachment 8569219 [details] [diff] [review]
> Bug1136150.patch
>
> @@ +9,5 @@
> > +    <em:bootstrap>true</em:bootstrap>
> > +    <em:strictCompatibility>true</em:strictCompatibility>
> > +
> > +    <em:name>Firefox Superfish Cleanup Hotfix</em:name>
> > +    <em:description>Distrust the Superfish root if present.</em:description>
> 
> This is a bit misleading as it's gonna distrust the cert if Superfish is no
> longer present.  Since this hotfix will possibly remain installed (as
> opposed to most that just uninstall right away), I wonder if we need better
> text here (will regular users be aware of what "Superfish" is?)

If we're worried about ensuring this is properly understood, it might be better to name it more generically. Just call it "Firefox Malware Mitigation Hotfix" instead, and only mention Superfish in the description.
(In reply to Dave Garrett from comment #8)
> If we're worried about ensuring this is properly understood, it might be
> better to name it more generically. Just call it "Firefox Malware Mitigation
> Hotfix" instead, and only mention Superfish in the description.

While I like the idea, I think the word Malware might scare people away, especially if it comes next to the word Firefox.. "Firefox Malware" might be all that people read... :) I think the description does a good job of elaborating and explaining what Superfish means.

Comment 10

3 years ago
(In reply to :Felipe Gomes from comment #9)
> (In reply to Dave Garrett from comment #8)
> > If we're worried about ensuring this is properly understood, it might be
> > better to name it more generically. Just call it "Firefox Malware Mitigation
> > Hotfix" instead, and only mention Superfish in the description.
> 
> While I like the idea, I think the word Malware might scare people away,
> especially if it comes next to the word Firefox.. "Firefox Malware" might be
> all that people read... :) I think the description does a good job of
> elaborating and explaining what Superfish means.

Fair enough. "Firefox Certificate Store Hotfix". Further bike-shedding is possible. :p

That said, I only suggested an alternative in response to the concern in comment 6. The existing title is fine with a sufficient description.
Comment on attachment 8569219 [details] [diff] [review]
Bug1136150.patch

Review of attachment 8569219 [details] [diff] [review]:
-----------------------------------------------------------------

This looks good, but due to the requirement that the hotfix uninstall itself, we'll have to take a different approach because of bug 1045907. See https://github.com/mozkeeler/superskua/issues/4 and https://github.com/mozkeeler/superskua/pull/5 (Basically, we'll be deleting any certificates with the same key instead of actively distrusting them. The effect should be as if the root had never been installed.)
Attachment #8569219 - Flags: review?(dkeeler) → review-
(Assignee)

Comment 12

3 years ago
Created attachment 8569385 [details] [diff] [review]
Bug1136150.patch

Addressed feedback from Keeler and Felipe. Also changed the name and description in line with comments above.

In particular:
* The hotfix will now attempt to remove (rather than distrust) the root
* The hotfix now checks to see if it's previously run successfully (by setting and checking a pref)
Attachment #8569219 - Attachment is obsolete: true
(Assignee)

Comment 13

3 years ago
Created attachment 8569387 [details]
hotfix-v20150225.01.xpi
Attachment #8569207 - Attachment is obsolete: true
(Assignee)

Updated

3 years ago
Attachment #8569385 - Flags: review?(felipc)
Attachment #8569385 - Flags: review?(dkeeler)
(In reply to David Keeler [:keeler] (use needinfo?) from comment #11)
> Comment on attachment 8569219 [details] [diff] [review]
> Bug1136150.patch
> 
> Review of attachment 8569219 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> This looks good, but due to the requirement that the hotfix uninstall
> itself, we'll have to take a different approach because of bug 1045907. See
> https://github.com/mozkeeler/superskua/issues/4 and
> https://github.com/mozkeeler/superskua/pull/5 (Basically, we'll be deleting
> any certificates with the same key instead of actively distrusting them. The
> effect should be as if the root had never been installed.)

Just clarifying, the requirement is not so much that the hotfix _must_ uninstall itself, but the thing to keep in mind is that the code wouldn't be running forever. The next time that another hotfix is released, the hotfix add-on would be updated to the newer one and the older one will cease to exist.
Comment on attachment 8569385 [details] [diff] [review]
Bug1136150.patch

Review of attachment 8569385 [details] [diff] [review]:
-----------------------------------------------------------------

Posting these two minor nits while we figure out what to do about sha256SubjectPublicKeyInfoDigest which Keeler says was added in Fx31.
Everything else looks good.

::: README
@@ +40,5 @@
>                 to Firefox 34.0.5, all platforms.
>  v20150106.01 - Bug 1113222 - copies the distribution directory to the new location required
>                 by Mac v2 signing for Firefox 10 - 37 on Mac OS X and hotfix v20141211.01 
>                 for Firefox 34.0.5 - 35 on all platforms.
> +v20150225.01 - Attempts to remove the Superfish root.

Follow the model from the other entries and add this bug number in the description, plus the target platform (Windows) and FF versions.

::: v20150225.01/bootstrap.js
@@ +49,5 @@
> +  } else {
> +    if (shouldAttemptRemoval()) {
> +      log("Superfish is not installed; attempting to remove root");
> +      try {
> +        Services.prefs.savePrefFile(null);

I suppose you intended to call savePrefFile _after_ the setBoolPref?

::: v20150225.01/install.rdf
@@ +9,5 @@
> +    <em:bootstrap>true</em:bootstrap>
> +    <em:targetPlatform>WINNT</em:targetPlatform>
> +    <em:strictCompatibility>true</em:strictCompatibility>
> +
> +    <em:name>Firefox Certificate Store Hotfix</em:name>

great
(Assignee)

Comment 16

3 years ago
Created attachment 8569510 [details]
hotfix-v20150225.01.xpi

Unsigned XPI
Attachment #8569387 - Attachment is obsolete: true
(Assignee)

Comment 17

3 years ago
Created attachment 8569511 [details] [diff] [review]
Bug1136150.patch

Addressed feedback:
* moved savePrefFile call to after setBoolPref
* fixed the readme to include the bug, version and platform information
* replaced usage of sha256SubjectPublicKeyInfoDigest with sha1Fingerprint to move minversion back before fx31 (currently 10 - is this OK?)
Attachment #8569385 - Attachment is obsolete: true
Attachment #8569385 - Flags: review?(felipc)
Attachment #8569385 - Flags: review?(dkeeler)
Attachment #8569511 - Flags: review?(felipc)
Attachment #8569511 - Flags: review?(dkeeler)
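
Added example, not code from the hotfix or the superskua repository: a Python model of the two matching strategies discussed in this bug, comparing a whole-certificate SHA-1 fingerprint with a SHA-256 digest over the SubjectPublicKeyInfo. The certificates are constructed DER with placeholder keys and signatures, and all function names and store labels are hypothetical.

```python
import hashlib

def tlv(tag, content):
    """DER-encode one element with a definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        start, n = pos + 2, first
    else:
        k = first & 0x7F
        if k == 0:
            raise ValueError("indefinite length is not valid DER")
        start = pos + 2 + k
        n = int.from_bytes(buf[pos + 2:start], "big")
    if start + n > len(buf):
        raise ValueError("truncated DER element")
    return tag, start, start + n

def spki_of(cert_der):
    """Return the DER bytes of subjectPublicKeyInfo inside a certificate."""
    tag, start, _ = read_tlv(cert_der, 0)            # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a certificate")
    tag, pos, tbs_end = read_tlv(cert_der, start)    # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                                  # optional [0] version
        pos = end
    for _ in range(5):     # serial, signature alg, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    tag, _, end = read_tlv(cert_der, pos)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("missing subjectPublicKeyInfo")
    return cert_der[pos:end]

def make_cert(serial, key_bytes, cn):
    """Build a constructed, unsigned certificate-shaped DER blob."""
    def alg(oid_hex):
        return tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0x05, b""))
    atv = tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))
    name = tlv(0x30, tlv(0x31, atv))                 # single commonName RDN
    validity = tlv(0x30, tlv(0x17, b"150101000000Z") + tlv(0x17, b"350101000000Z"))
    spki = tlv(0x30, alg("2a864886f70d010101") + tlv(0x03, b"\x00" + key_bytes))
    sig_alg = alg("2a864886f70d01010b")
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial]))
              + sig_alg + name + validity + name + spki)
    # Placeholder signature: these blobs are for parsing only, not verification.
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" + bytes(32)))

def match_by_fingerprint(store, target):
    """Labels of certs byte-identical to target (whole-certificate SHA-1)."""
    want = hashlib.sha1(target).hexdigest()
    return [k for k, der in store.items() if hashlib.sha1(der).hexdigest() == want]

def match_by_key(store, target):
    """Labels of certs carrying the same public key as target (SPKI SHA-256)."""
    want = hashlib.sha256(spki_of(target)).hexdigest()
    return [k for k, der in store.items()
            if hashlib.sha256(spki_of(der)).hexdigest() == want]

# Constructed sample data: placeholder key material, not real RSA keys.
KEY_A, KEY_B = bytes(range(64)), bytes(range(64, 128))
TARGET = make_cert(1, KEY_A, "Constructed Interceptor Root")
STORE = {
    "embedded-copy": make_cert(1, KEY_A, "Constructed Interceptor Root"),
    "reissued-same-key": make_cert(2, KEY_A, "Constructed Interceptor Root"),
    "unrelated-root": make_cert(3, KEY_B, "Constructed Other Root"),
}

if __name__ == "__main__":
    print("fingerprint match:", match_by_fingerprint(STORE, TARGET))
    print("key match:        ", match_by_key(STORE, TARGET))
```

A certificate that reuses the key under a different serial number is caught only by the key match, which is the difference between the two approaches.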
(Assignee)

Comment 18

3 years ago
A note on bug pre-history: this patch is based on https://github.com/mozkeeler/superskua - started by David Keeler and picked up by myself.
Comment on attachment 8569511 [details] [diff] [review]
Bug1136150.patch

Review of attachment 8569511 [details] [diff] [review]:
-----------------------------------------------------------------

LGTM. Most of my comments are just formatting nits, which are probably unimportant for this. I do think it's a bit strange that the hotfix will uninstall itself even if removing the root failed, but I'll defer to Felipe on if that's the behavior we want or not.

::: v20150225.01/bootstrap.js
@@ +38,5 @@
> +function log(str) {
> +  Cu.reportError("v20150225 hotfix error: " + str);
> +  try {
> +    // TelemetryLog may not be present
> +    TelemetryLog.log("Superfish-hotfix",[str]);
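
Review bot: log() sends every message through Cu.reportError with a "hotfix error:" prefix, yet it is also the path for progress messages such as "Superfish is not installed; attempting to remove root", so a routine run will read as a failure in the error console. Suggest dropping "error" from the prefix or giving log() a severity argument.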

nit: space after comma

@@ +56,5 @@
> +        Services.prefs.savePrefFile(null);
> +      } catch (ex) {
> +        log("Removing superfish root failed");
> +      }
> +      uninstallHotfix(data);
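
Review bot: the catch block logs the fixed string "Removing superfish root failed" and drops ex, and the same try also covers Services.prefs.savePrefFile(null), so a failed pref write is reported as a failed removal with no detail. Suggest including ex in the logged message and logging the pref save separately, so telemetry can tell the two apart.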

Shouldn't we only uninstall the hotfix if we succeed? (Although, I guess if we fail once we're likely to continue failing in the future...)

@@ +66,5 @@
> +
> +function uninstall(data, reason) { }
> +
> +function isRunningOnWindows() {
> +  var osString = Cc["@mozilla.org/xre/app-info;1"]

nit: using 'let' would be more consistent with the rest of the file

@@ +67,5 @@
> +function uninstall(data, reason) { }
> +
> +function isRunningOnWindows() {
> +  var osString = Cc["@mozilla.org/xre/app-info;1"]
> +                    .getService(Ci.nsIXULRuntime).OS;

nit: move this line one space to the left

@@ +121,5 @@
> +  let removedAnyCerts = false;
> +  while (enumerator.hasMoreElements()) {
> +    let cert = enumerator.getNext().QueryInterface(Ci.nsIX509Cert);
> +    if (cert.sha1Fingerprint ==
> +        tempCert.sha1Fingerprint) {
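
Review bot: the cert.sha1Fingerprint == tempCert.sha1Fingerprint comparison matches only certificates byte-identical to the embedded one, whereas the approach described in comment 11 was to delete any certificate with the same key. If the narrower match is the accepted cost of supporting versions before 31, add a comment above the comparison saying so.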

nit: I would have put these two on the same line
Attachment #8569511 - Flags: review?(dkeeler) → review+
Comment on attachment 8569511 [details] [diff] [review]
Bug1136150.patch

Review of attachment 8569511 [details] [diff] [review]:
-----------------------------------------------------------------

(In reply to David Keeler [:keeler] (use needinfo?) from comment #19)
> LGTM. Most of my comments are just formatting nits, which are probably
> unimportant for this. I do think it's a bit strange that the hotfix will
> uninstall itself even if removing the root failed, but I'll defer to Felipe
> on if that's the behavior we want or not.

Yeah, I guess it depends on what the code is trying to do, and what are the fail cases for it. In this case, I believe that if this code failed once, there's no reason to believe that running it again will succeed. So there's no point in keeping the hotfix installed and re-running the same error over and over.


This all looks good. Next steps for releasing a hotfix are:
 - Push this code (with Keeler's nits fixed) to the hotfix repo: https://hg.mozilla.org/releases/firefox-hotfixes/
 - File a bug to get a signed xpi (you can follow this example: bug 1110452 comment 0)
 - send an email to release-drivers and moc with the intent to ship the hotfix (all communication process described here: https://wiki.mozilla.org/Firefox/Hotfix)
 - kickstart the testing for this hotfix (get someone from QA, explain how to test the hotfix, etc).  More details about testing hotfixes here: https://developer.mozilla.org/en-US/Add-ons/Hotfix

::: v20150225.01/install.rdf
@@ +17,5 @@
> +    <em:targetApplication>
> +      <Description>
> +        <!-- Firefox -->
> +        <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
> +        <em:minVersion>10.*</em:minVersion>

10 is right. It is the first version where the hotfix system landed.
Attachment #8569511 - Flags: review?(felipc) → review+
(Assignee)

Comment 21

3 years ago
Created attachment 8569788 [details] [diff] [review]
Bug1136150.patch

Nits addressed.
Assignee: nobody → mgoodwin
Attachment #8569511 - Attachment is obsolete: true
Attachment #8569788 - Flags: review+
(Assignee)

Comment 22

3 years ago
Created attachment 8569789 [details]
hotfix-v20150225.01.xpi

Updated xpi (unsigned)
Attachment #8569510 - Attachment is obsolete: true
(Assignee)

Updated

3 years ago
Component: Security → Releases
Product: Firefox → Release Engineering
QA Contact: rail
Version: Trunk → unspecified
r+ from release management.
(Assignee)

Updated

3 years ago
Keywords: checkin-needed
(Assignee)

Comment 24

3 years ago
(In reply to :Felipe Gomes from comment #20)
>  - kickstart the testing for this hotfix (get someone from QA, explain how
> to test the hotfix, etc).  More details about testing hotfixes here:
> https://developer.mozilla.org/en-US/Add-ons/Hotfix

We need some testing on this; are you able to help, Matt?
Flags: needinfo?(mwobensmith)
http://hg.mozilla.org/releases/firefox-hotfixes/rev/1946d8ad7bdd
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Keywords: qawanted
Whiteboard: [not deployed yet]
Depends on: 1137421
Kamil did the last QA for hotfixing, maybe he's available for this one too?
Flags: needinfo?(kjozwiak)
I'll take this :)
Flags: needinfo?(mwobensmith)
Kamil, no worries, I got this already.
Flags: needinfo?(kjozwiak)
Created attachment 8570211 [details]
fx10_xpi_not_supported.png

I ran a pass on Windows 8, testing locally, and all looks good.

* Superfish cert is not removed when Superfish software is installed.
* Superfish cert is removed when Superfish software is not installed.
* In both cases, additional user-added certs are not removed by the add-on.
* Add-on removes itself after install.
* Min/max versions - plus Fx36 - of Fx tested, with one unrelated issue. [1]
* Platform check tested, with one unrelated issue. [2]
* Sanity check on Windows 7 to see that add-on removes Superfish cert. [3]

[1] Min version is set to Fx10, but we actually get an error message there saying it's unsupported. See attached screenshot. However, this works fine in Fx11. Since we are unlikely to fix Fx10, this couldn't be addressed even if it were a real bug. Couldn't find anything in Bugzilla pertaining to it, although that doesn't mean it hasn't been filed before.

[2] Attempt to install on unsupported platform - Mac - yields dialog saying it's incompatible (which is true) but says it's due to the version (which is false). Searching for an existing bug, but again not related to our work here.

[3] My understanding is that we only care about Windows 8, but this still works there.
Follow-up to mark maxVersion as 38.* because 39.* is not yet supported on AMO:
https://hg.mozilla.org/releases/firefox-hotfixes/rev/4934d9ac1574
Thanks for the testing. Regarding the 10/11 version thing, I believe the minVersion as set ("10.*") doesn't actually include 10.0, so the minVersion is effectively 11 here. I'm fine with that, 11 is early enough, so let's leave it at that.
Let's wait now for the hotfix to be pushed to staging to do some final testing with the deployment.
It's staged now. The MDN link has instructions on how to test the staged hotfix. Could you also do a sanity check on WinXP to make sure none of the APIs used have a problem there? (at least for the path "no superfish, nothing to do here")
Flags: needinfo?(mwobensmith)
I am in the process of testing this now. Give me an hour or so. I will do a check in WinXP also, as requested.
Flags: needinfo?(mwobensmith)
I've completed a test pass on the staged add-on, and I believe it passes. I didn't recreate all of the tests I did for the initial testing - only the ones that are relevant to the add-on being staged.

* Windows 8, Fx36, removes Superfish cert if no Superfish software is installed
* Windows 8, Fx39, no update is given (Fx version exceeds maxVersion)
* WinXP, Fx36, removes Superfish cert if no Superfish software is installed

I had issues getting the update to trigger, and had to do so manually following the steps below [1]. I don't do add-on testing often, so it's possible that I just missed something. It seems to me that the important piece is that the add-on is in place and functions as expected. If there are concerns about any of this, please let me know and I'll dig deeper.

[1] https://developer.mozilla.org/en-US/Add-ons/Hotfix#updatecheck
The hotfix is now live.

Comment 36

3 years ago
https://blog.mozilla.org/security/2015/02/27/getting-superfish-out-of-firefox/
Whiteboard: [not deployed yet]
Keywords: qawanted
There's a report that the hotfix might not be properly uninstalling itself on Linux.  Can anyone reproduce?

https://blog.mozilla.org/security/2015/02/27/getting-superfish-out-of-firefox/comment-page-1/#comment-111840
Flags: needinfo?(mgoodwin)
(Assignee)

Comment 38

3 years ago
(In reply to Richard Barnes [:rbarnes] from comment #37)
> There's a report that the hotfix might not be properly uninstalling itself
> on Linux.  Can anyone reproduce?
> 
> https://blog.mozilla.org/security/2015/02/27/getting-superfish-out-of-
> firefox/comment-page-1/#comment-111840

This is already being worked on; there was an issue with AMO (nothing we did wrong) where AMO didn't pick up the <targetPlatform>WINNT</targetPlatform> from the install.rdf file and distributed it to mac / linux too (which it shouldn't have). After being installed on those platforms, it was marked as disabled for being incompatible, which means the uninstall code doesn't run.

Felipe is working on an update which just bumps the version number and removes the TargetPlatform so it'll just remove itself on those platforms.
Flags: needinfo?(mgoodwin)
Did we consider alerting the user if the Superfish cert is found and the software is still present? We obviously can't remove the cert in that case because they are cut off from the Internet, but we could point them at the Lenovo download site.

Gerv
(Assignee)

Comment 40

3 years ago
(In reply to Gervase Markham [:gerv] from comment #39)
> Did we consider alerting the user if the Superfish cert is found and the
> software is still present? We obviously can't remove the cert in that case
> because they are cut off from the Internet, but we could point them at the
> Lenovo download site.
> 
> Gerv

We did; the main issue is that if we use our own message, we have l10n considerations (and additional testing). We also considered opening a tab with the Lenovo message - this has a few problems, the main one being that users probably wouldn't notice it.

It'd be lovely to work out some way of communicating with the user for future, similar issues (then, even if there are l10n things to work out, the quality work required would be reduced).
(In reply to Mark Goodwin [:mgoodwin] from comment #38)

> Felipe is working on an update which just bumps the version number and
> removes the TargetPlatform so it'll just remove itself on those platforms.

Mark, is that being tracked somewhere else?
Flags: needinfo?(mgoodwin)
(Assignee)

Comment 42

3 years ago
(In reply to Matt Wobensmith from comment #41)
> Mark, is that being tracked somewhere else?

I don't know. Felipe will. My understanding was that it was due to happen over last weekend.
Flags: needinfo?(mgoodwin) → needinfo?(felipc)
Depends on: 1142228
It should happen this week. Thanks for getting a bug on file, Matt.
Flags: needinfo?(felipc)