Sorry, but the irritating uninstall page will continue to display until I’m sure that all Wizz RSS users have seen it.
I have received a few emails asking how to turn off the irritating “Please uninstall Wizz RSS” page. I’m sorry to say that there isn’t much you can do to turn it off, unless you uninstall or dive into the Wizz RSS code.
I know for a fact that many people ignore warnings that I have posted over the years. On two previous occasions I have posted warnings with regard to backing up feeds before upgrading to a newer version of Firefox, only to have people get on my case when their feeds went missing.
To those of you who have chosen not to uninstall Wizz RSS: Sorry for the inconvenience. I promise that it won’t continue forever. If only one single Wizz RSS user gets hacked because they didn’t see the notification about the vulnerabilities, I would probably be held responsible. When I’m happy that all ± 100 000 Wizz RSS users have seen and read the notification, I’ll turn the irritating notification off.
November 16th, 2009 at 5:33 pm
Is there a way that I can download my feeds off of the server now that I have uninstalled? Do they still “live” anyplace? I have an account on the server but don’t have an absolute URL to it. Can you please give us some hints on getting back our feeds? Thanks!
November 16th, 2009 at 5:49 pm
Jen, your saved feeds are quite safe. Email me your username - mikek01 at telkomsa dot net - And I’ll email your saved data back to you.
November 16th, 2009 at 6:12 pm
Mike,
I deleted Wizz off my home machine but still have it installed at work. I know you’ve pulled it from download, but is there any way that I can copy the files from my work box so that I can reinstall it at home?
Thanks.
November 16th, 2009 at 6:38 pm
@Mike D: I will, over the next day or two, make two “vulnerability plugged” versions of Wizz RSS available through this blog.
One version will be a “vulnerability plugged” version of the current 3.1.0.4 code, for FF 3.5.n. The other will be a “vulnerability plugged” beta version for FF 3.6.
November 16th, 2009 at 6:44 pm
THERE REALLY IS A GOD!
Thanks, Mike. You’ve soothed my frazzled nerves.
November 16th, 2009 at 7:05 pm
Do I need to uninstall if I have 3.1.0? If so how do I do it? Please let me know when your new version is available. I have saved by exporting the opml code. Will that work?
Thanks,
Mary Ann
November 18th, 2009 at 8:56 pm
I uninstalled Wizz RSS a long time ago, and yet I still see the message every time I log in. If you have any tips on how I can stop seeing this message, that would be awesome. I have no interest in being warned about something that I haven’t really ever used.
November 18th, 2009 at 9:40 pm
@Ann: As far as I know, if you uninstall Wizz RSS, there is no way that the Welcome page can be displayed. Having said that, it also true that over the years many different people have complained about the same thing. Honestly, I have absolutely no idea what causes it. I have in the past been accused of coding something in Wizz RSS that prevents it from being uninstalled, which is certainly not true.
November 18th, 2009 at 9:43 pm
@MAO: Sorry, I seem to have missed your comment
A new version is now available - http://wizzrss.blat.co.za/2009/11/17/vulnerability-safe-versions/
December 8th, 2009 at 11:14 pm
How do I un-install?
December 9th, 2009 at 8:47 am
@Dave: Please see http://www.wizzrss.com/helpwiki/index.php/Uninstalling_Wizz_RSS
January 16th, 2010 at 9:08 pm
Mike - Thanks for all the hard work through the years. I use WIZRSS daily - could not live without it. I’ve installed 3.1.0.5 to fix the vulnerability. I know you said you cannot guarantee anything but you seem like a very smart person so can you somewhat qualify the risk of continuing to use 3.1.0.5 as “extremely small” “very small” “somewhat small”. Just so that we can assess to what extent things have been fixed - MANY THANKS!!!!!!
January 17th, 2010 at 8:06 am
@Joe: I have implemented nsIScriptableUnescapeHTML.parseFragment() as recommended by the self-proclaimed Firefox “security experts” (Who obviously don’t have much of a clue). Due to the fact that the implementation of nsIScriptableUnescapeHTML.parseFragment() caused previously plugged vulnerabilities in the Wizz RSS code to reappear, I have also left the old “sanitizing” code in place. This means that the Wizz RSS code now has two levels of sanitization (Which makes reading feeds quite a bit slower). Of course that doesn’t address the question of: Just how good those two levels of protection are.
I’m not, nor have I ever claimed to be, a security expert. It seems to take a malicious mind to be a security expert, and I’ve never had a malicious mind (Thankfully). Having said that, I’d guess that the risk associated with using Wizz RSS is extremely small, and it is definitely smaller than other Firefox add-ons that are relying solely on nsIScriptableUnescapeHTML.parseFragment() to sanitize potentially malicious code (As per Mozilla’s recommendation).
I have also made various people aware of the fact that nsIScriptableUnescapeHTML.parseFragment() is not watertight. The people I have made aware are “real” security experts (Unlike the self-proclaimed Firefox security experts). Hopefully they will fully assess the extent of the “holes” in nsIScriptableUnescapeHTML.parseFragment() and pass that information along to the Firefox development bunch, who, in turn, will hopefully plug the holes. Of course there is no guarantee that that will actually happen, but if it does, future releases of Firefox will make nsIScriptableUnescapeHTML.parseFragment() more watertight, which will automatically be inherited by the Wizz RSS code.