Open Andreas-Schniertshauer opened 3 years ago
champnic
commented
3 years ago Hey @Andreas-Schniertshauer - Is there a reason you need the version of the installer? In general for WebView2 you just need to know the SDK version of the nuget package, and the runtime version (sometimes). The installer version doesn't usually matter that much, and it typically updates itself even if you start with an older version.
Andreas-Schniertshauer
commented
3 years ago @champnic Yes, I need the version for Escrow documentation.
champnic
commented
3 years ago Gotcha - I've added this as a feature request on our backlog, but speaking candidly I don't think we'll be able to get to this work for a while.
robinsonns508pm
commented
3 years ago I can tell you we are not going to allow the installer in the enterprise without versioning and release notes. SAFECode Software Supply Chain Integrity should be important for a component of this type. References: NIST SP 800-53; CWE-505; CWE-506; CWE-507; CWE-510; CWE-511
champnic
commented
3 years ago Thanks for the info @robinsonns508pm - I'm forwarding to our installer team who may have more info.
champnic
commented
3 years ago @robinsonns508pm Is your concern that Microsoft is introducing a Trapdoor, Time bomb, or Trojan Horse through the installer? Or that the installer would get replaced by a malicious actor with a Trapdoor, Time bomb, or Trojan Horse?
robinsonns508pm
commented
3 years ago Yes. Both scenarios are possible. More likely there is a vulnerability that team is unaware of and no way beyond file checksum to identify the binaries and remove from the IT environment. Not providing basic version control does not reflect well upon the maturity of this product or ability to trust the team understands or has considered the lifecycle dependencies in large enterprise environments.
From another perspective, would the team like to see a CVE Zero-day notice for the product that applies to all versions of the product and confuses all customers, or a specific version of the installer that could refer to a previous version already patched?
From: Nic Champagne Williamson [MSFT] @.> Sent: Monday, September 20, 2021 12:51 PM To: MicrosoftEdge/WebView2Feedback @.> Cc: Robinson, Norman @.>; Mention @.> Subject: Re: [MicrosoftEdge/WebView2Feedback] Missing MicrosoftEdgeWebView2RuntimeInstallerX64.exe version number and release history (#1739)
@robinsonns508pmhttps://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Frobinsonns508pm&data=04%7C01%7CRobinsonN%40state.gov%7C6ef1e0dee1ca4568a32e08d97c56f98d%7C66cf50745afe48d1a691a12b2121f44b%7C0%7C0%7C637677535281604280%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=I%2BIoExy1pfrgLYFV1YeW0hI8SZC7tWvNUV5WcBF6Fsk%3D&reserved=0 Is your concern that Microsoft is introducing a Trapdoor, Time bomb, or Trojan Horse through the installer? Or that the installer would get replaced by a malicious actor with a Trapdoor, Time bomb, or Trojan Horse?
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHubhttps://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FMicrosoftEdge%2FWebView2Feedback%2Fissues%2F1739%23issuecomment-923101323&data=04%7C01%7CRobinsonN%40state.gov%7C6ef1e0dee1ca4568a32e08d97c56f98d%7C66cf50745afe48d1a691a12b2121f44b%7C0%7C0%7C637677535281604280%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=vF7ebY3QvYoTbpIlwKtxkMjpujAlNGktsU%2F0FiP1Drc%3D&reserved=0, or unsubscribehttps://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAC3NXDMTFQWNJZM6LLOGG6TUC5Q7NANCNFSM5D74X5GA&data=04%7C01%7CRobinsonN%40state.gov%7C6ef1e0dee1ca4568a32e08d97c56f98d%7C66cf50745afe48d1a691a12b2121f44b%7C0%7C0%7C637677535281614235%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=wJ2NGCK6bzsmndudca9w%2B%2BTDSItr2EFDoaC48IDOFo8%3D&reserved=0. Triage notifications on the go with GitHub Mobile for iOShttps://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fapps.apple.com%2Fapp%2Fapple-store%2Fid1477376905%3Fct%3Dnotification-email%26mt%3D8%26pt%3D524675&data=04%7C01%7CRobinsonN%40state.gov%7C6ef1e0dee1ca4568a32e08d97c56f98d%7C66cf50745afe48d1a691a12b2121f44b%7C0%7C0%7C637677535281624192%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=7XjOZtBkY2ZmtgbPXgfdffbkIzaV49kfcoZ3M6%2F3bnE%3D&reserved=0 or Androidhttps://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fplay.google.com%2Fstore%2Fapps%2Fdetails%3Fid%3Dcom.github.android%26referrer%3Dutm_campaign%253Dnotification-email%2526utm_medium%253Demail%2526utm_source%253Dgithub&data=04%7C01%7CRobinsonN%40state.gov%7C6ef1e0dee1ca4568a32e08d97c56f98d%7C66cf50745afe48d1a691a12b2121f44b%7C0%7C0%7C637677535281624192%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=4uZ8%2FtpT95ZFAYaynIakpww3E%2Fi%2BSZHrJZ4vgLv0cTg%3D&reserved=0.
champnic
commented
3 years ago Here's the info that the installer team provided: "The CVE history, version history, and release notes are the same for WebView2 and Edge.
Available here - CVEs: Release notes for Microsoft Edge Security Updates | Microsoft Docs Feature notes: Microsoft Edge release notes for Stable Channel | Microsoft Docs
If customers want to manage WebView2 updates, they will be able to start doing so around October when we begin publishing all WebView2 updates to WSUS/Catalog."
@Andreas-Schniertshauer / @robinsonns508pm - Does this work for you? Note that this info is for the runtime that the installer installs, and not the installer itself. Do you also need this info the the installer itself?
Bond007s
commented
3 years ago @champnic , That would be great for our system. WSUS catalog publishing is a requirement of using it in a secure environment.
Andreas-Schniertshauer
commented
3 years ago @champnic I need the version and history of the evergreen installer because that is the tool that I download and use to install the WebView2 component and must mention in the documentation.
Bond007s
commented
3 years ago @champnic , Has there been any update on timeframe for WSUS integration? We are waiting to use it until then even though we have a vendor requesting it be setup. Part of this resolves around compliance requirements for our air-gapped networks.
champnic
commented
3 years ago @liminzhu Do you have a timeline update on WSUS for @Bond007s ?
liminzhu
commented
3 years ago @Bond007s @champnic should be very soon, likely end of this/early next month.
Bond007s
commented
2 years ago @liminzhu , I have not seen it in our WSUS server. Is there an update on availability? One of our vendors is asking us to install it. We cannot until this is met.
liminzhu
commented
2 years ago @Bond007s you should be able to see it here - https://www.catalog.update.microsoft.com/Search.aspx?q=webview2.
exaiwitmx
commented
1 year ago Here's the info that the installer team provided: "The CVE history, version history, and release notes are the same for WebView2 and Edge.
Available here - CVEs: Release notes for Microsoft Edge Security Updates | Microsoft Docs Feature notes: Microsoft Edge release notes for Stable Channel | Microsoft Docs
@champnic If I understand that right, the version numbers of Standalone Microsoft Edge and WebView2 runtime are the same? So, if Release notes for Microsoft Edge Security Updates states that a vulnerability has been fixed in a specific stable channel version of Microsoft Edge, I can safely assume that it has also been fixed in a WebView2 Runtime having the same version number?
champnic
commented
1 year ago @champnic If I understand that right, the version numbers of Standalone Microsoft Edge and WebView2 runtime are the same? So, if Release notes for Microsoft Edge Security Updates states that a vulnerability has been fixed in a specific stable channel version of Microsoft Edge, I can safely assume that it has also been fixed in a WebView2 Runtime having the same version number?
Yes, that's correct.
Hello, I can't find a page showing the release history and version numbers of the MicrosoftEdgeWebView2RuntimeInstallerX64.exe found here: https://developer.microsoft.com/en-us/microsoft-edge/webview2/#download-section e.g. today I downloaded MicrosoftEdgeWebView2RuntimeInstallerX64.exe the properties dialog of the exe shows version number 1.3.151.27, a few days ago I downloaded 1.3.145.49, but there is no info what has changed. Also the version of MicrosoftEdgeWebView2RuntimeInstallerX64.exe is not shown on the webpage, so as developer I must download the exe before I can see the version number, that is not very practicable. Is it possible to show the version number and a release history for MicrosoftEdgeWebView2RuntimeInstallerX64.exe? Thanks, Andreas.
AB#36193528