Educause Security Discussion mailing list archives
Re: Browsers and OS's
From: Joe St Sauver <joe () OREGON UOREGON EDU>
Date: Tue, 4 Oct 2005 09:12:59 -0700
Hi Justin,

You raised the issue:

#In a nutshell, there is a belief that a browser tied to an
#OS (IE for Windows, Safari for MacOS) allow for better security
#because of the ability through the OS to let the users (a) know when
#there is an update to the browser and (b) assist with the download/
#install.

In the ideal world, *all* products on a workstation would be scanned for currency (and patched if necessary) using a patch management product. In reality, however, most patch management products are either breathtakingly expensive for campus-sized audiences, or quite limited in the products that they track (and as we all know, campus audiences tend to have particularly eclectic tastes relative to the corporate environment).

When it comes to browsers, however, you have more options than for most apps. For example, you could do browser sniffing on your institutional home page, and when you see an out-of-date browser connect from institutional IP space, besides showing the normal content, nag the user to upgrade (publicly spirited institutions may elect to nag regardless of the origin of the connection).

If users find the process of upgrading daunting, one could envision little "hand holding" how-to-do-it videos built with something like Camtasia Studio or an equivalent make-a-movie-out-of-a-series-of-steps-on-screen product.

I don't think that the upgrade issue has to be/should be a deal breaker for an alternative browser deployment.

#The challenge is that we also want to use Firefox for a
#variety of purposes

FWIW, we're heavily pushing Firefox and Thunderbird at Oregon at this point...

#and there doesn't appear to be a way (on Firefox
#for any OS) to have similar functionality. So, the **real** concern
#is someone downloads Firefox and is using it. Then after time new
#versions come out, the end user doesn't (a) know about it and (b)
#doesn't actually do the upgrade and then we have a potential security
#hole. Firefox for "techies" isn't the concern, it is the use by the
#common person that has some concerned.

Current versions of Firefox have the "little red arrow" its-time-to-upgrade thingee in the menu bar, but IMO that hint is rather understated given its importance.

From a user-interface-design point of view, important tasks that require attention should be insistent and "in your face" (and automatic) unless overridden, not something that's optional/easily disregarded: think, "LOCA in main coolant loop. Shut down your nuclear reactor now? <yes> <NO> <ask me again in 1 day>" vs. blaring klaxons, flashing lights, and a *very* brief opportunity to override/abort before an *automatic* scram occurs...

But let's come back to the fundamental issue of browser choice and vulnerabilities. What does Secunia say?

-- MS Internet Explorer 6.x ( http://secunia.com/product/11/ ):

"Microsoft Internet Explorer 6.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated *Highly critical*" [emphasis in the original]

and

"Currently, 20 out of 86 Secunia advisories, is marked as "Unpatched" in the Secunia database."

-- Mozilla Firefox 1.x ( http://secunia.com/product/4227/ )

"Mozilla Firefox 1.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated *Less critical*" [emphasis in original]

and

"Currently 3 out of 24 Secunia advisories, is marked as "Unpatched" in the Secunia database."

[Oh yes... and also check out Opera 8.x while you're there... http://secunia.com/product/4932/ :-)]

When you get right down to it, it is great that IE has integrated patch nagging/updating, but if patches for known vulnerabilities aren't available, well, you know.

Regards,

Joe St Sauver, Ph.D. (joe () uoregon edu)
Director, User Services and Network Applications
University of Oregon Computing Center

[Disclaimer: while I am co-chair of the Educause Security Effective Practices Working Group with Gary Dobbins of Notre Dame, this note does not express the opinion of that working group. Mention of a particular product should not be taken as excluding other potentially equally efficacious products. YMMV. etc.]
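The home-page "browser sniffing" nag described in the post, as an added example that is not part of the original message: it parses the Firefox version out of a User-Agent header, checks whether the client address falls in institutional IP space, and decides whether to show an upgrade nag. The campus address ranges and the minimum acceptable Firefox version are constructed assumptions, not values from the post.

```python
import ipaddress
import re
from typing import Optional, Tuple

# Constructed assumptions: documentation address ranges stand in for
# institutional IP space, and 1.0.7 stands in for "current" Firefox.
INSTITUTIONAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                      ipaddress.ip_network("2001:db8::/32")]
MIN_FIREFOX = (1, 0, 7)

_FIREFOX_RE = re.compile(r"Firefox/(\d+(?:\.\d+)*)")


def firefox_version(user_agent: str) -> Optional[Tuple[int, ...]]:
    """Return the Firefox version as a tuple of ints, or None if the
    User-Agent does not identify itself as Firefox."""
    m = _FIREFOX_RE.search(user_agent)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_institutional(client_ip: str) -> bool:
    """True if the client address lies inside one of the campus ranges."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # malformed address: treat as off-campus
    return any(addr in net for net in INSTITUTIONAL_NETS)


def should_nag(user_agent: str, client_ip: str,
               nag_everyone: bool = False) -> bool:
    """Decide whether the home page should add an upgrade nag.

    Only Firefox clients older than MIN_FIREFOX are nagged; by default
    only from institutional IP space, or from anywhere if nag_everyone
    is set (the "publicly spirited" option in the post)."""
    version = firefox_version(user_agent)
    if version is None:
        return False
    # Pad short versions ("1.0") so tuple comparison is component-wise.
    padded = version + (0,) * (len(MIN_FIREFOX) - len(version))
    if padded >= MIN_FIREFOX:
        return False
    return nag_everyone or is_institutional(client_ip)
```

The User-Agent is client-controlled, so this only ever drives an advisory nag, never an access decision.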