Educause Security Discussion mailing list archives

Re: Browsers and OS's


From: Joe St Sauver <joe () OREGON UOREGON EDU>
Date: Tue, 4 Oct 2005 09:12:59 -0700

Hi Justin,

You raised the issue:

#In a nutshell, there is a belief that a browser tied to an
#OS (IE for Windows, Safari for MacOS) allows for better security
#because of the ability through the OS to let the users (a) know when
#there is an update to the browser and (b) assist with the download/
#install.

In the ideal world, *all* products on a workstation would be scanned for
currency (and patched if necessary) using a patch management product.

In reality, however, most patch management products are either
breathtakingly expensive for campus-sized audiences, or quite limited
in the products that they track (and as we all know, campus audiences
tend to have particularly eclectic tastes relative to the corporate
environment).

When it comes to browsers, however, you have more options than for most apps.

For example, you could do browser sniffing on your institutional home page,
and when you see an out-of-date browser connect from institutional IP space,
besides showing the normal content, nag the user to upgrade (publicly
spirited institutions may elect to nag regardless of the origin of the
connection).

If users find the process of upgrading daunting, one could envision little
"hand holding" how-to-do-it videos built with something like Camtasia Studio
or an equivalent make-a-movie-out-of-a-series-of-steps-on-screen product.

I don't think that the upgrade issue has to be/should be a deal breaker for
an alternative browser deployment.

#The challenge is that we also want to use Firefox for a
#variety of purposes

FWIW, we're heavily pushing Firefox and Thunderbird at Oregon at this
point...

#and there doesn't appear to be a way (on Firefox
#for any OS) to have similar functionality.  So, the **real** concern
#is someone downloads Firefox and is using it.  Then after time new
#versions come out, the end user doesn't (a) know about it and (b)
#doesn't actually do the upgrade and then we have a potential security
#hole.  Firefox for "techies" isn't the concern, it is the use by the
#common person that has some concerned.

Current versions of Firefox have the "little red arrow" it's-time-to-upgrade
thingee in the menu bar, but IMO that hint is rather understated given its
importance.

From a user-interface-design point of view, important tasks that require
attention should be insistent and "in your face" (and automatic) unless
overridden, not something that's optional/easily disregarded:

   tink, "LOCA in main coolant loop. Shut down your nuclear reactor now?
           <yes> <NO> <ask me again in 1 day>"
vs.

   blaring klaxons, flashing lights, and a *very* brief opportunity to
   override/abort before an *automatic* scram occurs...

But let's come back to the fundamental issue of browser choice and
vulnerabilities. What does Secunia say?

-- MS Internet Explorer 6.x ( http://secunia.com/product/11/ ):

   "Microsoft Internet Explorer 6.x with all vendor patches installed and
   all vendor workarounds applied, is currently affected by one or more
   Secunia advisories rated *Highly critical*" [emphasis in the original]

   and

   "Currently, 20 out of 86 Secunia advisories, is marked as "Unpatched"
   in the Secunia database."

-- Mozilla Firefox 1.x ( http://secunia.com/product/4227/ )

   "Mozilla Firefox 1.x with all vendor patches installed and all vendor
   workarounds applied, is currently affected by one or more Secunia
   advisories rated *Less critical*" [emphasis in original]

   and

   "Currently 3 out of 24 Secunia advisories, is marked as "Unpatched"
   in the Secunia database."

[Oh yes... and also check out Opera 8.x while you're there...
http://secunia.com/product/4932/ :-)]

When you get right down to it, it is great that IE has integrated patch
nagging/updating, but if patches for known vulnerabilities aren't available,
well, you know.

Regards,

Joe St Sauver, Ph.D. (joe () uoregon edu)
Director, User Services and Network Applications
University of Oregon Computing Center

[Disclaimer: while I am co-chair of the Educause Security Effective Practices
Working Group with Gary Dobbins of Notre Dame, this note does not express the
opinion of that working group. Mention of a particular product should not be
taken as excluding other potentially equally efficacious products. YMMV. etc.]
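The "browser sniffing on your institutional home page" idea from the message above, worked through as an added example (this is not code from the original post or from the University of Oregon). It assumes a server-side hook that receives the client's IP address and User-Agent header; the institutional network ranges (10.0.0.0/8 and 192.0.2.0/24), the minimum acceptable versions, and the sample requests are all constructed placeholders, not values from the thread.

```python
"""Decide whether to show an "upgrade your browser" nag on a home page.

Added example, not from the mailing-list post. Everything below that
looks like a real network, version or request is a constructed placeholder.
"""
import ipaddress
import re

# Constructed placeholder for institutional IP space (not Oregon's real ranges).
INSTITUTIONAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),
]

# Constructed minimum acceptable versions per browser family. A real
# deployment would refresh these from the vendor's release announcements.
MINIMUM_VERSIONS = {
    "Firefox": "1.0.7",
    "MSIE": "6.0",
}

# Version token as it appears in each family's User-Agent string.
UA_PATTERNS = [
    ("Firefox", re.compile(r"Firefox/(\d+(?:\.\d+)*)")),
    ("MSIE", re.compile(r"MSIE (\d+(?:\.\d+)*)")),
]


def parse_version(text, width=3):
    """'1.0.7' -> (1, 0, 7); '6.0' -> (6, 0, 0). Padding keeps tuples comparable."""
    parts = [int(p) for p in text.split(".")]
    parts.extend([0] * (width - len(parts)))
    return tuple(parts[:width])


def identify_browser(user_agent):
    """Return (family, version_tuple) from the User-Agent, or None if unrecognised."""
    for family, pattern in UA_PATTERNS:
        match = pattern.search(user_agent)
        if match:
            return family, parse_version(match.group(1))
    return None


def is_institutional(client_ip):
    """True when the client address falls inside one of the institutional ranges."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in INSTITUTIONAL_NETS)


def should_nag(user_agent, client_ip, nag_everyone=False):
    """Return (nag, reason).

    nag is True when a tracked browser older than its minimum version connects
    from institutional space (or from anywhere, when nag_everyone is set, which
    is the "publicly spirited institution" variant from the post).
    """
    if not nag_everyone and not is_institutional(client_ip):
        return False, "off-campus"
    found = identify_browser(user_agent)
    if found is None:
        return False, "unknown-browser"
    family, version = found
    minimum = parse_version(MINIMUM_VERSIONS[family])
    if version < minimum:
        seen = ".".join(map(str, version))
        want = ".".join(map(str, minimum))
        return True, f"{family} {seen} is older than {want}"
    return False, "current"


if __name__ == "__main__":
    # Constructed sample requests (IP, User-Agent), not captured traffic.
    samples = [
        ("10.1.2.3", "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.12) Gecko/20050915 Firefox/1.0.7"),
        ("10.1.2.3", "Mozilla/5.0 (X11; U; Linux i686; rv:1.7.10) Gecko/20050716 Firefox/1.0.6"),
        ("203.0.113.5", "Mozilla/5.0 (X11; U; Linux i686; rv:1.7.10) Gecko/20050716 Firefox/1.0.6"),
        ("192.0.2.9", "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"),
        ("10.0.0.1", "curl/7.15.0"),
    ]
    for ip, ua in samples:
        print(ip, should_nag(ua, ip))
```

Two caveats a practitioner would attach to this. The User-Agent header is supplied by the client and is trivially altered, so the check is a nudge toward patching, not an access control; anything that must actually be enforced belongs in a patch management or network admission system. And the institutional-range test should be fed the real client address (not a proxy or load balancer's), or the "off-campus" branch will misfire.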