Re: Browsers and OS's

[Jeff Giacobbe <giacobbej () MAIL MONTCLAIR EDU>]

All-

Just as a point of information; the upcoming Firefox 1.5 (now in Beta 1
status and available for testing) supposedly has a MUCH improved
auto-update mechanism. Not only is the notification itself more
prominent to the user, but that actual update process only downloads the
pieces of the application that need updating - it's not a full
re-install of the entire application as is done currently.

Regarding Microsoft's integration of Internet Explorer as a "feature" of
the OS, this is a very very BAD decision from a security perspective.
The reason IE flaws are often so catastrophic is precisely because of
this deep embedding of the browser into the OS.

And if I may jump on the soapbox for a moment: Microsoft's decision to
"integrate" IE into the OS a number of years back was based not on any
technical merit, but rather as a way to force customers to use IE
instead of Netscape. In federal court (with a straight face) they
claimed that IE was not a stand alone application but rather a core
feature of the Windows OS. They said this even though IE was available
on retail shelves as a stand alone shrink-wrapped application for both
Windows 95/98 and MacOS.  I guess perjury is OK when you're a
multi-billionaire MS executive ;-)


BTW, Montclair State supports Firefox and Thunderbird as our officially
supported browser and email apps, though all web/email services we
provide to our users will work with any standards compliant email/web
application.

--
Jeff Giacobbe
Director of Systems, Security, Networking
Montclair State University



Jeni Li wrote:
> My experience with Firefox update notification has been pretty spotty too. It tells me updates are available when I've already 
> applied the updates; it tries to download theme/plug-in updates and fails; it tosses up messages that an end user might find 
> confusing. I prefer Firefox hands-down for every situation except those few obnoxious IE-only sites -- two words, AdBlock and RIP -- 
> but if keeping it updated on non-technical end users' systems is the goal, not so much. Unless maybe you're in an 
> environment where you can push out software updates using GPO or something.
>
>
> > -----Original Message-----
> > From: Jason Richardson [mailto:A00JER2 () WPO CSO NIU EDU]
> > Sent: Tuesday, October 04, 2005 12:10 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] Browsers and OS's
> >
> >
> > That is incorrect, I see a message roll up from the bottom right hand
> > side of the browser window notifying me that updates are available.
> > Then I click on the red icon in the upper right hand corner
> > to download
> > and apply the updates.  I am running the latest ver. (1.0.7)
> > but it has
> > done that for several versions now.
> >
> > ---
> > Jason Richardson
> > Manager, IT Security and Client Development
> > Enterprise Systems Support
> > Northern Illinois University
> >
> >
> > > > > lbrooks () CS FSU EDU 10/4/2005 10:29:39 AM >>>
> >
> > The only notification that Firefox gives that it needs to be
> > updated is
> > a
> > red icon in the upper right hand corner of the tool bar. It is easy to
> > miss.
> > In fact I usually will miss it unless I have seen a notification for
> > updates
> > on one of the security mailing lists.
> >
> > Louis Brooks
> > SAIT Labs
> > Florida State University
> >
> >
> > -----Original Message-----
> > From: Stephen W. Bradley [mailto:bradlesw () MUOHIO EDU]
> > Sent: Tuesday, October 04, 2005 11:18 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] Browsers and OS's
> >
> > Firefox has the option to periodically check for updates.
> >
> > I have personally never seen it work but it is under:
> >
> > Tools
> > Advanced
> > Software-update.
> >
> >
> > I leave mine checked all the time.
> >
> > steve
> >
> > -----Original Message-----
> > From: Justin Sipher [mailto:jsipher () SKIDMORE EDU]
> > Sent: Tuesday, October 04, 2005 10:49 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: [SECURITY] Browsers and OS's
> >
> > Folks,
> >
> > Hello.  I would welcome feedback/insight on an issue we are
> > discussing.  It relates to browser world and *potential* security
> > concerns.  In a nutshell, there is a belief that a browser tied to an
> >
> > OS (IE for Windows, Safari for MacOS) allow for better security
> > because of the ability through the OS to let the users  (a) know when
> >
> > there is an update to the browser and (b) assist with the download/
> > install.  The challenges is that we also want to use Firefox for a
> > variety of purposes and there doesn't appear to be a way (on Firefox
> > for any OS) to have similar functionality.  So, the **real** concern
> > is someone downloads Firefox and is using it.  Then after time new
> > versions come out, the end user doesn't (a) know about it and (b)
> > doesn't actually do the upgrade and then we have a potential security
> >
> > hole.  Firefox for "techies" isn't the concern, it is the use by the
> > common person that has some concerned.
> >
> > Has anyone else on other campuses talked about this and have insight
> > as to how you have or have not addressed the issue.  Are there ways/
> > systems out there to aid in this process?
> >
> > Thanks,
> > ...Justin
> >
> > _______________________________________________________
> >   Justin Sipher
> >   Chief Technology Officer
> >   Skidmore College
> >   Saratoga Springs, NY
> >   jsipher () skidmore edu
> >   518-580-5909
> > _______________________________________________________