Educause Security Discussion mailing list archives

Re: Upgrading Eudora clients due to recent vulnerability


From: Joe St Sauver <JOE () OREGON UOREGON EDU>
Date: Thu, 10 Feb 2005 12:43:52 -0800

Hi,

#Is anyone else in a university (primarily decentralized) environment with a
#large number of installed Windows Eudora clients currently grappling with
#how best to get all of the systems upgraded due to the vulnerability
#recently discovered by NGSSoftware present in all versions prior to 6.2.1?

We're in that sort of environment. For us, for Eudora, the issue is
partially that:

-- folks may have paid for an earlier version

-- having paid once, they may be loath to upgrade to a current/secure
   version that means they either (a) need to pay again, or (b) subjects
   them to those odd portable dog-shower ads, or (c) requires them to
   be willing to accept a less feature-ful interface (is this unrealistic
   on their part? perhaps yes, but it is no less real as a phenomenon
   for that).

Having made *that* non-choice, i.e., to not update, they then continue
running their old paid-for version that *will* eventually end up causing
security issues.

I also don't know about you, but efforts to drift them towards something
more like Thunderbird are often met with resistance, and the thought of
them self-directing towards Outlook/Outlook Express as an alternative
also makes my eyebrows go up.

#Are other schools not concerned with the vulnerability and ignoring the
#issue, or just sending out awareness alerts, etc.  Any information or
#guidance would be appreciated since we haven't seen any chatter on this
#topic in the usual places.

We've been working on that one, but if we're like other sites, we're also
working hard to get users to apply...

-- the <N> Windows XP critical updates for the month

-- upgrades to their MS Office installations as well as upgrades to the OS
   and browser (but that I had two bits for every time someone said,
   "What do you mean I *also* need to run Office Update separately? Why didn't
   Windows Update do those updates, too?")

-- fixes for the Symantec vulnerabilities announced over the last day or two,

-- upgrades to Java,

-- fixes for the IDN phishing issues, the popup injection phishing issues,
   and all the other phishing related stuff in circulation,

-- anti-spyware measures,

-- etc., etc., etc.

My conclusion? There are *too many* things with gaping holes. Users, even
very conscientious users for whom updating their PC software is their
#1 priority, *will* fail to get at least *some* key updates successfully
applied for at least *some* installed products.

Users are burning out hearing about critical vulnerability after critical
vulnerability after critical vulnerability, and yet that's what they're
facing.

Because of that, I've begun looking for agent based solutions that can
check EVERYTHING installed on a user's box, and then give the user a
report that says, "Hey, you know what? You need to apply 8 critical updates
to XP." "You need to upgrade Eudora. The new version will cost $<foo>."
"You need to manually request that NAV update its components."
"You know that music player app a friend recommended? It has
vulnerabilities, and unfortunately there's no patch available for it yet.
Remove it or stop using it until there is a corrected version."
"Hey, there's a fix for <XYZ> but I notice that you're also using <DEF>
and if you fix <XYZ>, you're going to break <DEF>. The problem with <XYZ>
is bad enough that we recommend you install the fix even if it breaks
<DEF>." etc., etc., etc.

Followed by "Push <go> to implement all the recommendations mentioned
above now."

This becomes particularly key as you move some products away from the
one true MS path. For example, if you replace IE with Firefox (and please
don't take this as a shot at Firefox, because I *do* like Firefox and I *do*
think it is vastly preferable to IE), obviously (at least to you and me)

  -- Windows Update is NOT going to automatically check Firefox for
     needed updates, and

  -- Windows Update is NOT going to automatically get and *install* that
     needed update for the user, if one is needed.

Users need to handle that independently of the Windows Update process (and
that "Check for New Version" button/process is not as prominent in Firefox
(and many, many, many other products, for that matter) as it really needs
to be these days).

Multiply by the dozens or hundreds or thousands of programs in use on your
campus. :-)

I'd really be interested if anyone's found my fantasy agent-based "tell
users which of all their applications need to be updated"-type application
(particularly if it is open source or cheap enough that I can afford it
for everyone who needs it on campus!)

Regards,

Joe St Sauver (joe () oregon uoregon edu)
Director, User Services and Network Applications
University of Oregon Computing Center

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.
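The "check EVERYTHING installed on a user's box" agent Joe describes above, reduced to its version-comparison core, as an added example that is not part of the original post or of any product. It takes an inventory of installed products and a table of advisories, decides per product whether the installed version is below the first fixed one, and produces the three kinds of recommendation the post lists: upgrade (with any cost or manual step noted), remove or stop using it when no fix exists yet, and "this fix breaks that other product, apply it anyway if the hole is critical". The inventory, the advisory table, the severities and the product names (including the post's <XYZ>/<DEF> placeholders) are constructed sample data; a real agent would read the inventory from the registry or installer database and the advisories from a feed.

```python
"""Version-check core of a "tell me what needs updating" agent.

Constructed example: the inventory and advisory table below are made-up
sample data, not real advisories or a real vulnerability database.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '6.2.1' into (6, 2, 1) so that 6.10 sorts after 6.9.

    Plain string comparison would put '6.10' before '6.9'; comparing tuples
    of integers does not. Non-numeric tokens such as 'beta' are ignored.
    """
    return tuple(int(tok) for tok in re.findall(r"\d+", version))


@dataclass
class Advisory:
    product: str
    fixed_in: Optional[str]          # first non-vulnerable version; None = no fix yet
    severity: str                    # "critical" or "moderate"
    note: str = ""                   # upgrade cost or manual step, if any
    breaks: List[str] = field(default_factory=list)  # products this fix is known to break


@dataclass
class Finding:
    product: str
    installed: str
    action: str                      # "upgrade", "remove_or_stop" or "ok"
    message: str
    caveats: List[str] = field(default_factory=list)


def is_vulnerable(installed: str, fixed_in: Optional[str]) -> bool:
    """Vulnerable if no fix exists at all, or if installed < fixed_in."""
    if fixed_in is None:
        return True
    return parse_version(installed) < parse_version(fixed_in)


def assess(inventory: Dict[str, str], advisories: Dict[str, Advisory]) -> List[Finding]:
    """Match every installed product against the advisory table."""
    findings: List[Finding] = []
    for product, installed in inventory.items():
        adv = advisories.get(product)
        if adv is None or not is_vulnerable(installed, adv.fixed_in):
            findings.append(Finding(product, installed, "ok",
                                    f"{product} {installed}: no known issue."))
            continue
        if adv.fixed_in is None:
            # No corrected version exists: the only mitigation is not to run it.
            findings.append(Finding(product, installed, "remove_or_stop",
                f"{product} {installed} has {adv.severity} vulnerabilities and no patch "
                "is available yet. Remove it or stop using it until there is a corrected version."))
            continue
        caveats = []
        for victim in adv.breaks:
            if victim in inventory:          # only warn about conflicts that actually exist
                if adv.severity == "critical":
                    caveats.append(f"the fix will break {victim}; the {product} problem is "
                                   f"bad enough that we recommend installing it anyway")
                else:
                    caveats.append(f"the fix will break {victim}; decide before applying")
        message = f"You need to upgrade {product} from {installed} to {adv.fixed_in}"
        if adv.note:
            message += f" ({adv.note})"
        findings.append(Finding(product, installed, "upgrade", message + ".", caveats))
    # Worst news first: unfixable products, then upgrades, then the all-clear.
    order = {"remove_or_stop": 0, "upgrade": 1, "ok": 2}
    findings.sort(key=lambda f: (order[f.action], f.product))
    return findings


def render(findings: List[Finding]) -> str:
    """The user-facing report, ending in the one-button offer the post asks for."""
    lines = []
    for f in findings:
        lines.append(f"[{f.action}] {f.message}")
        for caveat in f.caveats:
            lines.append(f"    caveat: {caveat}")
    if any(f.action != "ok" for f in findings):
        lines.append('Push <go> to implement all the recommendations mentioned above now.')
    return "\n".join(lines)


SAMPLE_INVENTORY: Dict[str, str] = {          # constructed: product -> installed version
    "Eudora": "6.1.2",
    "Firefox": "1.0",
    "MusicPlayer": "3.4",                     # stand-in for "that music player app a friend recommended"
    "XYZ": "1.5",                             # the post's <XYZ>/<DEF> placeholders
    "DEF": "2.2",
}

SAMPLE_ADVISORIES: Dict[str, Advisory] = {    # constructed advisory table
    "Eudora": Advisory("Eudora", fixed_in="6.2.1", severity="critical", note="paid upgrade"),
    "Firefox": Advisory("Firefox", fixed_in="1.0", severity="critical"),
    "MusicPlayer": Advisory("MusicPlayer", fixed_in=None, severity="critical"),
    "XYZ": Advisory("XYZ", fixed_in="2.0", severity="critical", breaks=["DEF"]),
}

if __name__ == "__main__":
    print(render(assess(SAMPLE_INVENTORY, SAMPLE_ADVISORIES)))
```

Two design points worth noting: the advisory table records the first *fixed* version rather than a list of affected ones, so a product the agent has never seen a version of is still handled correctly (anything below the fix is flagged), and the conflict check only fires when the product a fix would break is actually installed, which keeps the report from drowning users in warnings about software they don't have.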
