Educause Security Discussion mailing list archives
Re: Upgrading Eudora clients due to recent vulnerability
From: Joe St Sauver <JOE () OREGON UOREGON EDU>
Date: Thu, 10 Feb 2005 12:43:52 -0800
Hi,

#Is anyone else in a university (primarily decentralized) environment with a
#large number of installed Windows Eudora clients currently grappling with
#how best to get all of the systems upgraded due to the vulnerability
#recently discovered by NGSSoftware present in all versions prior to 6.2.1?

We're in that sort of environment. For us, for Eudora, the issue is
partially that:

-- folks may have paid for an earlier version
-- having paid once, they may be loath to upgrade to a current/secure
   version that means they either (a) need to pay again, or (b) subjects
   them to those odd portable dog-shower ads, or (c) requires them to be
   willing to accept a less feature-ful interface (is this unrealistic on
   their part? perhaps yes, but it is no less real as a phenomenon for
   that).

Having made *that* non-choice, e.g., to not-update, they then continue
running their old paid-for version that *will* eventually end up causing
security issues.

I also don't know about you, but efforts to drift them towards something
more like Thunderbird are often met with resistance, and the thought of
them self-directing towards Outlook/Outlook Express as an alternative also
makes my eyebrows go up.

#Are other schools not concerned with the vulnerability and ignoring the
#issue, or just sending out awareness alerts, etc. Any information or
#guidance would be appreciated since we haven't seen any chatter on this
#topic in the usual places.

We've been working on that one, but if we're like other sites, we're also
working hard to also get users to apply...

-- the <N> Windows XP critical updates for the month
-- upgrades to their MS Office installations as well as upgrades to the
   OS and browser (but that I had two bits for every time someone said,
   "What do you mean I *also* need to run Office Update separately? Why
   didn't Windows Update do those updates, too?")
-- fixes for the Symantec vulnerabilities announced over the last day
   or two,
-- upgrades to Java,
-- fixes for the IDN phishing issues, the popup injection phishing issues,
   and all the other phishing related stuff in circulation,
-- anti-spyware measures,
-- etc., etc., etc.

My conclusion? There are *too many* things with gaping holes. Users, even
very conscientious users for whom updating their PC software is their #1
priority, *will* fail to get at least *some* key updates successfully
applied for at least *some* installed products.

Users are burning out hearing about critical vulnerability after critical
vulnerability after critical vulnerability, and yet that's what they're
facing.

Because of that, I've begun looking for agent based solutions that can
check EVERYTHING installed on a user's box, and then give the user a
report that says,

"Hey, you know what? You need to apply 8 critical updates to XP."

"You need to upgrade Eudora. The new version will cost $<foo>."

"You need to manually request that NAV update its components."

"You know that music player app a friend recommended? It has
vulnerabilities, and unfortunately there's no patch available for it yet.
Remove it or stop using it until there is a corrected version."

"Hey, there's a fix for <XYZ> but I notice that you're also using <DEF>
and if you fix <XYZ>, you're going to break <DEF>. The problem with <XYZ>
is bad enough that we recommend you install the fix even if it breaks
<DEF>."

etc., etc., etc.

Followed by "Push <go> to implement all the recommendations mentioned
above now."

This becomes particularly key as you move some products away from the one
true MS path.

For example, if you replace IE with Firefox (and please don't take this as
a shot at Firefox, because I *do* like Firefox and I *do* think it is
vastly preferable to IE), obviously (at least to you and me)

-- Windows Update is NOT going to automatically check Firefox for needed
   updates, and
-- Windows Update is NOT going to automatically get and *install* that
   needed update for the user, if one is needed.

Users need to handle that independently of the Windows Update process (and
that "Check for New Version" button/process is not as prominent in Firefox
(and many, many, many other products, for that matter) as it really needs
to be these days).

Multiply by the dozens or hundreds or thousands of programs in use on your
campus. :-)

I'd really be interested if anyone's found my fantasy agent-based "tell
users which of all their applications need to be updated"-type application
(particularly if it is open source or cheap enough that I can afford it
for everyone who needs it on campus!)

Regards,

Joe St Sauver (joe () oregon uoregon edu)
Director, User Services and Network Applications
University of Oregon Computing Center

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.
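
The per-machine report the message above asks for, as an added Python example that is not part of the original post or of any product it mentions. The inventory and advisory records are constructed (ExamplePlayer, ExampleSuite and ExamplePlugin are hypothetical names); only the Eudora fix version 6.2.1 comes from the thread.

```python
import re

# Constructed advisory feed. fixed_in=None means no patch exists yet.
ADVISORIES = [
    {"product": "Eudora", "fixed_in": "6.2.1"},
    {"product": "ExamplePlayer", "fixed_in": None},
    {"product": "ExampleSuite", "fixed_in": "2.0", "breaks": "ExamplePlugin"},
]

# Constructed inventory of one machine: product name -> installed version.
INVENTORY = {"Eudora": "6.2", "ExamplePlayer": "1.4", "ExampleSuite": "1.9",
             "ExamplePlugin": "0.3", "Firefox": "1.0"}

def parse_version(text):
    """'6.2.1' -> (6, 2, 1); compares numerically, so 6.10 sorts after 6.2."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

def is_older(installed, fixed):
    """True if installed predates the fixed release ('6.2' counts as 6.2.0)."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def build_report(inventory, advisories):
    """Return (product, action, message) for every installed product at risk."""
    findings = []
    for adv in advisories:
        name, fixed = adv["product"], adv.get("fixed_in")
        installed = inventory.get(name)
        if installed is None:
            continue  # advisory does not apply to this machine
        if fixed is None:
            findings.append((name, "remove",
                f"{name} {installed}: no patch available, remove or stop using it"))
        elif is_older(installed, fixed):
            msg = f"{name} {installed}: upgrade to {fixed} or later"
            if adv.get("breaks") in inventory:
                msg += f" (the fix breaks {adv['breaks']}; install it anyway)"
            findings.append((name, "upgrade", msg))
    return findings

def unchecked(inventory, advisories):
    """Installed products the feed says nothing about: unknown, not 'safe'."""
    covered = {adv["product"] for adv in advisories}
    return sorted(name for name in inventory if name not in covered)

if __name__ == "__main__":
    for _, _, message in build_report(INVENTORY, ADVISORIES):
        print(message)
    print("No advisory data for:", ", ".join(unchecked(INVENTORY, ADVISORIES)))
```

Products with no advisory data are listed separately so that gaps in the feed, such as software outside the Windows Update process, are not reported as up to date.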
Current thread:
- Upgrading Eudora clients due to recent vulnerability Robert Berlinger (Feb 10)
- <Possible follow-ups>
- Re: Upgrading Eudora clients due to recent vulnerability H. Morrow Long (Feb 10)
- Re: Upgrading Eudora clients due to recent vulnerability Joe St Sauver (Feb 10)
- Re: Upgrading Eudora clients due to recent vulnerability Valdis Kletnieks (Feb 10)
- Re: Upgrading Eudora clients due to recent vulnerability Gary Dobbins (Feb 11)
- Re: Upgrading Eudora clients due to recent vulnerability Wayne J. Hauber (Feb 14)
- Re: Upgrading Eudora clients due to recent vulnerability Robert Berlinger (Feb 14)
- Re: Upgrading Eudora clients due to recent vulnerability Wayne J. Hauber (Feb 16)
- Re: Upgrading Eudora clients due to recent vulnerability H. Morrow Long (Feb 23)
- Re: Upgrading Eudora clients due to recent vulnerability Robert Berlinger (Feb 24)