Re: Browsers and OS's

[Justin Sipher <jsipher () SKIDMORE EDU>]

Thanks all (so far).  I agree that there are two sides to the
equation regarding the potential vulnerability of having the OS and
the Browser tied closely together.  On one side is "it's better"
because it can ease updating and user notification.  On the other
side is "it's worse" because with ties to the OS come additional ways
for holes in the browser to allow for more catastrophic holes into
the OS.

The suggestion of being able to use web server's ability to assess
browser type and version is a good one and one that we actually
discusses earlier today.  Is anyone actually doing this?  If I come
to any/all of the college web pages/apps and do so with an out of
date browser it takes the request and redirects the return page to an
applicable page with info/links/directions on getting up to date?
Seems like a neat idea, but again curious if anyone has actually done
this (obviously for computer that fall in the institutions IP space).

...Justin
_______________________________________________________
  Justin Sipher
  Chief Technology Officer
  Skidmore College
  Saratoga Springs, NY
  jsipher () skidmore edu
  518-580-5909
_______________________________________________________

On Oct 4, 2005, at 12:12 PM, Joe St Sauver wrote:

> Hi Justin,
>
> You raised the issue:
>
> #In a nutshell, there is a belief that a browser tied to an
> #OS (IE for Windows, Safari for MacOS) allow for better security
> #because of the ability through the OS to let the users  (a) know when
> #there is an update to the browser and (b) assist with the download/
> #install.
>
> In the ideal world, *all* products on a workstation would be
> scanned for
> currency (and patched if necessary) using a patch management product.
>
> In reality, however, most patch management products are either
> breathtakingly expensive for campus-sized audiences, or quite limited
> in the products that they track (and as we all know, campus audiences
> tend to have particularly eclectic tastes relative to the corporate
> environment).
>
> When it comes to browsers, however, you have more options than for
> most apps.
>
> For example, you could do browser sniffing on your institutional
> home page,
> and when you see an out-of-date browser connect from institutional
> IP space,
> besides showing the normal content, nag the user to upgrade (publicly
> spirited institutions may elect to nag regardless of the origin of the
> connection).
>
> If users find the process of upgrading daunting, one could envision
> little
> "hand holding" how-to-do-it videos built with something like
> Camtasia Studio
> or an equivalent make-a-movie-out-of-a-series-of-steps-on-screen
> product.
>
> I don't think that the upgrade issue has to be/should be a deal
> breaker for
> an alternative browser deployment.
>
> #The challenges is that we also want to use Firefox for a
> #variety of purposes
>
> FWIW, we're heavily pushing Firefox and Thunderbird at Oregon at this
> point...
>
> #and there doesn't appear to be a way (on Firefox
> #for any OS) to have similar functionality.  So, the **real** concern
> #is someone downloads Firefox and is using it.  Then after time new
> #versions come out, the end user doesn't (a) know about it and (b)
> #doesn't actually do the upgrade and then we have a potential security
> #hole.  Firefox for "techies" isn't the concern, it is the use by the
> #common person that has some concerned.
>
> Current versions of Firefox have the "little red arrow" its-time-to-
> upgrade
> thingee in the menu bar, but IMO that hint is rather understated
> given its
> importance.
>
> From a user-interface-design point of view, important tasks that
> require
> attention should be insistent and "in your face" (and automatic)
> unless
> overridden, not something that's optional/easily disregarded:
>
>    tink, "LOCA in main coolant loop. Shut down your nuclear reactor
> now?
>            <yes> <NO> <ask me again in 1 day>"
> vs.
>
>    blaring klaxons, flashing lights, and a *very* brief opportunity to
>    override/abort before an *automatic* scram occurs...
>
> But let's come back to the fundamental issue of browser choice and
> vulnerabilities. What does Secunia say?
>
> -- MS Internet Explorer 6.x ( http://secunia.com/product/11/ ):
>
>    "Microsoft Internet Explorer 6.x with all vendor patches
> installed and
>    all vendor workarounds applied, is currently affected by one or
> more
>    Secunia advisories rated *Highly critical*" [emphasis in the
> original]
>
>    and
>
>    "Currently, 20 out of 86 Secunia advisories, is marked as
> "Unpatched"
>    in the Secunia database."
>
> -- Mozilla Firefox 1.x ( http://secunia.com/product/4227/ )
>
>    "Mozilla Firefox 1.x with all vendor patches installed and all
> vendor
>    workarounds applied, is currently affected by one or more Secunia
>    advisories rated *Less critical*" [emphasis in original]
>
>    and
>
>    "Currently 3 out of 24 Secunia advisories, is marked as "Unpatched"
>    in the Secunia database."
>
> [Oh yes... and also check out Opera 8.x while you're there...
> http://secunia.com/product/4932/ :-)]
>
> When you get right down to it, it is great that IE has integrated
> patch
> nagging/updating, but if patches for known vulnerabilities aren't
> available,
> well, you know.
>
> Regards,
>
> Joe St Sauver, Ph.D. (joe () uoregon edu)
> Director, User Services and Network Applications
> University of Oregon Computing Center
>
> [Disclaimer: while I am co-chair of the Educause Security Effective
> Practices
> Working Group with Gary Dobbins of Notre Dame, this note does not
> express the
> opinion of that working group. Mention of a particular product
> should not be
> taken as excluding other potentially equally efficacious products.
> YMMV. etc.]