Re: [Fed-Talk] Firefox self-update?
- Subject: Re: [Fed-Talk] Firefox self-update?
- From: Ron Colvin <email@hidden>
- Date: Wed, 29 Aug 2012 11:47:43 -0400
On 8/29/12 11:36 AM, David Emery wrote:
A big part of my concern is what you've identified: how to verify that the pushed update is legitimate? Wasn't there a recent problem with spoofing Adobe Flash updates?
There have been many cases reported about spoofed Flash installers. If Flash self-updates and the users are trained on the pattern, then they should not go looking for or approve Flash installers that show up, well, in theory at least.
I'm OK with apps asking to update (I'm not OK with having updates pushed to me automatically, and no matter how many times Adobe tries to change that preference, I'll cuss at them and change it back). Most of the apps I'm running require an Admin password when they do the update; that's the level of trust I find appropriate.
On a self-managed system where updates can be problematic I understand turning off the auto-update mechanism, but with the sheer number of security patches and exploits that are out there, a user who is not a technical security person will have a hard time keeping up unless prompted.
Drive-by exploits are very common, much less common on OS X, but we have seen them. For Flash and Adobe Reader, half the time exploits already exist in the wild by the time Adobe has released a patch. These exploits have rarely been targeted at OS X, but the exploits do exist.
Of course, if you're operating in an environment where end users don't have access to an Admin password, that's a Whole 'Nuther Thing.
(In the Windows world, my wife's company pushed out an update last week, which basically bricked her laptop while she was at offsite training. So she went back to her office and got them to fix it. But her co-worker who telecommutes from somewhere in India was Well and Truly Screwed, and had to FedEx her laptop to another part of India for repair. And I can't tell you how many times I've watched my wife or co-workers have updates pushed to their laptops when they're in the middle of doing real work, causing at least consternation and in some cases automatic rebooting and loss-of-work.)
Actually, this is one of the reasons I like pulls from the vendors rather than packaged updates in an Enterprise tool. The default on Windows 7 now is that a regular user can run Microsoft Update and get anything available from the mother ship. Enterprise tools can manage that list or turn off the capability.
dave
On Aug 29, 2012, at 11:22 , Ron Colvin <email@hidden> wrote:
There is way too much software on a standard computer to want to block approved software products from doing minor version updates, particularly when there are frequent security updates and malicious code in the wild. Most organizations already allow AV signatures to self-update, as well as Apple's malicious software list. Chrome updates itself at launch, and pushing a new Flash update for Safari and other browsers almost every month is not high on my list, especially in the case of laptops. From a risk perspective, how likely is allowing the vendor to self-update, or the user to do updates from the vendor without admin rights, to increase your risk more than not patching in a timely manner? If the application is trustworthy enough to have in your environment it should be trusted for updates until such time as it has been shown to be questionable. Then reconsider the use of the application altogether.
That said, any update mechanism should be resistant to spoofing. Is that really the latest update from Mozilla or is it malware? 10.8 and code signing should help with this.
There is a way to block auto-updates, at least on the Windows version of Firefox, inside the Firefox application directory. On the Mac it should be in the app bundle; just not sure how exactly. Though again, I don't think blocking it is a good idea.
On 8/29/12 11:01 AM, David Emery wrote:
So where does Firefox store its code? ~/Library/Application Support?
And isn't that A Bad Thing?
dave
p.s. is anyone else really bothered by the change in how ML Mail.app handles email accounts when replying to messages? It worked in Lion, and it's -badly broken- in Mountain Lion!
On Aug 29, 2012, at 10:45 , Joel Esler <email@hidden> wrote:
Firefox runs as a user, it doesn't need Admin.
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
--
********************************************************
Ron Colvin CISSP, CAP, CEH
Certified Security Analyst
NASA - Goddard Space Flight Center
<email@hidden>
Direct phone 301-286-2451
NASA Jabber (email@hidden) AIM rcolvin13
NASA LCS (email@hidden)
********************************************************
-----
David Emery, 703 298 3473 (c) 703 272 7496 (fax)
ASA(ALT) OCSE / SoSE Directorate