Category: security
May 31st, 2009
Microsoft sneaks in Firefox extension via Update
The good news is that Microsoft is writing extensions for Firefox. The bad news is, the Redmond giant is slipping the extension onto systems without notifying users and making it difficult to get rid of the extension. Even worse? It’s an extension that allows Web sites to install software onto users’ PCs behind the scenes — meaning that Firefox users on Windows may not be as safe as they think.
Brian Krebs, who originally recommended the .NET Framework security update that sneaks the extension into Firefox, writes:
“Anyway, I’m sure it’s not the end of the world, but it’s probably infuriating to many readers nonetheless. Firstly — to my readers — I apologize for overlooking this… “feature” of the .NET Framework security update. Secondly — to Microsoft — this is a great example of how not to convince people to trust your security updates.”
Krebs is right: it’s not the end of the world. But it seems like a violation of user trust to monkey with a third-party program — and to top it off by making it difficult to remove the extension without editing the Windows Registry. By using the update mechanism to sneak software onto the system, Microsoft is telling security-conscious users to be suspicious of updates and to deploy them only after they’ve been widely vetted, or to choose a more trustworthy vendor.
As a Linux user, it makes little difference to me what Microsoft does via Windows Update – users on openSUSE and other Linux distros can see exactly what updates will do to their system, down to the source code, if they choose to take the time.
But, failing a source code audit, Microsoft could at least provide a full disclosure of the packages and features modified when a user runs Windows Update. Without that, users should be wary indeed of trusting Microsoft’s updates — and lacking a trust relationship for security updates, users should be wary of running Windows in the first place.
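The extension the post describes is registered through the Windows Registry rather than installed from inside Firefox, which is why it cannot be removed from the Add-ons manager. The PowerShell script below is an added example, not part of the original post and not Microsoft or Mozilla code. It assumes only the documented Mozilla mechanism for externally registered extensions: a value under the `SOFTWARE\Mozilla\Firefox\Extensions` key (in HKLM or HKCU, plus the Wow6432Node view for 32-bit Firefox on 64-bit Windows) whose name is the extension ID and whose data is the directory holding the extension’s files. The function name `Get-RegistryFirefoxExtension` is my own. The script only reports; it changes nothing.

```powershell
# Added example (not from the original post): audit Firefox extensions that were
# registered through the Windows Registry instead of being installed by the user.
# Mozilla's mechanism: a value under SOFTWARE\Mozilla\Firefox\Extensions whose
# name is the extension ID and whose data is the path to the extension directory.
# Extensions registered this way appear in Firefox but cannot be removed from the
# Add-ons manager; only deleting the registry value removes them.

$registryPaths = @(
    'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions',
    'HKLM:\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions',  # 32-bit Firefox on 64-bit Windows
    'HKCU:\SOFTWARE\Mozilla\Firefox\Extensions'
)

function Get-RegistryFirefoxExtension {
    # Returns one object per registry-registered extension, in every hive it checks.
    foreach ($keyPath in $registryPaths) {
        if (-not (Test-Path -Path $keyPath)) { continue }
        $key = Get-Item -Path $keyPath
        foreach ($valueName in $key.GetValueNames()) {
            if ([string]::IsNullOrEmpty($valueName)) { continue }   # skip the (Default) value
            $location = [string]$key.GetValue($valueName)
            [PSCustomObject]@{
                Hive        = $keyPath
                ExtensionId = $valueName
                Location    = $location
                # A missing directory means the registry entry is stale: the files
                # are gone but Firefox is still told to look for them.
                PathExists  = ($location -ne '' -and (Test-Path -LiteralPath $location))
            }
        }
    }
}

# Report everything registered outside the normal Firefox install path.
Get-RegistryFirefoxExtension | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so the HKLM keys are readable. The `Location` column tells you which installer dropped each entry; the ID of the specific extension discussed in the post is not given here, so match on that path rather than on a hard-coded ID. Removing an entry is a single `Remove-ItemProperty -Path <Hive> -Name <ExtensionId>` followed by a Firefox restart, after which Firefox stops loading it.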
February 2nd, 2009
More FOSS security scare-mongering
With all the talk of open source and the Obama administration, it shouldn’t come as any surprise that the scare-mongering around FOSS security is going to be close behind — and here’s part of the first wave, fresh from Ernest M. Park.
Park is using a single data point (the Debian SSL issue from last spring) to try to build uncertainty around the readiness of FOSS for government work, even though he admits proprietary software may be no more secure than FOSS. Here’s what Park has to say:
“Now one of the arguments for open source is that there are more eyes looking over the code, since the code is openly available to be reviewed and changed by the community. This is true and one of the reasons that this bug was discovered. The open source system of discovering bugs is beneficial in that the number of people reviewing the code is far greater than proprietary software. But as the Debian OpenSSL case shows us, it might take up to two years before it is discovered or at least published. Within the past two years, this bug may have already been discovered and not published, with the finder exploiting the bug for all that time. The problem with community review is that it is a voluntary choice and not an obligation.”
The problem with Park’s argument is this: access to code is not necessary for the discovery of vulnerabilities. Plenty of security holes are discovered in proprietary products without the results being published, and plenty of security holes have existed in proprietary products and been exploited long before a fix was available.
If Park wants to raise concerns about software security, he might start by asking if Microsoft is ready for government work.
Joe 'Zonker' Brockmeier is a longtime FOSS advocate, and currently works for Novell as the community manager for openSUSE. Prior to joining Novell, Brockmeier worked as a technology journalist covering the open source beat for a number of publications, including Linux Magazine, Linux Weekly News, Linux.com, UnixReview.com, IBM developerWorks, and many others.