The web browser "insecurity iceberg"

Posted Jul 2, 2008 6:05 UTC (Wed) by ajft (guest, #52749)
Parent article: The web browser "insecurity iceberg"

Pretty much any company that puts Firefox into their SOE will have locked it (either the SOE
or the app.) so that it either doesn't auto-update or the staff don't have administrator
access so they can't apply the auto-update.  When you've got 5000 staff in a bank using
Firefox 2.0.12 to access some "only verified for version x and y" web application you don't
simply let the staff update software like it's their home PC.


The web browser "insecurity iceberg"

Posted Jul 2, 2008 8:12 UTC (Wed) by slef (subscriber, #14720)

> When you've got 5000 staff in a bank using Firefox 2.0.12 to access some "only verified for
version x and y" web application you don't simply let the staff update software like it's their
home PC.

...because breaking all staff terminals simultaneously is clearly the Right Way!

Don't laugh - I've seen that happen.  The Central IT Department usually won't test as fully as
real live staff doing real live work.  So there's a bug with the new browser that only appears
if you enter 0.00 (rather than 0) in the discount rate field on the web app - how would CITD
find that?

I feel you might as well let a few lemmings^Wvolunteers upgrade if they want to and maybe have
to use another terminal while their browser is downgraded or the web app is fixed.  The trick
is to monitor staff terminals so that you know who's upgraded what when.

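One concrete way to do the monitoring slef describes ("who's upgraded what when"), added here as an illustration and not code from the thread or from LWN: the internal web app's access log already records each terminal's User-Agent, so a small script can build a per-terminal browser-version history and flag terminals whose latest version is not on the "verified for" list. The Apache combined log format, the sample lines, the hosts and users, and the approved-version set are all constructed assumptions for this example. User-Agent is self-reported, so treat the report as a first-pass drift indicator rather than an authoritative inventory.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (Apache "combined" format is assumed);
# hosts, users, timestamps and requests are made up for this example.
SAMPLE_LOG = """\
10.1.2.10 - jsmith [02/Jul/2008:08:01:12 +0000] "GET /discounts HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12"
10.1.2.11 - akhan [02/Jul/2008:08:03:40 +0000] "GET /discounts HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12"
10.1.2.11 - akhan [03/Jul/2008:09:15:02 +0000] "GET /discounts HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9) Gecko/2008052906 Firefox/3.0"
10.1.2.12 - bwong [03/Jul/2008:09:20:55 +0000] "GET /discounts HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""

# The versions the web app is "verified for": an assumed policy value, not from the thread.
APPROVED_VERSIONS = {"2.0.0.12"}

# Apache combined format: host ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
FIREFOX_RE = re.compile(r'\bFirefox/(\d+(?:\.\d+)*)')


def parse_line(line):
    """Return (host, user, timestamp, firefox_version) for one log line,
    with firefox_version None for non-Firefox agents; None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    ff = FIREFOX_RE.search(m.group("ua"))
    return m.group("host"), m.group("user"), ts, (ff.group(1) if ff else None)


def inventory(log_text):
    """Per terminal (client host), the list of (timestamp, user, version) entries,
    one appended each time the observed browser version changes."""
    events = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    events.sort(key=lambda r: r[2])  # rotated logs may be concatenated out of order
    history = defaultdict(list)
    for host, user, ts, version in events:
        if not history[host] or history[host][-1][2] != version:
            history[host].append((ts, user, version))
    return dict(history)


def drift_report(inv, approved=APPROVED_VERSIONS):
    """Terminals whose most recently seen browser is not an approved Firefox version,
    as (host, user, version_or_'not Firefox', since) tuples sorted by host."""
    out = []
    for host, history in sorted(inv.items()):
        ts, user, version = history[-1]
        if version not in approved:
            out.append((host, user, version if version else "not Firefox", ts))
    return out


if __name__ == "__main__":
    inv = inventory(SAMPLE_LOG)
    for host, history in sorted(inv.items()):
        for ts, user, version in history:
            print(f"{host} {user:8} {ts:%Y-%m-%d %H:%M} Firefox/{version}")
    for host, user, version, ts in drift_report(inv):
        print(f"DRIFT {host} ({user}) runs {version} since {ts:%Y-%m-%d %H:%M}")
```

Run against a real access log by replacing SAMPLE_LOG with the file contents; the same history lets you see which terminals took part in a partial rollout and when, which is the bookkeeping the "let a few volunteers upgrade" approach depends on.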
The web browser "insecurity iceberg"

Posted Jul 3, 2008 12:25 UTC (Thu) by deleteme (guest, #49633)

> The trick is to monitor staff terminals so that you know who's upgraded what when.

Which makes this method fail; you can't do that. IT can never test everything. Doing partial
rollouts seems like a good idea, but I have never seen anyone doing it. My experience of
Windows desktops is only anecdotal, so maybe there are great tools for that now...

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds