Silicon Shecky

Infosec Practitioner

Connect

The case for proper information or WHY CAN’T I UPGRADE THIS?

By Leave a Comment

Legacy OSes, Legacy systems. We all know that it sucks having them. We all have to deal with them. Software companies do not always account for them though.

When you work internally in a medium to large business change happens slowly at times. I recently ran into a weird issue due to slow change. I went to update my CarbonBlack Response server in the mindset of security and fixing a few annoying bugs. I have done these updates without issue in the past. So when I got an OpenJDK dependency error I was rather taken aback. I tried to update OpenJDK, no go. The repos this version of Linux is using had no update to openJDK (1.8.0.r92 is what I needed). I decided to get CB support involved. We eventually set up a Webex so they could see directly what was going on, since none of the fixes they had sent me worked.

Turns out that it was not documented that the Linux version we were on will not get that version of OpenJDK, or anything newer available for it. Mind you the Linux version is a number of years old, but still supported by said Linux vendor. Nor is there a way around the issue with the upgrade process, so CarbonBlack basically cannot be updated unless I can get the proper change order pushed through to upgrade the Linux version. We tried everything, manually installing new versions of OpenJDK which succeeded but still was not being seen when the dependency check was being done.

The support person from CarbonBlack was going to let the devs there know about this and try to get documentation updated so others who might be looking to upgrade know they cannot with this version of Linux. The other thing that got me thinking was why is a security company like CarbonBlack relying on Java (OpenJDK) since it is so insecure? I like CarbonBlack’s products but this is a huge WTF in my book.

Patch Tuesday is here

By Leave a Comment

With all the hacks going on out on the net today, patching your machines is more critical than ever.

Microsoft is releasing 16 Patches, 9 of which Microsoft deems critical. Patches include Windows, Office, and .Net, and all attempt to address RCE attacks.

Oracle has also released a major patch for Java in the past few days which addresses a number of security vulnerabilities. Adobe has patches out recently for Flash, Apple is playing whack-a-mole with malware, and basically there is a lot of patching to do.

Don’t forget though, with all these patches, to test them before deploying them. It doesn’t happen very often, but some patches can break your software.

Firefox 4 – Did they get it right?

By Leave a Comment

Firefox 4 is out. For a browser that re-sparked the browser wars, Firefox had been falling behind lately. Can 4 bring back Firefox?

I have a tendency not to download betas of web browsers. I’m not much of a bug hunter, haven’t been able to establish myself in those communities, don’t have a ton of time for actual hard core testing, and I’m not a developer. I just like having things work, especially where web browsing is concerned. So when I heard that Firefox 4’s final release was going to be the exact same as the last Release Candidate, I decided to actually jump the gun and start using it. I figured it couldn’t be any worse than using 3.6.

I’ve been using Firefox as my main browser since version 2, and overall have liked it. There have always been some issues with it, such as the memory hole it has, but they were things I could mostly live with. As  Firefox 3 kept getting updated though, it was all getting worse and worse. To open my iGoogle home page, which is set up with a bunch of news widgets, would take 5 minutes. Not only that, but the whole browser would be slow and unresponsive until it fully opened.

So I finished downloading Firefox 4 and installing it, expecting the same sluggishness. Surprisingly to me, my iGoogle paged opened in under a minute, and I was all set to go to other websites in other tabs, even while the iGoogle page was loading up. This is starting to look promising.

I continued on my browsing way, going to sites I frequent such as Tech Republic, ZDNet, Krebs on Security, and many more. All rendered faster than in Firefox 3.6. I did run into an occasional site which just wouldn’t open in Firefox 4 (Buffalo Wild Wings being one), but considering that there have been a lot of changes in Firefox 4, this doesn’t surprise me.

Everything isn’t all roses though. Java rendering (I enjoy playing Text Twist) and some Flash rendering is slow and painful. The Java being the worst of them all, as it slows to a crawl with a java game on Yahoo’s website. Once loaded, it works ok, but still a bunch of issues. Also, Firefox still uses a lot of memory, and doesn’t have the best memory management in the world. I have also heard reports of people who have had issues with it upon install, although the percentage seems to be small.

Is Firefox 4 an improvement? Definitely. Is it a game changer? No. Can it fend off Google Chrome? Maybe. Personally, I’m not going to Chrome unless I have to (Google has enough info on me from Android, Gmail etc, they don’t get any more if I can help it), and I don’t care of IE, Safari, or Opera. In the end, its really about what you are comfortable with and what works. On that, Firefox 4 is a solid, fast browser.