Mozilla's Afraid of Microsoft Security Updates
Plus: Better user password starts with password policy, Google's Chrome browser hacked at the Pwn2Own contest.
In case you haven't heard, Microsoft released its March patch yesterday. And in case you haven't heard and are in IT, what's wrong with you?
We all know that the calendars should be clear for the second Tuesday of every month, in case there's a huge load of 'critical' updates for Windows (luckily, this month only has one).
It's no secret that Microsoft software needs constant update, and it's no secret when those fixes are coming.
So why was Mozilla caught off guard? The plan was to release its new browser version on Monday. Just like Microsoft, Mozilla stays very religious to its updates and product releases -- they come every six weeks on a Tuesday. It just so happens that this month's browser update came out the same day as Microsoft's security update.
Or, should I say, should have come.
After previously announcing that Firefox 11 would arrive on March 13, it pulled the plug on the release hours before it was projected to go live. The issue was that Mozilla didn't want to release a browser that may not be compatible with Microsoft's monthly patch. So it waited for the patch to come out, did all necessary patching and released the browser early this morning, six weeks and one day after its last update.
What is puzzling about this whole situation is if you know that there may be a potential issue with your software's update and Microsoft's patch, why choose Tuesday to release it? Why not Wednesday? Or Thursday? You literally have six other days to choose from that won't be interfered by what Microsoft is doing.
Just seems like you can save yourself some scrambling with a more flexible release schedule.
For those fans of Mozilla's open source browser, looks like there were no compatibility issues with Microsoft's security update. (And that's good -- I was afraid that fix for Microsoft Expression Design was going to bring Firefox to a halt…)
People Are Still Using 'Password' for Their Password
And guess what, it's your fault.
That's according to a recent security report from Trustwave that found the issue of weak passwords stems from the rules governing passwords, not the users' simplistic passwords. Because if some users can use a simplistic password, they will.
The burden falls on IT to evolve password management that it won't allow easily guessable words. Trustwave recommends using a NT Hash-based storage system for password integration. Also, length really does matter. "[I]t's time to stop thinking of passwords as words, and more as phrases," said the report.
How's your shop's password management situation? Could it need some tightening up? Also, if you have an embarrassingly bad story involving user passwords, send them to cpaoli@1105media and I'll share with the readers (I'll keep them anonymous).
And Down Goes the Champ
Every year, hackers are (legally) put to the test at the annual CanSecWest security conference's Pwn2Own contest.
The goal is to publically show vulnerabilities in Web browsers and OSes by hacking them. Besides providing valuable security information to the companies whose products have been compromised, cash is also on the line.
Google has left the competition the last three years a bit cocky -- it's been the only Web browser to not succumb to the hackers. However, after five minutes into this year's event, the streak was over.
A Russian teen brought Chrome to its knees and bypassed the browser's sandbox environment. For his efforts, Google cut him a check for $60,000. Not too shabby for five minutes of work!
Google took its $60,000 information and pushed out a patch on Thursday -- even though it had no idea how it would interact with Microsoft's security update.