Microsoft and Adobe have delivered a fresh batch of security updates for April. If you use products from either vendor, watch today’s short Security Byte to get a summary of the updates, and more importantly, follow the links below to get your patches.
(Episode Runtime: 2:00)
Direct YouTube Link: https://www.youtube.com/watch?v=r95SPareQU4
- Microsoft Patch Day summary for April 2016 – Microsoft
- Adobe’s April Security updates – Adobe
— Corey Nachreiner, CISSP (@SecAdept)
@Corey – you should have a word with your team – I just noticed that my Watchguard device does not update itself, and does not even tell me that an update exists, not even when I log in to the admin panel – I have to manually go and check for updates in the control panel for every device to see if there’s something I need to update to.
Not the best idea for a security focused product!
Corey Nachreiner says
Thanks for sharing the feedback. I’ll share it with the Product Managers here, although know we already have some of the features you describe.
First, as far as fully automated updates, I wouldn’t expect those soon… but for good reason. We are a hardware gateway device that is critical to production networks, and our updates require re-uploading firmware, and rebooting the device between you and the Internet. It’s a more involved process than just updating a Windows desktop, many of which aren’t critical to everyday business. Because our device is critical to your Internet connection, I doubt we’ll ever take a purely automated update approach, since administrators would not want to disrupt their production network during an unscheduled period.
It’s like Windows desktop updates vs Server updates. You probably have all your desktops set to automatically take updates and install them at the next reboot. That’s not too disruptive for user desktops. However, you probably don’t have server updates set to automatic, because these are mission critical machines, and you want to at least test and decide when to push those updates so you don’t disrupt business. The Firebox falls in the server class of things (especially as your Internet gateway), so automatic updates are undesirable to most people.
That said, our product and UI should absolutely TELL you when an update is available, and it does. If you have the latest version of Fireware, in the web UI you can go to:
System => Upgrade OS
And it will tell you if there is a newer version available. We do have some feature requests that take this further, perhaps automatically downloading the latest Fireware to the box, but not applying it unless the admin presses a button. However, our storage limitations make this hard. We may also be more aggressive about alerting about updates in the main WebUI dashboard, but in either case, our WebUI will tell you if there’s an update you are missing.
You might also notice, when we release an update with a big security fix, I inform customers about it on this blog as well.
Thanks again for the feedback.
Please ask your team to make a self-auto-update *option* available. I know better than you when/if my internet is needed, and also when/if it’s OK to be running an outdated unpatched O/S 🙂
I forgot to note what Fireware version I was on, but it didn’t “tell” me until I logged in and looked under “system”. Maybe the latest version will? Either way – asking humans to regularly poll for all their firmware patches is unsustainable. For the handful of clients you have who might be unable to “suffer” 5 minutes of downtime at 2am on Sundays (or whatever) for automatic updating, you should “push” a notice to them so they know what to do. (I don’t know when your last blog message mentioned this – I don’t recall seeing it, but I’ve only been subscribed a few months – either way – notice in a blog is not what I mean; direct message to a nominated patch admin is needed)
Is this important?
My HP ProLiant’s iLO did not auto-update – hackers got in, screwed with my firmware, and exfiltrated my admin credentials. It has only rudimentary logging; so we have no idea what else they did. What do I now do with that $12,000 server with a questionable BIOS running? Will I ever get back (or be paid for) all the subsequent weeks of cleanup? Whose fault was it?
Answer = mine = for not telling HP to take security seriously and allow important patches to be auto-updated.
I don’t make mistakes a second time.
Corey Nachreiner says
I will pass it on. I guess there is no reason not to have an “optional” auto-update mechanism. I think we’d still have it disabled by default. In any case, I think we both agree that aggressively keeping your software and hardware up-to-date, especially for the latest security fixes, is a very important thing to do. I’ll share your requests with PM. Thanks for giving us the feedback.
Oh yeah, and if you want an example of some of the posts that tell you to patch our products, this is the last one I remember:
I didn’t have to tell you to Patch Fireware since the flaw wasn’t exposed there. I do also mention it in videos when I talk about updates to something like OpenSSL, which affect our products too.