General: November 2004 Archives

AOL bringing security to the masses. There's a phrase I never thought I'd hear. According to their ads they are offering free desktop antivirus and free antispyware software. I think they are building Aluria's antispyware product into the AOL software, but it looks like McAfee antivirus and personal firewall are separate downloads that AOL is making available for free.

It would be much better if antivirus was part of the software with updates via AOL's standard update mechanism. Then the typical user would never have to think about it. I don't know, maybe it will work that way.

AOL has made security the forefront of their current advertising scheme. It's a rather wise ploy. We've all seen article after article quoting people who can't keep up on patches, who keep getting hit with viruses, and now on top of it all, spyware is making their computer unusable. AOL's Internet with Training Wheels just added protection for their customers. I think that's pretty cool.

Back in the 90s the Clinton White House legal counsel's office had a conspiracy theory on how news is made in Washington DC. According to this flowchart, "news" would start with well-funded right-wing think tanks and individuals. It would then flow to the Western Journalism Center, the American Spectator magazine and the Pittsburgh Tribune Review. From there the legend would grow on the Internet where it would then be picked up by the British tabloids before filtering to the Wall Street Journal, the Washington Times and the New York Post. After that it would be discussed by congressional committees. Only then would the Washington Post or the NY Times pick up on the story. I cut a diagram of this communication stream from the paper back then and always get a kick out of looking at it.

I was thinking the other day that the tech news cycle is much like this theory. Rumors are posted to lists like Bugtraq and Full-Disclosure. From there it filters down to slightly more reputable sources, let's say SANS ISC, and if it's anti-Microsoft it will show up on Slashdot. From there it will be written up by a tech writer at ZDNet or The Register. Soon after that it will be in the Washington Post. From there it is on the AP wire and will appear in newspapers all over America.

If you ever feel overwhelmed by Microsoft patches, don't even think of looking at patching the rest of the applications that are deployed in your enterprise. Recently, I was taking inventory of our vulnerability status and found we needed later versions of Adobe, Real, Winamp, Winzip, AIM, SUN JRE. The list probably is longer than that but that list was long enough to be frightening.

I quickly found that some applications defy inventory. They don't use a version number on the exe, so a standard file query in SMS won't work. Or the version number for a vulnerable version of the product is the same as the version number for a non-vulnerable version. Sometimes the exe version was different from the product version, leaving the admin to wonder: if version 14 is version 10, is version 12 equal to version 9?

Next I considered the upgrade options. Most of the time there wasn't a patch. It was necessary to redeploy the application. Then there is the special case of the SUN JRE where deploying a new version seems to install the new version but leave the old. My favorite though was Adobe Acrobat Reader which required installing 6.0.1 before you could install the patch to take the version to 6.0.2.

This is making Microsoft patching look easy by comparison. I wonder how many times a day we can interrupt the users with the patching/upgrade software before they rebel.
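One way to handle the inventory problems described above (no version on the exe, the same version number on vulnerable and fixed builds, an exe version that differs from the product version), as an added example that is not from the original post: classify each file by hash first and by exe file version second, and report "unknown" instead of guessing. The exe names, versions, hashes and hosts are constructed sample data.

```python
import hashlib

def h(label):  # constructed stand-in for the SHA-256 of a real build
    return hashlib.sha256(label.encode()).hexdigest()

def parse_version(text):
    """'14.2' -> (14, 2, 0, 0); None when the exe has no usable version."""
    try:
        parts = [int(p) for p in text.strip().split(".")]
    except (AttributeError, ValueError):
        return None
    return tuple(parts + [0] * (4 - len(parts)))

def classify(record, rule):
    """Return 'vulnerable', 'patched' or 'unknown' for one inventoried exe."""
    # A known hash is decisive; it is the only signal that separates builds
    # that report the same version number.
    if record["sha256"] in rule["vulnerable_hashes"]:
        return "vulnerable"
    if record["sha256"] in rule["patched_hashes"]:
        return "patched"
    version = parse_version(record["file_version"])
    # No version resource, or a version shared by both builds: do not guess.
    if version is None or version in rule["ambiguous_versions"]:
        return "unknown"
    # Compare against the first fixed *exe* version, not the product version.
    return "patched" if version >= rule["first_fixed"] else "vulnerable"

# Hypothetical rules: viewer.exe product 10.2 ships as exe 14.2; player.exe
# was fixed without a version bump, so 8.5.0.0 exists in both states.
RULES = {
    "viewer.exe": {"first_fixed": (14, 2, 0, 0), "ambiguous_versions": set(),
                   "vulnerable_hashes": set(), "patched_hashes": set()},
    "player.exe": {"first_fixed": (9, 0, 0, 0), "ambiguous_versions": {(8, 5, 0, 0)},
                   "vulnerable_hashes": {h("player-old")}, "patched_hashes": {h("player-fixed")}},
}
SAMPLE = [  # constructed inventory rows: (host, exe, file version, hash)
    ("pc01", "viewer.exe", "14.1.3", h("viewer-a")),
    ("pc02", "viewer.exe", "14.2", h("viewer-b")),
    ("pc03", "player.exe", "8.5.0.0", h("player-old")),
    ("pc04", "player.exe", "8.5.0.0", h("player-fixed")),
    ("pc05", "player.exe", "8.5.0.0", h("player-repack")),
    ("pc06", "viewer.exe", None, h("viewer-c")),
]

def inventory(rows=SAMPLE, rules=RULES):  # maps each host to its exe's status
    return {host: classify({"file_version": v, "sha256": s}, rules[exe])
            for host, exe, v, s in rows}
```

The "unknown" rows are the ones that need a manual look or a new hash added to the rule, which keeps ambiguous files from being silently counted as patched.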