Let's say that you start an old box, even a WinXP... that had not been used for a while.

Because you're aware of security risks if you don't update your software, you try to update the whole stuff. Windows Updates works like a charm, and may deploy 100 updates with 1 or 2 reboots, okay fine.

But... for some other products, it's not that simple.

On the machine, there is an old Firefox 3.0.15. First, it did upgrade itself to 3.0.19, okay. But then, things begin to be more complicated.

Firefox does warn there is an available upgrade... version 3.6.13. Okay, but, it's not able to download and install it! And were now at version 9... will I have to install every major versions, one after the other?

Anyway, let's see what happens.

The Wireshark screenshot below says it all, while checking for available updates through the "?" menu:

The request contains every relevant information that is needed:

GET /?product=firefox-3.6.13-complete&os=win&lang=fr&force=1 HTTP/1.1\r\n

So yeah, the upgradable version is a 3.6.13, running under Windows, localization France, and a complete download may be required. Fine.

But... the server's response is not what one could expect:

"HTTP 404 not found"!

Even worse, the users gets a quite non-understandable message:

[quick English translation]

Software upgrade - end.

Failure (unkwown reason)

I'm afraid a lambda user will not know what to do...

Therefore, unless the user does go to mozilla.org and downloads the new version on his own, which is most likely not gonna happen most of the time for lambda users, Firefox will remain stuck at this old version, 3.0... This, including security holes that were fixed in later versions!

Mozilla said they were gonna keep on providing support for 3.6 version. That could be smart, in such a situation, but only if the upgrade from older versions is still possible.

Mozilla dev: please don't forget that 100% of the "computer world" does not run even the N-1 version of Firefox! some machines have not been able to upgrade for a while, and will thus remain at an obsolete and insecure state!

To admins: I suggest you to check your proxy logs to see if some machines are not trying to upgrade from old versions of Firefox... or even better: build your own internal repository for Firefox, that's really the best solution to keep your park under control. Within that repo, keep old versions of Firefox to let machines with old configurations upgrade with less problems!

You may also want to deploy it with your own remote install solutions, in that case make sure the package intelligence will look for all old versions of Firefox to properly uninstall them...

Last, don't forget that a software being spread all over a park, but without any real central & automated management, does bring a global risk to the IT. Even if Firefox was secure at a time, leaving it on the machines, without properly managed upgrade, will create a risk (attacks based on security holes, that were patched, but patches not deployed to all the machines).

This is the case for any software, in fact, but above all for browsers since users access Internet content through them.

Update 1: 02/05/12

This issue is quite the same for Thunderbird...

The updater tries to download the 3.1.10 version, but fails (still getting a "404 not found" from Moz' servers). But the thing is with Thunderbird, the user is not likely to go to "Mozilla Google start page", that will tell him his Thunderbird is obsolete and has to be upgraded!

Thus, admins need to manually control Firefox/Thunderbird upgrades. But this is also true for lambda users, that are not professionals...

Je ne dois pas être le seul à l'avoir vu, l'opérateur en fait l'annonce sur son portail dès l'instant que l'on rentre dans la partie "webmail"...

Mais le problème est que l'infra Zimbra en question ne semble pas elle aussi neuve :

 D'après le site éditeur de PHP, cette version 5.2 n'est plus supportée...

Et évidemment, elle souffre de diverses failles de sécurité... que je ne détaillerai pas publiquement par principe !

Messieurs les admins et intégrateurs à Free, c'est à vous de jouer... 

Mise à jour 1 :

Je n'avais même pas songé à vérifier mais en fait l'URL d'accès à une boîte aux lettres chez Free est en HTTP !

Exemple :

http://imp.free.fr/horde/imp/mailbox.php?mailbox=INBOX&actionID=

Cela ne respecte pas les bonnes pratiques de sécurité pour les sites Internet... mais surtout, de nombreuses attaques sont possibles (empoisonnement ARP, détournement DNS, écoute simple, etc) ! 

I would believe we are back to Win 9x systems fashion, when adwares used to be legion (at least, in proportion compared to global threats trends at this time). But this case seems to concern any Android OS from 1.6 to 2.x, much more modern systems...

In a nutshell, this adware will:

- add an icon on the main screen of your phone, leading to a kindda "fake" Google search engine

- display adds within the top taskbar, suggesting you to download, or pay I should say, new apps, on a regular basis; therefore accessing the network through 3G connectivity

- remain active as a background service... 

But what are we really talking about? This is all about a game: Helicopter Strike Force. See splashscreen of the game, while loading:

Most of the installed AV I've tested do not detect it: 

- Norton (no screenshot available at the time of the test... :( )

- DrWeb 

- Weebroot

- Kaspersky Lite 

Note that KAV uses the "Kaspersky Security Network", to scan in the cloud the app before its first execution. Although I have installed (and uninstalled) it twice, with several days between each install, the KSN did not find anyting.

I even tried VirusTotal, but no real result. I'm wondering if the command line versions of AV engines that VT uses are able to use mobile-specific threat signatures.

But that's not all, this app will also install a service, that could be surprising for "just" a game...

Now here is the new icon on the main/first desktop:

But the thing is, this search engine is not what you may think. When you launch it, it will get access to livemobilesearch.com... which in turns does look like Google, but it's not!

Then:

(bottom of page)

You have to go read the "privacy" link, down the page, to confirm our expectations:

Last, but not least, the results this search engine provides do differ from the Google's ones. For instance, the keyword "music" will return:

While the "real" Google says:

Therefore I'd say that:

- yes, antimalware on smartphones is more and more needed. I suggest everybody tries one...

- as we have been saying for years on regular computers, be carefull regarding the links you click and the apps you download... 

Update 1, 01/15/12:

Let's see what's going on deeper within Android:

It appears that "helicopterstrikeforce" launches 3 processes/services. One of them seems to have an interesting name: noolah.pushnotification. 

Searching Google for it returns the following PDF document:

https://docs.google.com/viewer?a=v&q=cache:JD8QLTJaokAJ:forum.unity3d.com/attachment.php%3Fattachmentid%3D22799%26d%3D1311396784+&hl=fr&pid=bl&srcid=ADGEESjCxeNBKAr8al8ucNN9aYNB4e14wcIVSyGps1m98N4V28LCbBDok2MP00DAuK67r-VGip0kMbnUuwTYdYn62PuEsyqCnLJqbpv-kaoOZymAxhzFJ1NVYqIFeQ-TNyrJYCT_A5np&sig=AHIEtbR8kCBOiQlmRSpvniyC5MzAMoFo7w

Pretty interesting too, as it explains the ad's implementation:

There we go: service androidname="com.moolah.NotificationService"!

Thereforce, this will act as the adware component, and will remain active even if the game is not being run.

Let's see the result:

"Android app offert", and "Live & work in the USA" are not related to the phone's own processes (or user's actions/RQ).

Here is an example of such advertised apps: once the user has clicked on it, he will be redirected to a website like:

Fortunately, this phone was using WiFi connectivity ATOW, but obviously wireless does not work while roaming (I mean, walking in the street, for instance), thus this ads will create extra and uncontrolled data transfert over 3G!

If the mobile network operator does charge data in anyway, those apps may become painfull for people's CC. So pay attention whenever an app requires full Internet connexion at install, while it is not necessary according to its type!

Qui a dit que cela n'arrivait pas à tous les fournisseurs de service ? GMail ne fait pas exception à la règle.

Bien que le Copyright sur la page date de 2008, le message lui, date bien de 2011 ! (je n'avais pas eu l'occasion de le poster).

Attention donc à ceux qui veulent "mettre dans le nuage" leurs services informatiques : dans ce cas-là, certains métiers peuvent presque rentrer chez eux... :( 

L'avertissement est, je pense, suffisamment explicite !

Mais où se cache le HTTPS ?

Solution possible : utiliser HTTPS EveryWhere dans Firefox...