2 February 2012, 23:58

Let's say that you start up an old box, even a WinXP one, that has not been used for a while.

Because you're aware of the security risks of not updating your software, you try to update everything. Windows Update works like a charm, and may deploy 100 updates with 1 or 2 reboots, okay fine.

But... for some other products, it's not that simple.


On the machine, there is an old Firefox 3.0.15. First, it upgraded itself to 3.0.19, okay. But then things get more complicated.


Firefox does warn that an upgrade is available... version 3.6.13. Okay, but it's not able to download and install it! And we're now at version 9... will I have to install every major version, one after the other?

Anyway, let's see what happens.


The Wireshark screenshot below says it all, while checking for available updates through the "?" menu:



The request contains all the relevant information that is needed:

GET /?product=firefox-3.6.13-complete&os=win&lang=fr&force=1 HTTP/1.1\r\n


So yeah, the target version is 3.6.13, running under Windows, French localization, and a complete download may be required. Fine.

But... the server's response is not what one could expect:

"HTTP 404 not found"!


Even worse, the user gets a rather unintelligible message:


[quick English translation]

Software upgrade - end.

Failure (unknown reason)


I'm afraid an average user will not know what to do...


Therefore, unless the user goes to mozilla.org and downloads the new version on his own, which is most likely not going to happen for average users, Firefox will remain stuck at this old version, 3.0, including the security holes that were fixed in later versions!

Mozilla said they were going to keep providing support for the 3.6 version. That could be smart in such a situation, but only if the upgrade from older versions is still possible.


Mozilla devs: please don't forget that not 100% of the "computer world" runs even the N-1 version of Firefox! Some machines have not been able to upgrade for a while, and will thus remain in an obsolete and insecure state!


To admins: I suggest you check your proxy logs to see whether some machines are trying to upgrade from old versions of Firefox... or even better: build your own internal repository for Firefox, that's really the best solution to keep your fleet under control. Within that repo, keep old versions of Firefox so that machines with old configurations can upgrade with fewer problems!

You may also want to deploy it with your own remote install solution; in that case, make sure the package logic looks for all old versions of Firefox and properly uninstalls them...
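The proxy-log check suggested above, as an added example (not part of the original post): it scans access-log lines for update downloads shaped like the request captured earlier and lists the clients whose requests failed. The Squid native log layout, the host download.example.invalid and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines, assuming Squid's native access.log layout:
# time elapsed client action/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1328223480.101 120 10.0.0.21 TCP_MISS/404 512 GET http://download.example.invalid/?product=firefox-3.6.13-complete&os=win&lang=fr&force=1 - DIRECT/192.0.2.10 text/html
1328223481.300 95 10.0.0.21 TCP_MISS/404 512 GET http://download.example.invalid/?product=firefox-3.6.13-complete&os=win&lang=fr&force=1 - DIRECT/192.0.2.10 text/html
1328223490.772 310 10.0.0.35 TCP_MISS/200 9000000 GET http://download.example.invalid/?product=firefox-9.0.1-complete&os=win&lang=fr - DIRECT/192.0.2.10 application/octet-stream
1328400000.010 88 10.0.0.44 TCP_MISS/404 512 GET http://download.example.invalid/?product=thunderbird-3.1.10-complete&os=win&lang=fr&force=1 - DIRECT/192.0.2.10 text/html
1328400100.500 40 10.0.0.50 TCP_MISS/200 2048 GET http://intranet.example.invalid/index.html - DIRECT/192.0.2.20 text/html
malformed line
"""

# Shape of the "product" parameter seen in the captured request: <name>-<version>-complete
PRODUCT_RE = re.compile(r"^(firefox|thunderbird)-([0-9][0-9A-Za-z.]*)-complete$")

def failed_updates(log_text):
    """Return {client: {(product, version): count}} for update downloads that failed."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or "/" not in fields[3]:
            continue  # not a line in the assumed layout
        client, status = fields[2], fields[3].rsplit("/", 1)[1]
        method, url = fields[5], fields[6]
        # 2xx and 3xx (redirect to a mirror) count as a working download
        if method != "GET" or not status.isdigit() or status[0] in "23":
            continue
        product = parse_qs(urlsplit(url).query).get("product", [""])[0]
        m = PRODUCT_RE.match(product)
        if m:
            hits[client][(m.group(1), m.group(2))] += 1
    return {client: dict(counts) for client, counts in hits.items()}

if __name__ == "__main__":
    for client, counts in sorted(failed_updates(SAMPLE_LOG).items()):
        for (product, version), n in sorted(counts.items()):
            print(f"{client}: {n} failed download(s) of {product} {version}")
```

Each client listed is a machine whose built-in updater is stuck and needs the new version pushed to it by other means.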


Lastly, don't forget that software spread all over a fleet, without any real central and automated management, brings an overall risk to the IT environment. Even if Firefox was secure at one time, leaving it on the machines without properly managed upgrades creates a risk (attacks based on security holes that were patched, but whose patches were not deployed to all the machines).

This is the case for any software, in fact, but above all for browsers, since users access Internet content through them.



Update 1: 02/05/12


This issue is quite the same for Thunderbird...




The updater tries to download the 3.1.10 version, but fails (still getting a "404 not found" from Moz' servers). But with Thunderbird, the user is not likely to visit the "Mozilla Google start page", which would tell him that his Thunderbird is obsolete and has to be upgraded!


Thus, admins need to manually control Firefox/Thunderbird upgrades. But this is also true for average users, who are not professionals...
