Monday, 22 March 2010

German Government: Don't use Firefox


Two newsletters that I follow (Sophos enews / 22 March 2010 and ZDNetAnnouncements) report today on the German Government's recommendation that users not use MOZILLA FIREFOX 3.6 because of the security problems it presents.

Specifically, there is a hole through which hackers can break into computers that use this browser and install malicious code.

Those responsible at Mozilla have promised that a tested patch will be available by 30 March; however, those who wish to can install it earlier, at their own risk, from here:

https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/3.6.2-candidates/build3/

The relevant post on the sophos.com website reads as follows:

German Government: Don't use Firefox

The German government has advised computer users not to run Firefox and run an alternative browser instead, because of a critical security flaw.

The advice, which comes from BürgerCERT, part of the German Federal Office for Security in Information Technology (known as the Bundesamt für Sicherheit in der Informationstechnik or BSI), recommends that computer users stop using Firefox until Mozilla releases a fix.

The reason why Germany is suggesting such seemingly drastic action is that there is a critical vulnerability in currently available versions of Firefox that could be exploited by hackers to launch malicious code on users' computers.

Advisory on BürgerCERT's website

For its part, Mozilla has acknowledged the security vulnerability, and advises that a patched version 3.6.2 of Firefox is scheduled to be available on March 30th.

Here is a rough translation (courtesy of Google Translate):

Recommendation
Because of the Mozilla Foundation, a privately disclosed vulnerability Bürger-CERT recommends the use of alternative browser until Mozilla has released Firefox version 3.6.2. The current release of Firefox 3.6.2 Plan provides for delivery on Tuesday 30 Before March 2010.

Description
There is an as yet unspecified vulnerability in Mozilla Firefox version 3.6. A remote attacker to execute using rigged websites the opportunity to inject malicious code in the context of the logged on user.

Security researcher Evgeny Legerov discovered the vulnerability last month, controversially making code which exploited it available to those who were prepared to pay. That's not an approach which is likely to have won him many friends at Mozilla, who would much prefer that vulnerability researchers worked with them on responsible disclosure.

It must be an uncomfortable time for German web users too. After all, in January they were advised not to use Internet Explorer, and now they're being told to keep a wide berth from Firefox until it's fixed.

It's certainly a lot easier for computer-savvy home users to leapfrog from browser to browser than companies.

Switching your web browser willy-nilly as each new unpatched security hole is revealed could cause more problems than it's worth. For instance, imagine how much training some users will require to switch from one browser to another.

And it's worth bearing in mind - what are you going to do when your replacement browser itself turns out to contain a vulnerability? Are you going to switch yet again?

My advice is to only switch from Firefox if you really know what you are doing with the browser you're swapping to. If you stick with Firefox, apply the security update as soon as it's available.

If you can't wait - Mozilla says it has produced a release candidate build of Firefox 3.6.2 which already contains the fix (obviously it hasn't been through their complete quality assurance process yet). You can download it from their website at https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/3.6.2-candidates/build3/

Source:

http://www.sophos.com/blogs/gc/g/2010/03/22/german-government-firefox/


