Browser News and Vindication

If you haven’t updated to Firefox 1.5 yet, I would wait a while. I think they still have some bugs to hammer out of this version, and there are also a number of extensions that I use which haven’t been upgraded.
Today is black Tuesday. (That is what I call the second Tuesday of each month, when Microsoft releases the patches for the month; it is usually a long day.) There will be important fixes for Internet Explorer. If you own a computer, you should make sure that your computer gets updated today. On a related note, I was very pleased to find out from E-Bitz that Small Business Server is supported by Microsoft Update now. If you don’t know about Microsoft Update, it’s like Windows Update, providing automatic patches, except that Microsoft Update also provides patches to applications such as Microsoft Office, MS Exchange, and now SBS too.
I’ve been saying it for years and now SANS, one of the most respected security organizations in the country, has agreed with me. In the most recent NewsBites, SANS inaugurates a section called the “Application Security Hall of Shame”, and the first inductee is …

You guessed it. QuickBooks.
QuickBooks requires unsafe permissions in order to run correctly. In effect, any machine where QuickBooks is installed is at risk. This comes as no surprise to me. In my experience, when users have done things to damage their computers, they have been granted administrative permission to make changes to the computer. Take away the permission, reduce the risks.

The latest release of Intuit’s QuickBooks, widely used by accountants and businesses, negates the security attributes of the underlying operating system (e.g., Windows) on a computer using this Intuit product. Installation and operation of QuickBooks requires granting operating system “Administrative privileges” to the user, giving users complete control over the security features of the computer on which it is installed. In an enterprise setting, this hinders the organization’s ability to ensure security policies are implemented appropriately for password control, user privileges, and other security disciplines for a computer with QuickBooks installed. This is an unfortunately perfect example of an application software product demolishing the security capabilities of the underlying operating system. Computers with unprotected operating systems are easy pickings for would-be intruders looking for personal identity and financial information in QuickBooks files.

Windows 98 is gone. Get over it. Users should not require elevated privileges for day-to-day tasks.
