Security Advisor

Mozilla Didn't Properly Plan for Microsoft's Monthly Patch


In case you haven't heard, Microsoft released its March patch yesterday. And in case you haven't heard and are in IT, what's wrong with you?

We all know that the calendars should be clear for the second Tuesday of every month, in case there's a huge load of 'critical' updates for Windows (luckily, this month only has one).

It's no secret that Microsoft software needs constant updating, and it's no secret when those fixes are coming.

So why was Mozilla caught off guard? The plan was to release its new browser version on Monday. Just like Microsoft, Mozilla sticks religiously to its schedule for updates and product releases -- they come every six weeks on a Tuesday. It just so happens that this month's browser update came out the same day as Microsoft's security update.

Or, should I say, should have come.

After previously announcing that Firefox 11 would arrive on March 13, Mozilla pulled the plug on the release hours before it was projected to go live. The issue was that Mozilla didn't want to release a browser that may not be compatible with Microsoft's monthly patch. So it waited for the patch to come out, did all necessary patching and released the browser early this morning, six weeks and one day after its last update.

What is puzzling about this whole situation is this: if you know that there may be a potential issue between your software's update and Microsoft's patch, why choose Tuesday to release it? Why not Wednesday? Or Thursday? You literally have six other days to choose from that won't be interfered with by what Microsoft is doing.

Just seems like you can save yourself some scrambling with a more flexible release schedule.

For those fans of Mozilla's open source browser, looks like there were no compatibility issues with Microsoft's security update. (And that's good -- I was afraid that fix for Microsoft Expression Design was going to bring Firefox to a halt…)

People Are Still Using 'Password' for Their Password
And guess what, it's your fault.

That's according to a recent security report from Trustwave that found the issue of weak passwords stems from the rules governing passwords, not the users' simplistic passwords. Because if some users can use a simplistic password, they will.

The burden falls on IT to evolve password management so that it won't allow easily guessable words. Trustwave recommends using an NT Hash-based storage system for password integration. Also, length really does matter. "[I]t's time to stop thinking of passwords as words, and more as phrases," said the report.

How's your shop's password management situation? Could it need some tightening up? Also, if you have an embarrassingly bad story involving user passwords, send it to [email protected] and I'll share it with the readers (I'll keep it anonymous).

And Down Goes the Champ
Every year, hackers are (legally) put to the test at the annual CanSecWest security conference's Pwn2Own contest.

The goal is to publicly show vulnerabilities in Web browsers and OSes by hacking them. Besides providing valuable security information to the companies whose products have been compromised, cash is also on the line.

Google has left the competition the last three years a bit cocky -- Chrome has been the only Web browser to not succumb to the hackers. However, five minutes into this year's event, the streak was over.

A Russian teen brought Chrome to its knees and bypassed the browser's sandbox environment. For his efforts, Google cut him a check for $60,000. Not too shabby for five minutes of work!

Google took its $60,000 information and pushed out a patch on Thursday -- even though it had no idea how it would interact with Microsoft's security update.


About the Author

Chris Paoli is the site producer for and

