Confusion liable to undermine end-user adoption of security fixes
Michael Vastola
michael.vastola at gmail.com
Tue Aug 19 14:56:53 EDT 2014
Hi all,
So I wasn't 100% sure where to send this, because this is not a
programming-based security issue. As an information security professional
myself, though, I ultimately decided I would like to know about this if I
were in your shoes, so I'm passing this on.
Please see the attached screenshot of the pidgin.im homepage, which I took
just moments ago.
The security announcement asking people to upgrade to 2.10.9 (or, at the
very least, 2.10.8) doesn't have any noticeable flaws, but notice the
ambiguity (especially from the point of view of an end user who knows little about
computers... I trust you're well aware of the frequent need to go above
and beyond to 'stupid-proof' things for people) in the version of Pidgin
that is available for download from this page's link.
Right below the "n" in the logo for pidgin is the version 2.10.9, whilst
the link to download pidgin itself (which is given much more prominence)
suggests that the most recent available version is 2.10.6.
I think it's quite likely that more than a few users will encounter
this and, albeit aware of the vulnerability -- not click the link --
falsely presuming a solution is not yet available. Or perhaps they will simply
become confused and wary about proceeding further with this update.
Obviously, these people are just as vulnerable as if the
vulnerability were never patched at all.
Best,
Mike Vastola
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Pidgin,_the_universal_chat_client_-_2014-08-19_14.56.00.png
Type: image/png
Size: 123159 bytes
Desc: not available
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20140819/3ba3a7dc/attachment-0001.png>