Confusion liable to undermine end-user adoption of security fixes

Eion Robb eion at robbmob.com
Tue Aug 19 16:43:01 EDT 2014


From what I can see, the link on the front page is just labelled as
"2.10.6" but when you click through it links to a PPA containing 2.10.9

Was your experience different?


On 20 August 2014 06:56, Michael Vastola <michael.vastola at gmail.com> wrote:

> Hi all,
> So I wasn't 100% sure where to send this, because this is not a
> programming-based security issue.  As an information security professional
> myself, though, I ultimately decided I would like to know about this if I
> were in your shoes, so I'm passing this on.
>
> Please see the attached screenshot of the pidgin.im homepage, which I
> took just moments ago.
>
> The security announcement asking people to upgrade to 2.10.9 (or, at the
> very least 2.10.8) doesn't have any noticeable flaws, but notice the
> ambiguity (especially from the point of view of an end user who knows little about
> computers... I trust you're well aware of the frequent need to go above
> and beyond to 'stupid-proof' things for people) in the version of Pidgin
> that is available for download from this page's link.
>
> Right below the "n" in the logo for pidgin is the version 2.10.9, whilst
> the link to download pidgin itself (which is given much more prominence)
> suggests that the most recent available version is 2.10.6.
>
> I think it's quite likely that more than a few users will encounter
> this and, albeit aware of the vulnerability -- not click the link --
> falsely presuming a solution is not yet available. Or perhaps simply
> become confused and wary about proceeding further with this update.
>
> Obviously, for these people, they are just as vulnerable as if the
> vulnerability were never patched at all.
>
> Best,
> Mike Vastola
>
> _______________________________________________
> security mailing list
> security at pidgin.im
> https://pidgin.im/cgi-bin/mailman/listinfo/security
>