Netgear Responds to Critical Vulnerabilities With Beta Router Firmware Updates

[Guest]

Netgear announced that it has released beta firmware updates for routers with critical security vulnerabilities.

Netgear Responds to Critical Vulnerabilities With Beta Router Firmware Updates : Read more

 

[dgingeri]

This is something that should have come back in September, considering the vulnerability was known to them back in August.

 

[sykozis]

Did you even read the article? They had no record of a prior report before Dec 9, so it was not known to them back in August. It's been known to them since Dec 9 when CERT notified them.

 

[jkhoward]

@Sykozis - Do you honestly think it fell through the cracks.. don't be a fool.

 

[NinjaNerd56]

FYI, you have to go after this manually. The firmware updates in the device UI can't "see" the beta .18 release.

Download from Netgear and browse for the file, otherwise it's no joy in Mudville.

 

[dgingeri]

Did you even read the article? They had no record of a prior report before Dec 9, so it was not known to them back in August. It's been known to them since Dec 9 when CERT notified them.

Once it had been disclosed that the first notification occurred in August, we conducted a search and confirmed this was the case. Admittedly, this was an oversight on our part.

Yes, they knew about it in August. They disregarded it because their internal processes regarding being informed of such things failed to include or specifically excluded outside sources of such information. In other words: they don't consider communication with their customers as a priority.

This has to do with management style. It is "old school" to only consider internal sources of information for such things unless forced. This was the way management was taught until the last 10 years or so. I know this because I have fought with it for most of my career. Many companies are still stuck in this mentality, even in the tech industry. Cisco, Oracle, Creative Labs, VMWare, and EA are particularly bad about it. Companies like this head off in their own direction, regardless of what their customers want, and then suddenly realize they have become irrelevant.

More pioneering companies have begun to realize that this mentality is what causes big companies to fail to stay up in their markets. They began to take heed of what their customers had to say, and even began to solicit feedback from their customers. Microsoft started it with their constant focus groups, but have lagged behind lately, particularly during Steve Balmer's time as CEO. Bill Gates had the wisdom to work with people and find out what they wanted and how they worked to create an interface that people could use easily. (Thankfully, their new CEO has headed back in this direction.) Since then, others have started this, like Blizzard, which started a very active forum system to listen to their players' feedback.

Netgear has always been a rather isolationist company. They have very little in the way of active support, let alone user feedback. Ever try to get tech support for a bad router? It takes weeks to get a replacement. Do you think they even have any way to submit feedback on bugs? That is why they failed at this. They aren't paying attention, to their customers, the direction of the market, or the quality of their products, and they are going to pay for it in the end.

 

[sam1275tom]

I gave my Netgear away and never buy that brand again since they refuse to fix the critical(and simple) bug on my jnr3210, now I'm looking at this and laughing, good work Netgear, screw all your customers continuously, you know they are all foolish and will buy your product again!

 

[hoofhearted]

You would think they would staff someone with a rudimentary knowledge of all thing security related who keeps up. Anyway to test:

/cgi-bin/;ps$IFS]http://[router-ip-address]/cgi-bin/;ps$IFS

 

[hoofhearted]

Opinions?

Netgear-updated-firmware
tomato
openwrt
ddwrt

I have read that you take a performance hit with ddwrt as it doesn't leverage some of the proprietary network driver stuff as the stock fw does.

 

[hoofhearted]

Also, if you run the above ps command and see telnetd in there, you may have already been hacked.

 

[dgingeri]

pfsense seems to be about the best way to go for a router, unless you want to get into enterprise level firewalls.

 

[Tom Delco]

The $20 R6100 is not affected, due to the old version of openwrt running underneath the netgear interface!

 

[sam1275tom]

You would think they would staff someone with a rudimentary knowledge of all thing security related who keeps up. Anyway to test:

http://[router-ip-address]/cgi-bin/;ps$IFS

What's that? I get "Error 404: Not Found"

 

[lhughey]

Odd that this doesn't seem to affect the R7800.

 

[firefoxx04]

The problem is that most people will not know to update their firmware. Without some sort of auto updating (big brother style) firmware system a majority of routers will be left un-patched. Do it right first.

 

[laststop311]

Wouldn't say blizzard listens to all their customers "you think you do but you don't"

 

[dgingeri]

Wouldn't say blizzard listens to all their customers "you think you do but you don't"

They used to, which is what led to Wrath of the Lich King, and record subscriptions to WoW, and then they kind of stopped, which has reflected in their subscription numbers. I've heard they're listening more in Legion.

 

[wifiburger]

wonder who's going to update these garbage consumer routers ! they are all mostly junk and full of bugs ! once you find your working configuration you never update / log back into the router and risk crashing it !