Tuesday, May 25, 2010

McAfee: run an insecure browser so you can run our Enterprise Security Console!

So McAfee's much ballyhooed ePolicy Orchestrator -- the central management console for all McAfee's security tools -- is a web-based interface that has a few pages that are broken in Firefox 3.6.3. Being the "they can't fix what they don't know about" helpful guy I am, I wanted to report the bug to McAfee. Little did I know that my deed for the greater good was about to rob me of 3 hours of my life and make me want to bang my head on the desk. Or create a blog to capture such rants.

So I _call_ McAfee's Gold support -- which in the past has been my best hope of getting someone with a decent clue quotient and command of my native language. I am fortunate and get a guy who's fired up, understands the page I'm talking about, allows me to email him the screenshots I took showing a page that doesn't function at all in FF, and is quickly able to reproduce the issue with Firefox 3.6.3 and an even later version of the ePO and VirusScan Enterprise software than I have installed. We're at about 50 minutes into the call when I say "Great! Can we log the bug now?"

I'm put on hold for 8 minutes and the guy returns to the phone, with a different tone, and seemingly defeated, has to report to me that he's unable to log the bug. He emails me a link to the ePO supported platforms (KB51569) and invites me to submit a product enhancement request (KB60021). Turns out their officially supported browsers are IE6/7/8 and Firefox... um... 3.0. Because Firefox 3.6 isn't on that list, he couldn't file a bug report.

Which of course elicited a rant I knew this guy wasn't positioned to address but needed to be voiced all the same:

"So you're telling me that McAfee, a purportedly market-leading security company, is telling me, an information security professional, that I'm expected to run a web browser with widely known critical vulnerabilities that no self-respecting infosec person has touched in 18 months (for fear of drive-by downloads, which by the way your AV product is pretty poor at detecting) in order to use your enterprise _security_ console? And that I need to file a product enhancement request if I want this page fixed?"

Of course, the answer was a sheepish yes, "or you can use IE8."

And sadly, the heinousness didn't end there.

So I try to be a good soldier, understand that platform qualification for a company McAfee's size is a sticky wicket and takes a lot of QA time (which apparently is in short supply there given recent events), and I submit the product enhancement request per their KB60021 instructions. For VirusScan Enterprise enhancements you end up at a third-party site https://mcafee.acceptondemand.com/ that requires registration. I roll my eyes a bit, register, get the confirmation email. Try to log in in Firefox, and it won't work. Try in IE8... and it won't work either... but _it_ wants to download an ActiveX control.

An ActiveX control? From a third-party website I've never heard of? To submit a feature request for a market-leading endpoint security company? Ironically, about lack of Firefox support?

Fail. Times 2.

At this point I gave up and emailed my (sympathetic) sales contact about how crazy it was.

Ultimately my ticket was transferred to another support technician who offered to submit the FMR for me (Feature Modification Request, but it's more fun to think of it in terms of an exasperated "Well, F* Me Running"). Though he had to make it generic, requesting Firefox 3.6 support.

And I'm sure that by the time they officially support that, it'll be an abandoned branch of FF with several unpatched critical vulns too.

Corollary: This makes a good argument against web-based security consoles in favor of rich clients. On the other hand, that'd invariably be developed in Java... and only certified to run on critically vulnerable versions of the JVM.

Forget it, we're doomed.