Zyxel's policy release for firmwares: can be improved?

mMontana Posts: 1,302  Guru Member
edited April 2021 in Security

Some say that bad luck does not exist. I'm asking myself if that's true for ZLD4.33.

Announced at the end of January, 7 months after 4.32, it has been... quite a rough way.

At the beginning of March, a patched version was announced for addressing wireless connection issues.

Mid-April, XSS reference vulnerability

Beginning of June, "Patch 1 version" for SecuReporter

End of August, CGI vulnerability

But still, late October or end of the year is the release outlook for an updated version.

Starting from 4.x I was not very fond of the automatic update of the firmware (instead very fond of the dual image capability) and the lack of firmware availability on the FTP server. But I get along with that.

But during this funny 2019 it's the fifth time that I have to update devices... which are supposed to update automatically. And they do not, because no "official" version is released, only "patched" or "lab" or "WK"ish ones, and I have to contact someone, or look on some NextCloud or OneDrive for Business to find them.

I understand that vulnerabilities can be found and need to be fixed. But if there's no automation in updating (even delaying that for a month, which can be achieved with configuration)... A vulnerable firmware is better than a patched one? Firmware release by Zyxel seems that's their song.

I hope that this "rant" won't hurt, it's a suggestion to improve. I don't like the "Release Now, Fix it Later" approach, but this is keeping "keep not releasing even if released it's broken"?

