FURRYe38
May 25, 2023 | Guru - Experienced User
New - RAX35/38/40/42/43/45/50/54 Firmware Version 1.0.15.128 - Hot Fix Released
New Features: 05/24/2023
Support Speedtest server selection in web GUI.
Support Unicode character for attached device name and router name.
Bug Fixes:
Fixes the issue where USB stick ca...
wealth-secure
Sep 24, 2023 | Aspirant
Hello Netgear Community,
I recently came across this Firmware Version 1.0.15.128 Hot Fix for the RAX40v2 router. While I appreciate the ongoing efforts to improve the router's performance and security, I have a couple of questions that I hope can be addressed:
1. Security Vulnerabilities Patched:
The release notes mention that the hotfix addresses security vulnerabilities but do not provide specific details. Could someone from Netgear or the community shed light on what vulnerabilities were addressed? Detailed information would be highly beneficial for users who prioritize security.
2. Auto-Update Issue:
I've noticed that this firmware version has not appeared in the auto-update feature of my router, even though it was released four months ago. Is there a reason for this delay? Are "Hot Fixes" not included in the standard update cycle, or is there another explanation?
Understanding these aspects would not only help me but also benefit the community at large. Looking forward to your responses.
Best regards,
Daniel
michaelkenward
Sep 24, 2023 | Guru - Experienced User
wealth-secure wrote:
1. Security Vulnerabilities Patched:
The release notes mention that the hotfix addresses security vulnerabilities but do not provide specific details. Could someone from Netgear or the community shed light on what vulnerabilities were addressed? Detailed information would be highly beneficial for users who prioritize security.
This is not generally thought to be a good idea.
Telling you what was fixed leaves the door open for nasty people to exploit things that aren't covered in the update.
Users who prioritise security might like to consult the appropriate section:
NETGEAR Product Security | NETGEAR
2. Auto-Update Issue:
I've noticed that this firmware version has not appeared in the auto-update feature of my router, even though it was released four months ago. Is there a reason for this delay? Are "Hot Fixes" not included in the standard update cycle, or is there another explanation?
Hot fixes are not always, if ever, included in the automated update process.
This happened in phases, depending on the severity of the update. The first sighting of new firmware is often on the product support pages.
As it is, experienced users tend to avoid autoupdates. (They turn them off.) They can result in a dead (bricked) router when the process goes wrong, for example, if there is a power failure mid-update.
True nerds like to download updates from the support pages and to manually update the firmware.
How do I manually upgrade firmware to my NETGEAR router? | Answer | NETGEAR Support
- wealth-secure | Sep 24, 2023 | Aspirant
Thank you for your reply. I have already manually updated the firmware before posting on this thread. My main point simply was, if there is an update with 'important security vulnerability fixes' and it is not disclosed what those are and it takes some high degree of technical skill to find this hotfix to mitigate the risk of this being exploited on my router, it is a bit of a double-edged sword.
As anyone on this forum probably does update their routers like this, the majority of people have the default setting with auto update enabled and thus will never receive this hotfix and the impact of what that may have is impossible to assess if one does not know what vulnerabilities are patched in this hotfix. Well I do get the argumentation about power outages, that raises another point, why is this auto update setting on by default then? If this is the reason for not including hotfixes in auto updates, because of the small chance one router may die due to mid-update power outages? Does Netgear find the risk of power outages bigger than the risk of 'security vulnerabilities being patched' being exploited on potentially the vast majority of their clientele who have not installed this hotfix? Impossible for me to tell if I don't know what the update actually does. Also, I don't think the argument holds up. When manually patching my router the power could also have a blackout. It is not necessarily something you can predict.
Just figured I'd bring this up.
With regard to the Netgear Product Security webpage you referenced, I did not necessarily find it useful. It is very generic and only offers the option to report a vulnerability and see what products are on their end of life cycle.
Cheers,
Daniel
- FURRYe38 | Sep 25, 2023 | Guru - Experienced User
NG doesn't put up some FW builds on their AU services. Some builds are major and some minor. Major version changes are more likely to be put up on their AU service and auto pushed. Minor ones NG doesn't put up on their AU service and are up to users to check on and at their discretion to manually update or not. Why NG provides FW build files for users to manually update their units when they decide to. Been too many historical issues of AU causing problems for users so NG lets users decide if they want to use that system or manually update.
If users are overly concerned about updates happening and power outages, then there are UPS options that should be looked into. Otherwise if power goes out during an update, the unit can be recovered back to working order should that ever happen. 🙄