Inform clients about security fixes in newer FileMaker?

How do you guys handle that?

In recent times we learnt about a couple of security problems fixed this year.

Should we inform them actively and ask them to upgrade, if we know what server version they use?

Like, if you use anything before 21.0, move to 21.0.
Or if you have 19.6.x, make sure it is 19.6.4 at least.

1 Like

The hardest thing is if the client is on a perpetual license and hasn’t continued their maintenance. The version of v19 depends on when their maintenance ran out.

We’re only now moving one client from v15 (MDI to SDI change within Windows v16 onwards being the reason, not maintenance) and have another who were going to replace the system we wrote with one they wrote themselves years ago. The only problem is that their system still doesn’t work and there is no chance of any more investment in FileMaker.

Security is another argument to encourage clients to upgrade, as are the performance improvements over the more recent releases. However, investment and licensing are the controlling factors.

We have a mix of hosted and self hosted. We test the new versions before we put them onto our hosted systems. If we find problems we advise our self hosted clients to wait. Otherwise we advise them to upgrade immediately.

1 Like

While all our customers contracts require they have the latest version of FileMaker we still struggle getting them to stay updated. I had not considered the challenges of keeping the server OS updated. Some of our customers are still on Windows server 2016 and are in no hurry to upgrade.

I have been wary of talking about security as a way to get them to upgrade but maybe it would be a good idea to start. It is really frustrating to know they have the latest FileMaker but we can not get them to use it.

1 Like

Here, some of the customers are walking down a risky road...

Some years ago, one could buy a license and use that SW a couple of years, then look at that 'world' and maybe buy a new license ('never touch a running system').
As of today, with that security danger and new technologies, that is too risky - but that is not so clear (at least not everywhere)...

For some customers, we suggest to rent, not to buy - so there is a +/- fixed budget, you 'only' have to deal with updating the software - and the OS...

We are lucky to have a lot of customers who update software/OS frequently - we have to ask them not to install a new OS or software too soon after new releases.

Wherever we are still in contact with customers, we discuss security questions (often, customers have their own IT support who is also supplying FM licenses, etc... We are just consultants if there are questions concerning FM)

1 Like

I think I will make a statement on my mailing list to remind people to update to a safer version. And I may email a few people about checking their version.
We'll see whether people will be thankful for the notice or complain about me caring.

2 Likes

Given the severity of the flaw, we (fmcloud.fm) decided not to leave the choice to customers and were pretty straight forward.
In 48 hours we updated all the servers we manage that were not running one of the secured versions (19.6.3, 20.3.2, 21.0), which means several hundred servers, to their respective secure versions.
There were a few exceptions with 19 servers where the log indicated that some users still connected with versions 17 or 18. For these, we told the customer that they needed to upgrade immediately. All minus one (there always has to be one) did so; the last one refused (why? I paid my license a zillion years ago, why should I pay more, it's Claris' fault if there is a security flaw…). We sent him his databases and refunded the hosting.
So within 48h after we learnt about this flaw we were 99% safe, and after 5 days we were 100%.

Note that we received only thanks from our customers. They all understood that the flaw was so bad that they had to upgrade.

Seeing how many Server 14 to 18 instances are still accessible online, including those hosted by major providers, makes me realise that security isn’t being taken as seriously as it should be.

5 Likes
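The rule in the opening post (a minimum patched version per FileMaker Server branch) and the hosting provider's sweep described above (find every managed server below its branch's secured version and schedule it) are the same check applied at different scale. The script below is an added example, not code from anyone in this thread or from Claris: it parses version strings, looks up the minimum for the server's major branch, and triages a constructed inventory. The thresholds are copied from the posts here (19.6.4 from the opening post as the more conservative of the two 19.x figures given, 20.3.2 and 21.0 from the later posts) and are an assumption until confirmed against the vendor's own advisory; the hostnames and versions in the inventory are made up.

```python
"""Check a FileMaker Server inventory against per-branch minimum versions.

Added example. Thresholds are taken from the forum thread, not from a vendor
advisory, so treat MINIMUM_BY_BRANCH as an assumption to be verified.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Minimum patched release per major branch (assumption: values as stated in
# the thread; 19.6.4 is the more conservative of the two 19.x figures given).
MINIMUM_BY_BRANCH: Dict[int, Version] = {
    19: (19, 6, 4),
    20: (20, 3, 2),
    21: (21, 0, 0),
}

# Branches with no patched release in the table (e.g. 14 to 18 in the thread)
# are sent to the newest patched branch, matching the opening post's advice.
NEWEST_PATCHED: Version = MINIMUM_BY_BRANCH[max(MINIMUM_BY_BRANCH)]


def parse_version(text: str) -> Version:
    """Turn '19.6.3' or '21.0' into a comparable 3-tuple (missing parts are 0)."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums)) if len(nums) < 3 else nums


def format_version(v: Version) -> str:
    return ".".join(str(n) for n in v)


def required_upgrade(version: str) -> Optional[str]:
    """Return the version this server must reach, or None if it is already
    at or beyond the patched release of its branch.

    Branches newer than the table are assumed to postdate the fix; branches
    older than the table have no patched release and go to NEWEST_PATCHED.
    """
    v = parse_version(version)
    major = v[0]
    target = MINIMUM_BY_BRANCH.get(major)
    if target is None:
        if major > max(MINIMUM_BY_BRANCH):
            return None  # assumption: later branches already contain the fix
        target = NEWEST_PATCHED
    return None if v >= target else format_version(target)


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, current, target) for every server that still needs an
    upgrade, oldest version first so the riskiest servers are handled first."""
    findings = []
    for host, version in inventory:
        target = required_upgrade(version)
        if target is not None:
            findings.append((host, version, target))
    findings.sort(key=lambda f: parse_version(f[1]))
    return findings


# Constructed inventory for demonstration; hostnames and versions are made up.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("fms-hosted-01", "19.6.3"),
    ("fms-hosted-02", "20.3.2"),
    ("fms-self-03", "18.0.3"),
    ("fms-hosted-04", "21.0.1"),
    ("fms-self-05", "20.3"),
]

if __name__ == "__main__":
    for host, current, target in triage(SAMPLE_INVENTORY):
        print(f"{host}: {current} -> upgrade to {target}")
```

Feeding it the real list (from the admin console or the fmsadmin output, however you collect it) gives the same "who still needs to move, and to what" list the provider above worked through; the per-branch table is the only thing to maintain when the vendor publishes another fix.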

Wow. That shows a lot of courage. Great you take it seriously.
Basically set a minimum version you accept to host.

2 Likes

So for about 300 emails I sent on 10 November, I got nine emails back thanking me.
Nobody complained.

Today I'll email a reminder to 235 emails. I hope it helps to keep people using secure versions.

If you would be willing, I would love to see what email you sent. Either way, thanks for the topic and updates.

An email like this:

Hello Name,

Since you have an MBS Plugin from us running on your FileMaker server, we'd like to ask you to upgrade your server to a newer FileMaker version.

There was a security problem in FileMaker Server, which would allow anyone to query data from a server without authentication and without any logging.

Versions up to 19.6.3 and 20.0 to 20.3.1 are affected.

Please make sure you use version 20.3.2 or newer.

Learn more about this security problem:
FileMaker - FMS, bypass authorisation

Or watch this video on YouTube:
https://www.youtube.com/watch?v=SR8XfDb8qaY&t=2911s

I thought I should let you know.

Greetings
Christian

1 Like