Factory Firmware

[Csection]

Just wondering! I'm new to Asus Merlin, so I was wondering if I have to revert back to Asuswrt to get the security fixes that they added to their new firmware or does Asus-Merlin include those fixes.

 

[ColinTaylor]

See the changelog for security and other fixes.

http://asuswrt.lostrealm.ca/changelog

 

[Wutikorn]

Just wondering! I'm new to Asus Merlin, so I was wondering if I have to revert back to Asuswrt to get the security fixes that they added to their new firmware or does Asus-Merlin include those fixes.

It is not that slow for you to get security fixes of stock firmware if you are using AsusWRT Merlin. Most of the time it takes less than a month if you are not alpha/beta firmwares testers. However, if you participate in both alpha and beta testing, it's likely that you will get update of stock firmware within a week. I would say that a month is not that bad, in exchange with what you get from his firmware. Many parts of firmware in Asus stock firmware are not up to date, meaning that they are likely to be more vulnerable, compared to RMerlin's firmware such as OpenVPN, BusyBox and OpenSSL. Btw, Asus does good job updating firmware components as well, but RMerlin does better job as he also merge Asus's updates.

 

[Csection]

It is not that slow for you to get security fixes of stock firmware if you are using AsusWRT Merlin. Most of the time it takes less than a month if you are not alpha/beta firmwares testers. However, if you participate in both alpha and beta testing, it's likely that you will get update of stock firmware within a week. I would say that a month is not that bad, in exchange with what you get from his firmware. Many parts of firmware in Asus stock firmware are not up to date, meaning that they are likely to be more vulnerable, compared to RMerlin's firmware such as OpenVPN, BusyBox and OpenSSL. Btw, Asus does good job updating firmware components as well, but RMerlin does better job as he also merge Asus's updates.

I know it's better. I just wondered because Asus fixed a flaw in IExplorer and I use it cause Norton doesn't work well with Firefox anymore and I was wondering if IE was fixed in RM's firmware as well.
I don't want to revert back to Asuswrt. It's too much hassle.

Thank you for the reply

 

[Wutikorn]

I know it's better. I just wondered because Asus fixed a flaw in IExplorer and I use it cause Norton doesn't work well with Firefox anymore and I was wondering if IE was fixed in RM's firmware as well.

He will eventually merge it soon, I think. But for now you may want to keep an eye on this change log. It will show changes in alpha and beta firmware as well. If you see that he merge his firmware with GPL4164 or fix about your specific issue, you might want to try that alpha/beta test to see if that will help you. If the fix he include or merge doesn't fix the problem and you have time to spend, you can backup your setting and JFFS(if it's on), and try stock firmware, reset to default if needed, to see if there is any difference. If stock firmware is working, but not on AsusWRT Merlin firmware, you can let him know so that you will eventually have that problem fixed. After testing, you can revert back to AsusWRT Merlin and backup all your setting. Here is a link to blog about 380.65 Alpha 1 for now; I am not sure if he will change blog when alpha 2 comes.

 

[Csection]

He will eventually merge it soon, I think. But for now you may want to keep an eye on this change log. It will show changes in alpha and beta firmware as well. If you see that he merge his firmware with GPL4164 or fix about your specific issue, you might want to try that alpha/beta test to see if that will help you. If the fix he include or merge doesn't fix the problem and you have time to spend, you can backup your setting and JFFS(if it's on), and try stock firmware, reset to default if needed, to see if there is any difference. If stock firmware is working, but not on AsusWRT Merlin firmware, you can let him know so that you will eventually have that problem fixed. After testing, you can revert back to AsusWRT Merlin and backup all your setting. Here is a link to blog about 380.65 Alpha 1 for now; I am not sure if he will change blog when alpha 2 comes.

Thanks! I'll keep an eye out. I had read the changelog before upgrading. Then I saw that Asus had put out a new FW after I upgraded to 380.64 RMerlin. It is hard for me to upgrade/downgrade cause I catch Hell for taking down the connection.

 

[RMerlin]

I picked 4164's CSS/XSS protection, however I did not includet the other security patches because they completely break various functionality such as the Network Tools and the WOL pages.

Largely publicized/major security issues are often patched in my firmware before in the original because I have a shorter lead time between development and releasing (no complex design/develop/QA/validation/release process to go through, I'm a one-man show). Less public issues that get fixed by Asus have to wait until the next GPL merge - assuming I actually can merge it.

So in short: neither of us is always more up-to-date security-wise than the others. Sometimes I'm ahead of Asus (especially when involving updating OpenSSL/OpenVPN/dropbear etc...), sometimes theirs is (when involving internal code).

 

[Csection]

I picked 4164's CSS/XSS protection, however I did not includet the other security patches because they completely break various functionality such as the Network Tools and the WOL pages.

Largely publicized/major security issues are often patched in my firmware before in the original because I have a shorter lead time between development and releasing (no complex design/develop/QA/validation/release process to go through, I'm a one-man show). Less public issues that get fixed by Asus have to wait until the next GPL merge - assuming I actually can merge it.

So in short: neither of us is always more up-to-date security-wise than the others. Sometimes I'm ahead of Asus (especially when involving updating OpenSSL/OpenVPN/dropbear etc...), sometimes theirs is (when involving internal code).

Thank you for the reply!
I already figured yours was more secure. I just wondered about the fix to IExplorer as I use it because of the issures between Norton security and FF(No IDSafe with FF).

 

[RMerlin]

Thank you for the reply!
I already figured yours was more secure. I just wondered about the fix to IExplorer as I use it because of the issures between Norton security and FF(No IDSafe with FF).

I don't know, as I have no idea what the actual issue was, nor what was the fix.

The only thing I took from 4164 was the two lines of codes to implement XSS protection at the browser level.

 

[Csection]

I don't know, as I have no idea what the actual issue was, nor what was the fix.

The only thing I took from 4164 was the two lines of codes to implement XSS protection at the browser level.

Thanks again!
When I ran FF. I used "Noscript" which had builtin Xss blocking, but as stated, FF doesn't work with Norton IDSafe anymore(Sad!).