This is something I have spoken about before, but it is nice to have a big vendor backing me up. Releasing patches on a regular schedule doesn't make sense. The argument for it is that it makes things easier for firms as they can schedule their patching. The argument against is quite simply that it provides too much time for an attacker to exploit a vulnerability. Releasing patches when they are ready and as soon as possible is a far better idea.
Sun Microsystems has impressed me hugely with their patch strategy. They release temporary patches (T-patches) as soon as a patch is ready to fix a vulnerability. Once it is stable they release it properly. Then twice a month they provide two bundles (what they call clusters): a security alert cluster, which contains the smallest amount of change necessary to fix vulnerabilities (i.e. it might not be the latest revision of a patch, and it is usually only security fixes), and the recommended patch cluster, which contains all the patches required to fully update an OS.
Thus they provide optional flexibility, allowing a firm to set its own patch management schedule and introduce as little or as much change as the firm deems necessary. Further, they make that task easier by providing clusters, without compromising their security by withholding patches unnecessarily.


I just pointed this out in my last entry, but I felt it deserved its own entry. I once discussed the trade-off inherent in introducing a patch schedule, and I have said it before (one, two, three). The latest patches from Microsoft fix some vulnerabilit
Tracked: Dec 15, 17:52