Microsoft Black Wednesday

Dominic White

 
Random Entry: Cryptospotting
< Patch Tuesday | Absence >

Microsoft Black Wednesday

I got this from yesterday's ISC handler's diary. Is it better to release a patch as soon as possible after a vulnerability, mark it as unstable until it can be properly tested, then move it to stable when it is, or to release them all once a month?

There are problems with both models, not the least of which is how much information you are releasing to attackers as most exploits we are seeing are reverse engineered from the patch. However, is it better to deal with one or two exploits over a month or deal with them all for a day or two (or three), and does not releasing the patch for a month actually prevent people from coding exploits?

If you have been reading this blog for much time at all you would know my answers to these questions. I would like to hear yours however.

Friday, April 15. 2005
Posted by Dominic White in Masters
Comments (2) | Trackback (1)

Last modified on 2005-07-28 08:52
 

Trackbacks
Trackback specific URI for this entry

Microsoft Patches a month late
I just pointed this out in my last entry, but I felt it deserved its own entry. I once discussed the trade-off inherent in introducing a patch schedule, and I have said it before (one, two, three). The latest patches from Microsoft fix some vulnerabilit
Weblog: Dominic White's .tHE pRODUCT
Tracked: Dec 15, 17:52

Comments
Display comments as (Linear | Threaded)

#1 Kyle wrote (Link) (Reply)
Posted on Sunday, April 17. 2005
One of your assumptions (that exploits come from reverse engineering the patches) is not necessarily true. The logical conclusion to that would be that systems would stay most secure by never patching the vulnerabilities, as in that case there wouldn't be exploits and thus no threat. This isn't true, though; many researchers choose not to release the exploit until a patch is also released (though there's no requirement on them to do so), and there are exploits frequently published before exploits are available, even for Microsoft products. With all that, I'm curious why Microsoft takes so much longer than most other vendors (including Free/open source software) to release patches. Testing is one thing, but sometimes a vulnerability is know for six months or longer before it's patched. The window of vulnerability begins way before the patch is released, no matter what the party line may be, and so this is a disservice to customers (including myself, as I'm a security architect for a multinational telecom). All that notwithstanding, this is the first time I've run across your blog, and I've subscribed to it as it looks interesting and worthwhile.
 
#1.1 Dominic White wrote (Link) (Reply)
Posted on Sunday, April 17. 2005
My assumption about the reverse engineering was not meant to say this is the only way exploits are discovered. I meant to point out that releasing too much information before an effective patch (i.e. a stable one) is available is more likely to help the black hats. As for Microsoft, I think their patching is improving a lot, but isn't quite near where it should be. At most Microsoft shouldn't take more than a month to patch a vulnerability. They have the monthly release cycle to make scheduling easier for the average sysadmin. I think a month or even half a month is way too long and they should be releasing best efforts as soon as possible. In the open source world this would work much better as the ease of patch submission and modification is greater. Thanks for the subscription :)
 

Add Comment

E-Mail addresses will not be displayed and will only be used for E-Mail notifications.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA