Right, Oracle has it horribly wrong. They keep doing this and really should just start fixing vulnerabilities that are reported to them. You can't sit on them indefinitely. Microsoft doesn't sit on them indefinitely, but it also seems to think it can hold on to patches for a fair bit of time.
The reason why you can't do this is simple: "We don't know if determined attackers can already exploit these vulnerabilities."
There are caveats to this, of course. You don't want to rush out a poor patch that breaks everything, and you don't want to encourage reverse engineering of the patch. The first problem is easier than the second: there are numerous ways big companies can throw money at testing infrastructure to make the problem more of a hiccup. The second problem, however, degrades into a tradeoff: patch ASAP and risk large-scale worm-type situations on the increased number of unpatched machines, or patch monthly and lower the number of mass compromises but increase the risk from determined attackers. Determined attackers are the worst kind; they are the kind who engage in espionage, sabotage and other sorts of clandestine activity.
Now, in a world with on-the-ball security officers and decent edge defenses, the second would be the best option: you would be patched before a mass compromise could occur, and you could use edge defenses such as firewalls, IDS, anti-malware etc. to hold the fort during testing. I don't think that is an unattainable ideal. The other option makes it easier for your typical overworked sysadmin to patch and defend against automated exploitation, but leaves them vulnerable to the determined attacker.
If we had some knowledge of whether there are secret exploits out there, this would be an easier decision, but we aren't going to get hold of that information any time soon. So this leaves us in a situation where:
- Scheduled patching will result in fewer intrusions overall.
- ASAP patching will result in fewer (though possibly more damaging) intrusions in those organisations with good security practices.
UPDATE: Pete Finnigan, an Oracle security blogger finds this interesting. Thanks Pete.