Re: Releasing patches is bad for security

mgotts_at_2roads.com
Date: 02/26/04

    To: Chris Brenton <cbrenton@chrisbrenton.org>
    Date: Thu, 26 Feb 2004 13:28:01 -0800

    Chris Brenton <cbrenton@chrisbrenton.org> wrote on 02/26/2004 10:31:03 AM:

    > The story quotes David Aucsmith, who is in charge of technology at
    > Microsoft's security business and technology unit as stating:
    >
    > "We have never had vulnerabilities exploited before the patch was
    > known,"

    I'm sure from his perspective that is true (or at least he believes it is
    true). But, there is a logic flaw in the statement, because there is no
    way for him to know if a vulnerability has not been exploited prior to the
    patch. It's impossible. You can't prove the nonexistence of something; you
    can only prove its existence. All you can say is that you *don't know* of
    an incident where it was exploited prior to the patch.

    > The story then goes on to talk about how vulnerabilities are always
    > reverse engineered from patches. It really sounds to me like he's saying
    > that patches are *the* problem and if only Microsoft would stop
    > releasing patches, then all the security issues would just go away.

    I'd suspect that most of the huge worm attacks we've seen would probably
    not have happened without the vulnerability announcement and patch. Lots
    of the vulnerabilities are discovered by chance (due to the statistical
    increase of millions of people using some piece of software) or by the
    work of skilled, dedicated researchers looking for the flaws. I'd imagine
    that most of the worm/virus programmers do not have the same range of
    experience or skill to find most of these on their own. They wait until a
    vulnerability is announced, and then study it to create an exploit.

    > Microsoft has already dropped down to a monthly patch system. Even then
    > they have already been skipping months. Could this be early PR spin to
    > justify not releasing security patches?

    There are two takes on vulnerability announcements and patches to fix
    them:

    1) For those of us that spend the time and resources to stay on top of the
    issue (we hope), I like having the system be as secure as possible,
    regardless of whether the exploit is real or hypothetical.

    2) For a vendor such as Microsoft that has TONS of inexperienced
    consumer-level customers, I'm sure that the MS folks just sit and wait
    after a patch announcement for the new vulnerability that exploits it.
    Their userbase will never, IMHO, of their own accord keep their PCs
    patched. Never. And even if 95% did, that 5% is still millions of
    vulnerable machines.

    I don't think either side is 'wrong'. It's just that each side (the vendor
    and the experienced customer) has two different, legitimate points of
    view.

    And then there is the whole issue of 'vulnerability researchers' who are,
    to some extent, hunting for holes for their own self interest (either ego
    and/or for the benefit of their security company, which gains prestige by
    finding lots of vulnerabilities). But that is a whole different topic.

    I always view with skepticism every statement that rolls out of the
    Microsoft PR machine. This is no different, but their point of view is not
    entirely invalid. It's just that their desires and mine, in this case,
    don't coincide.

    -- Mark
