Re: Releasing patches is bad for security

From: Joe Miller (joseph-p-miller_at_cox.net)
Date: 02/28/04


To: Chris Brenton <cbrenton@chrisbrenton.org>, incidents@securityfocus.com
Date: Sat, 28 Feb 2004 14:48:37 -0500

I would hope MS has hundreds of the brightest software engineers specifically focused on finding security flaws in all of their software. They should also hire third party security engineers to do the same until all security holes are discovered, code rewrites planned, designed and deployed before the company chokes to death on its own mistakes. They certainly have enough liquid assets to do so.
They also have enough cash to then hire the brightest security and software engineers to develop OSes and Applications while incorporating security specs, reasonable care and due diligence. Developing the security controls with the OS and applications is the only way Microsoft will survive as a software company of the future.

============================================================
From: Chris Brenton <cbrenton@chrisbrenton.org>
Date: 2004/02/26 Thu PM 01:31:03 EST
To: incidents@securityfocus.com
Subject: Releasing patches is bad for security

Greets all,

This is just such a hoot I had to share:
http://news.bbc.co.uk/1/hi/technology/3485972.stm

The story quotes David Aucsmith, who is in charge of technology at
Microsoft's security business and technology unit as stating:

"We have never had vulnerabilities exploited before the patch was
known,"

The story then goes on to talk about how vulnerabilities are always
reverse engineered from patches. It really sounds to me like he's saying
that patches are *the* problem and if only Microsoft would stop
releasing patches, then all the security issues would just go away.

Microsoft has already dropped down to a monthly patch system. Even then
they have already been skipping months. Could this be early PR spin to
justify not releasing security patches?

C
