RE: Releasing patches is bad for security
From: Dozal, Tim (tdozal_at_cisco.com)
Date: 03/01/04
- Previous message: Zachary Mutrux: "RE: A basic Question from a new bie!!"
- Maybe in reply to: Mike Barushok: "RE: Releasing patches is bad for security"
- Next in thread: Jerry Shenk: "RE: Releasing patches is bad for security"
- Reply: Jerry Shenk: "RE: Releasing patches is bad for security"
- Reply: Valdis.Kletnieks_at_vt.edu: "Re: Releasing patches is bad for security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 1 Mar 2004 14:40:40 -0800
To: "Joe Miller" <joseph-p-miller@cox.net>, "Chris Brenton" <cbrenton@chrisbrenton.org>, <incidents@securityfocus.com>
The question to ask yourself is: do the vulnerabilities get exploited
before or after MS releases the patches? I think for Code Red/Nimda MS
posted a patch and some 300ish days later the worm hit. Then move ahead
a year: the Blaster patch is released, then some 18 days later the worm
hits. If you take what MS is saying about the worm-following-patch
trend, I think it's accurate. The problem then is how to release patches
in such a way as to allow large IT organizations the time
to deploy them before the worm hits.
The recent steps to stick to a patch cycle have helped me, and probably
many others, to set dates for MS patches ahead of hearing about them the
morning they are released. If on the 2nd Tuesday of the month nothing
is released, great: no IT patch deployment, I'm happy. However, if
something is released, then it's expected and has been planned for ahead
of time, no shock.
Asking for software to be bug free is NEVER going to happen. It's just
not the way the industry works. If you look at anything, even Linux, it
has tons of bugs; they get fixed over time. Companies hire the best
available talent from the available resource pools and do what they can to
make money; it's a business.
RE:
> I would hope MS has hundreds of the brightest software engineers
> specifically focused on finding security flaws in all of their software.
> They should also hire third party security engineers
They do, I've met many of them, but as good as they might be they will
never find everything; it's a reality of the industry.
Tim
-----Original Message-----
From: Joe Miller [mailto:joseph-p-miller@cox.net]
Sent: Saturday, February 28, 2004 11:49 AM
To: Chris Brenton; incidents@securityfocus.com
Subject: Re: Releasing patches is bad for security
I would hope MS has hundreds of the brightest software engineers
specifically focused on finding security flaws in all of their software.
They should also hire third party security engineers to do the same
until all security holes are discovered and code rewrites are planned, designed
and deployed before the company chokes to death on its own mistakes.
They certainly have enough liquid assets to do so.
They also have enough cash to then hire the brightest security and
software engineers to develop OSes and applications while incorporating
security specs, reasonable care and due diligence. Developing the
security controls with the OS and applications is the only way Microsoft
will survive as a software company of the future.
============================================================
From: Chris Brenton <cbrenton@chrisbrenton.org>
Date: 2004/02/26 Thu PM 01:31:03 EST
To: incidents@securityfocus.com
Subject: Releasing patches is bad for security
Greets all,
This is just such a hoot I had to share:
http://news.bbc.co.uk/1/hi/technology/3485972.stm
The story quotes David Aucsmith, who is in charge of technology at
Microsoft's security business and technology unit, as stating:
"We have never had vulnerabilities exploited before the patch was known,"
The story then goes on to talk about how vulnerabilities are always
reverse engineered from patches. It really sounds to me like he's saying
that patches are *the* problem and if only Microsoft would stop
releasing patches, then all the security issues would just go away.
Microsoft has already dropped down to a monthly patch system. Even then
they have already been skipping months. Could this be early PR spin to
justify not releasing security patches?
C