RE: Releasing patches is bad for security

From: Dozal, Tim (tdozal_at_cisco.com)
Date: 03/01/04

    Date: Mon, 1 Mar 2004 14:40:40 -0800
    To: "Joe Miller" <joseph-p-miller@cox.net>, "Chris Brenton" <cbrenton@chrisbrenton.org>, <incidents@securityfocus.com>

    The question to ask yourself is whether the vulnerabilities get exploited
    before or after MS releases the patches. I think for Code Red/Nimda MS
    posted a patch and some 300ish days later the worm hit. Then move ahead
    a year and the Blaster patch is released, then some 18 days later the worm
    hits. If you take what MS is saying about the worm-following-patch
    trend, I think it's accurate. The problem then is how to release patches
    in such a way as to allow large IT organizations the time to deploy
    them before the worm hits.

    The recent steps to stick to a patch cycle have helped me and probably
    many others to set dates for MS patches ahead of hearing about them the
    morning they are released. If on the 2nd Tuesday of the month nothing
    is released, great, no IT patch deployment, I'm happy. However, if
    something is released, then it's expected and has been planned for ahead
    of time, no shock.

    Asking for software to be bug free is NEVER going to happen. It's just
    not the way the industry works. If you look at anything, even Linux, it
    has tons of bugs; they get fixed over time. Companies hire the best
    available talent from the available resource pools and do what they can to
    make money; it's a business.

    RE:
    I would hope MS has hundreds of the brightest software engineers
    specifically focused on finding security flaws in all of their software.
    They should also hire third party security engineers

    They do; I've met many of them. But as good as they might be, they will
    never find everything; it's a reality of the industry.

    Tim

    -----Original Message-----
    From: Joe Miller [mailto:joseph-p-miller@cox.net]
    Sent: Saturday, February 28, 2004 11:49 AM
    To: Chris Brenton; incidents@securityfocus.com
    Subject: Re: Releasing patches is bad for security

    I would hope MS has hundreds of the brightest software engineers
    specifically focused on finding security flaws in all of their software.
    They should also hire third party security engineers to do the same
    until all security holes are discovered, code rewrites planned, designed
    and deployed before the company chokes to death on its own mistakes.
    They certainly have enough liquid assets to do so.
    They also have enough cash to then hire the brightest security and
    software engineers to develop OSes and applications while incorporating
    security specs, reasonable care and due diligence. Developing the
    security controls with the OS and applications is the only way Microsoft
    will survive as a software company of the future.

    ============================================================
    From: Chris Brenton <cbrenton@chrisbrenton.org>
    Date: 2004/02/26 Thu PM 01:31:03 EST
    To: incidents@securityfocus.com
    Subject: Releasing patches is bad for security

    Greets all,

    This is just such a hoot I had to share:
    http://news.bbc.co.uk/1/hi/technology/3485972.stm

    The story quotes David Aucsmith, who is in charge of technology at
    Microsoft's security business and technology unit as stating:

    "We have never had vulnerabilities exploited before the patch was
    known,"

    The story then goes on to talk about how vulnerabilities are always
    reverse engineered from patches. It really sounds to me like he's saying
    that patches are *the* problem and if only Microsoft would stop
    releasing patches, then all the security issues would just go away.

    Microsoft has already dropped down to a monthly patch system. Even then
    they have already been skipping months. Could this be early PR spin to
    justify not releasing security patches?

    C

    
