Re: [ISN] Patching is the problem, says Microsoft

From: InfoSec News (isnat_private)
Date: Sun May 04 2003 - 23:58:13 PDT


    Forwarded from: Kurt Seifried <kurtat_private>
    
    Keeping AV definitions up to date is essentially patching (hint: those
    virus definitions aren't kept one to a file). The only difference is
    that the AV industry has figured out how to patch stuff safely and
    correctly. The major players even update the engines and other core
    components, not just the signatures automatically now as well.
    
    This isn't to say I'm blaming Microsoft completely, I mean the amount
    of work they must go through in order to ensure a patch maintains
    backwards compatibility and doesn't break anything major is
    horrifying. Having said that they could have been more intelligent
    about designing the system, things like IIS requiring Internet
    Explorer to be installed so that Java can be supported, Outlook
    Express providing MHTML support or file locking that makes it
    incredibly easy to lock files but almost impossible to pry those locks
    off have left Microsoft painted into a nasty corner.
    
    As well patching is always going to leave you behind the curve, just
    like Anti-Virus definitions. The time needed for someone to notice the
    new security flaw/virus in the wild, report it to the vendor, for the
    vendor to confirm it, create a patch, test it, and then make said
    patch available is minimum several hours, sometimes several years. Add
    to this the user's time requirement (identify new security
    vulnerability, see if it applies to systems, if yes does a fix exist,
    if yes is it going to cause problems, if no actually deploy it, etc.).
    
    Personally I don't think this is a very sane future.
    
    Kurt Seifried, kurtat_private
    A15B BEE5 B391 B9AD B0EF
    AEB0 AD63 0B4E AD56 E574
    http://seifried.org/security/
    
    
    
    



    This archive was generated by hypermail 2b30 : Mon May 05 2003 - 02:31:48 PDT