Security Incidents mailing list archives
Re: Releasing patches is bad for security
From: mgotts () 2roads com
Date: Thu, 26 Feb 2004 13:28:01 -0800
Chris Brenton <cbrenton () chrisbrenton org> wrote on 02/26/2004 10:31:03 AM:
The story quotes David Aucsmith, who is in charge of technology at Microsoft's security business and technology unit as stating: "We have never had vulnerabilities exploited before the patch was known,"
I'm sure from his perspective that is true (or at least he believes it is true). But, there is a logic flaw in the statement, because there is no way for him to know if a vulnerability has not been exploited prior to the patch. It's impossible. You can't prove the nonexistence of something; you can only prove its existence. All you can say is that you *don't know* of an incident where it was exploited prior to the patch.
The story then goes on to talk about how vulnerabilities are always reverse engineered from patches. It really sounds to me like he's saying that patches are *the* problem and if only Microsoft would stop releasing patches, then all the security issues would just go away.
I'd suspect that most of the huge worm attacks we've seen would probably not have happened without the vulnerability announcement and patch. Lots of the vulnerabilities are discovered by chance (due to the statistical increase of millions of people using some piece of software) or by the work of skilled, dedicated researchers looking for the flaws. I'd imagine that most of the worm/virus programmers do not have the same range of experience or skill to find most of these on their own. They wait until a vulnerability is announced, and then study it to create an exploit.
Microsoft has already dropped down to a monthly patch system. Even then they have already been skipping months. Could this be early PR spin to justify not releasing security patches?
There are two takes on vulnerability announcements and patches to fix them:

1) For those of us that spend the time and resources to stay on top of the issue (we hope), I like having the system be as secure as possible, regardless of whether the exploit is real or hypothetical.

2) For a vendor such as Microsoft that has TONS of inexperienced consumer-level customers, I'm sure that the MS folks just sit and wait after a patch announcement for the new vulnerability that exploits it. Their userbase will never, IMHO, of their own accord keep their PCs patched. Never. And even if 95% did, that 5% is still millions of vulnerable machines.

I don't think either side is 'wrong'. It's just that each side (the vendor and the experienced customer) has two different, legitimate points of view. And then there is the whole issue of 'vulnerability researchers' who are, to some extent, hunting for holes for their own self-interest (either ego and/or for the benefit of their security company, which gains prestige by finding lots of vulnerabilities). But that is a whole different topic.

I always view with skepticism every statement that rolls out of the Microsoft PR machine. This is no different, but their point of view is not entirely invalid. It's just that their desires and mine, in this case, don't coincide.

-- Mark
Current thread:
- Releasing patches is bad for security Chris Brenton (Feb 26)
- RE: Releasing patches is bad for security Dave Paris (Feb 26)
- Re: Releasing patches is bad for security Clint Bodungen (Feb 26)
- RE: Releasing patches is bad for security Curt Purdy (Feb 26)
- Re: Releasing patches is bad for security Pall Thayer (Feb 26)
- Re: Releasing patches is bad for security mgotts (Feb 26)
- RE: Releasing patches is bad for security Ross M. W. Bennetts (Feb 26)
- RE: Releasing patches is bad for security Brian Taylor (Feb 29)
- RE: Releasing patches is bad for security Ross M. W. Bennetts (Feb 26)
- Re: Releasing patches is bad for security james (Feb 26)
- RE: Releasing patches is bad for security ELLIS, STEVEN (Feb 27)
- Re: Releasing patches is bad for security james (Feb 27)
- Re: Releasing patches is bad for security Meritt James (Feb 27)
- RE: Releasing patches is bad for security ELLIS, STEVEN (Feb 27)
- <Possible follow-ups>
- RE: Releasing patches is bad for security Gary Nichols (Feb 26)
- Re: Releasing patches is bad for security Joe Miller (Feb 29)