Security Basics mailing list archives

Re: Patching


From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Tue, 21 Oct 2003 10:33:28 +0200

On 2003-10-20 Alessandro Bottonelli wrote:
> OK, so the main idea I get from the list is: a known hole is fixed and
> the others are (for the moment) unknown. Therefore, patching is a good
> idea.
>
> Hmmmm. I am not convinced yet that all this makes sense from a "wider"
> security perspective. Must a vulnerability / hole be known to be a
> risk?

Yes.

> Security risks do not all come from "out there" and "bad guys" trying
> to exploit a vulnerability. System errors, data loss may very well
> occur from holes that are very unknown (or very honest operators that
> make mistakes).

Not very likely. The occasional malcontent user is much more of a
problem than that. IMHO.

> Once I get a very well oiled and stable infrastructure, I personally
> suffer every time I have to disturb that balance. There's a lot of
> interdependability among the various elements of the whole system.
> Application X at release n.m needs Middleware Y at release j.k that in
> turn requires OS Z at release l.m that in turn.... every time I touch
> something I feel that I have no control (but that could be just me) of
> where the ripples are going to end up.

Patches breaking software are a different kind of trouble. That's not
(directly) security related.

My 0.02 $CURRENCY.

Regards
Ansgar Wiechers
