Security Basics mailing list archives
Re: Patching
From: Florian Streck <streck () papafloh de>
Date: Mon, 20 Oct 2003 18:53:42 +0200
On Mon, Oct 20, 2003 at 10:12:29AM +0200, Alessandro Bottonelli wrote:
> A thought has been crossing my mind for a long time, I'd like to confront it with the list. In the "old days" a patch and/or fix was defined as "something that closes a known hole and opens ten unknown holes" :-)
>
> Yet, literature and common practices keep saying we should maintain our systems and network appliances up to date with the last patches / software releases. WHY should I feel safer that way? How can I tell Rev. 1.3 is any better (security-wise) than Rev. 1.2? Is the cost (financial and others) of change management worth it? If so, how can I measure such worthiness?
>
> -- Alessandro Bottonelli
You should feel safer, because the hole that the patch was made for is already known and exploits might come up in a very short time. The holes that are possibly introduced by the patch aren't yet known (hopefully), and so your system will be safe for a while, until those holes are discovered. And, assuming a patch closes one hole and introduces at most one new hole, the number of holes decreases. I'm not very familiar with the number of new holes that are opened through patching, but I can't imagine (blessed ignorance ;-) that patches are that bad.

Florian Streck
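The argument above (a known hole is exploitable soon, holes introduced by a patch must first be discovered) can be put into a small expected-exposure model. The following is an added example, not code from the thread or from either poster; the daily probabilities, the independence of the new holes and the rule that an exploit can only appear after a hole has been discovered are all modelling assumptions chosen for illustration.

```python
"""Toy model of the 'patch vs. don't patch' trade-off discussed in the thread.

Assumptions (not from the original post, chosen for illustration):
  * Unpatched: one publicly known hole exists from day 1. Each day an exploit
    for it appears with probability p_exploit (a known hole is exploited soon).
  * Patched:   the known hole is gone; the patch may add `new_holes` unknown
    holes. Each becomes publicly known with daily probability p_discover and,
    once known, gets an exploit with daily probability p_exploit, starting the
    day after discovery. Holes are treated as independent.
  * 'Exposure' on a day means at least one hole has a working exploit by then.
The function returns the expected number of exposed days over the horizon.
"""


def _p_exploit_by(days: int, p_exploit: float) -> float:
    """P(an exploit has appeared within `days` daily trials)."""
    return 1.0 - (1.0 - p_exploit) ** days if days > 0 else 0.0


def _p_unknown_hole_exploited_by(t: int, p_discover: float, p_exploit: float) -> float:
    """P(one unknown hole was discovered on some day d < t and exploited by day t)."""
    total = 0.0
    for d in range(1, t):  # discovery day d, exploit process runs on days d+1..t
        p_discovered_on_d = (1.0 - p_discover) ** (d - 1) * p_discover
        total += p_discovered_on_d * _p_exploit_by(t - d, p_exploit)
    return total


def exposure_days(patch: bool, horizon_days: int, p_exploit: float,
                  new_holes: int = 1, p_discover: float = 0.02) -> float:
    """Expected number of days (1..horizon_days) on which an exploit exists."""
    expected = 0.0
    for t in range(1, horizon_days + 1):
        if not patch:
            # The known hole is public from day 1; exploit trials run on days 1..t.
            p_exposed = _p_exploit_by(t, p_exploit)
        else:
            q = _p_unknown_hole_exploited_by(t, p_discover, p_exploit)
            p_exposed = 1.0 - (1.0 - q) ** new_holes  # at least one of n holes
        expected += p_exposed
    return expected


def compare(horizon_days: int = 90, p_exploit: float = 0.2,
            new_holes: int = 1, p_discover: float = 0.02) -> dict:
    """Side-by-side expected exposure for the two policies under one scenario."""
    return {
        "unpatched": exposure_days(False, horizon_days, p_exploit),
        "patched": exposure_days(True, horizon_days, p_exploit, new_holes, p_discover),
    }


if __name__ == "__main__":
    for holes in (1, 2, 10):  # 'closes one hole, opens ten' from the quoted saying
        result = compare(new_holes=holes)
        print(f"new_holes={holes:2d}  unpatched={result['unpatched']:.1f} days  "
              f"patched={result['patched']:.1f} days")
```

The model only makes Florian's point explicit: as long as a patch's new holes need time to be discovered before they can be exploited, patching lowers expected exposure even when it adds several holes, and the `new_holes=10` case shows how many holes a patch would have to add, at a given discovery rate, before that stops being true.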
Current thread:
- Patching Alessandro Bottonelli (Oct 20)
- RE: Patching Raoul Armfield (Oct 20)
- Re: Patching Florian Streck (Oct 20)
- Re: Patching Meritt James (Oct 20)
- RE: Patching Alexander Suhovey (Oct 21)
- Re: Patching Meritt James (Oct 21)
- Re: Patching Meritt James (Oct 20)
- Re: Patching Alessandro Bottonelli (Oct 20)
- Re: Patching Ansgar -59cobalt- Wiechers (Oct 21)
- Re: Patching Alessandro Bottonelli (Oct 21)
- Re: Patching Ansgar -59cobalt- Wiechers (Oct 22)
- RE: Patching Graydon McKee (Oct 22)
- Re: Patching Ansgar -59cobalt- Wiechers (Oct 21)