Security Incidents mailing list archives

Re: Releasing patches is bad for security


From: mgotts () 2roads com
Date: Thu, 26 Feb 2004 13:28:01 -0800

Chris Brenton <cbrenton () chrisbrenton org> wrote on 02/26/2004 10:31:03 AM:

The story quotes David Aucsmith, who is in charge of technology at
Microsoft's security business and technology unit as stating:

"We have never had vulnerabilities exploited before the patch was
known,"

I'm sure from his perspective that is true (or at least he believes it is 
true). But, there is a logic flaw in the statement, because there is no 
way for him to know if a vulnerability has not been exploited prior to the 
patch. It's impossible. You can't prove the nonexistence of something; you 
can only prove its existence. All you can say is that you *don't know* of 
an incident where it was exploited prior to the patch.

The story then goes on to talk about how vulnerabilities are always
reverse engineered from patches. It really sounds to me like he's saying
that patches are *the* problem and if only Microsoft would stop
releasing patches, then all the security issues would just go away.

I'd suspect that most of the huge worm attacks we've seen would probably 
not have happened without the vulnerability announcement and patch. Lots 
of the vulnerabilities are discovered by chance (due to the statistical 
increase of millions of people using some piece of software) or by the 
work of skilled, dedicated researchers looking for the flaws. I'd imagine 
that most of the worm/virus programmers do not have the same range of 
experience or skill to find most of these on their own. They wait until a 
vulnerability is announced, and then study it to create an exploit.

Microsoft has already dropped down to a monthly patch system. Even then
they have already been skipping months. Could this be early PR spin to
justify not releasing security patches? 

There are two takes on vulnerability announcements and patches to fix 
them:

1) For those of us that spend the time and resources to stay on top of the 
issue (we hope), I like having the system be as secure as possible, 
regardless of whether the exploit is real or hypothetical.

2) For a vendor such as Microsoft that has TONS of inexperienced 
consumer-level customers, I'm sure that the MS folks just sit and wait 
after a patch announcement for the new vulnerability that exploits it. 
Their userbase will never, IMHO, of their own accord keep their PCs 
patched. Never. And even if 95% did, that 5% is still millions of 
vulnerable machines.

I don't think either side is 'wrong'. It's just that each side (the vendor 
and the experienced customer) has two different, legitimate points of 
view.

And then there is the whole issue of 'vulnerability researchers' who are, 
to some extent, hunting for holes for their own self interest (either ego 
and/or for the benefit of their security company, which gains prestige by 
finding lots of vulnerabilities). But that is a whole different topic.

I always view with skepticism every statement that rolls out of the 
Microsoft PR machine. This is no different, but their point of view is not 
entirely invalid. It's just that their desires and mine, in this case, 
don't coincide.

-- Mark
