Information Security News mailing list archives

Re: Patching is the problem, says Microsoft


From: InfoSec News <isn () c4i org>
Date: Mon, 5 May 2003 01:58:13 -0500 (CDT)

Forwarded from: Kurt Seifried <kurt () seifried org>

Keeping AV definitions up to date is essentially patching (hint: those
virus definitions aren't kept one to a file). The only difference is
that the AV industry has figured out how to patch stuff safely and
correctly. The major players even update the engines and other core
components, not just the signatures automatically now as well.

This isn't to say I'm blaming Microsoft completely, I mean the amount
of work they must go through in order to ensure a patch maintains
backwards compatibility and doesn't break anything major is
horrifying. Having said that they could have been more intelligent
about designing the system, things like IIS requiring Internet
Explorer to be installed so that Java can be supported, Outlook
Express providing MHTML support or file locking that makes it
incredibly easy to lock files but almost impossible to pry those locks
off have left Microsoft painted into a nasty corner.

As well patching is always going to leave you behind the curve, just
like Anti-Virus definitions. The time needed for someone to notice the
new security flaw/virus in the wild, report it to the vendor, for the
vendor to confirm it, create a patch, test it, and then make said
patch available is at minimum several hours, sometimes several years. Add
to this the user's time requirement (identify new security
vulnerability, see if it applies to systems, if yes does a fix exist,
if yes is it going to cause problems, if no actually deploy it, etc.).

Personally I don't think this is a very sane future.

Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/


