Secure Coding mailing list archives

Computerworld op/ed on vulnerability patch cycle


From: "Kenneth R. van Wyk" <Ken () KRvW com>
Date: Wed, 14 Apr 2004 00:11:00 +0100

FYI, I just saw an opinion piece on Computerworld written by Bill Addington 
called "Slow down the security patch cycle".  (See 
http://www.computerworld.com/printthis/2004/0,4814,92037,00.html for full 
story.)  In the article, the author discusses some possible solutions for 
improving the distribution of vulnerability and patch information.  

For example, he says, "In one possible scenario, software owners would 
subscribe to an automated patch service. Those without a subscription would 
receive the patch through current means, but it would expose those users to 
greater risk. Subscribers would receive a predeployed, encrypted version of 
the patch. At a predetermined point, a decryption key would be passed to a 
patch installer on all subscribed systems."

Now, I'm not at all convinced that this would solve any problems -- IMHO, it 
would create more than it solves.  In particular, he's advocating this 
slowing down of patch distribution in response to the recent Witty worm, 
which hit the net just a day or so after ISS put out their patch for the 
vulnerabilities in their products.

Also, I believe that the author is too focused on an operations-only solution 
set to vulnerability issues, IMHO.

Cheers,

Ken van Wyk
http://www.krvw.com