Secure Coding mailing list archives
Computerworld op/ed on vulnerability patch cycle
From: "Kenneth R. van Wyk" <Ken () KRvW com>
Date: Wed, 14 Apr 2004 00:11:00 +0100
FYI, I just saw an opinion piece on Computerworld written by Bill Addington called "Slow down the security patch cycle". (See http://www.computerworld.com/printthis/2004/0,4814,92037,00.html for the full story.)

In the article, the author discusses some possible solutions for improving the distribution of vulnerability and patch information. For example, he says, "In one possible scenario, software owners would subscribe to an automated patch service. Those without a subscription would receive the patch through current means, but it would expose those users to greater risk. Subscribers would receive a predeployed, encrypted version of the patch. At a predetermined point, a decryption key would be passed to a patch installer on all subscribed systems."

Now, I'm not at all convinced that this would solve any problems -- IMHO, it would create more than it solves. In particular, he's advocating this slowing down of patch distribution in response to the recent Witty worm, which hit the net just a day or so after ISS put out their patch for the vulnerabilities in their products.

Also, I believe that the author is too focused on an operations-only solution set to vulnerability issues, IMHO.

Cheers,

Ken van Wyk
http://www.krvw.com
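The "predeployed, encrypted patch plus later key release" scenario quoted in the post, worked through as an added example that is neither Ken's code nor anything from the Computerworld piece: a vendor stages an AES-GCM-encrypted, Ed25519-signed bundle on subscribers ahead of time, then releases a signed key bound to that bundle ID, and the installer refuses to decrypt unless both the staged blob and the key release verify. The type and function names, the 32-byte key and 12-byte nonce, and the use of Ed25519 and AES-GCM are all assumptions for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Bundle is pre-deployed to subscribers: the patch encrypted under a key the vendor withholds, signed so the staged blob cannot be swapped on the host.
type Bundle struct{ ID uint32; Nonce, Box, Sig []byte }
// Release is the later key-release message, signed and bound to one bundle ID.
type Release struct{ ID uint32; Key, Sig []byte }

// msg builds a domain-separated message: label || big-endian id || parts.
func msg(label string, id uint32, parts ...[]byte) []byte {
	m := append([]byte(label), byte(id>>24), byte(id>>16), byte(id>>8), byte(id))
	for _, p := range parts {
		m = append(m, p...)
	}
	return m
}

func aead(key []byte) cipher.AEAD {
	blk, _ := aes.NewCipher(key) // 32-byte key: cannot fail
	g, _ := cipher.NewGCM(blk)
	return g
}

// Stage encrypts and signs a patch; the Bundle ships now, the Release is held back until the predetermined deployment time.
func Stage(priv ed25519.PrivateKey, id uint32, patch []byte) (Bundle, Release) {
	key, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(key)
	rand.Read(nonce)
	box := aead(key).Seal(nil, nonce, patch, msg("bundle", id))
	b := Bundle{id, nonce, box, ed25519.Sign(priv, msg("bundle", id, nonce, box))}
	return b, Release{id, key, ed25519.Sign(priv, msg("release", id, key))}
}

// Install is the subscriber's installer: it rejects a blob or key the vendor did not sign, and a key issued for a different bundle.
func Install(pub ed25519.PublicKey, b Bundle, r Release) ([]byte, error) {
	if !ed25519.Verify(pub, msg("bundle", b.ID, b.Nonce, b.Box), b.Sig) {
		return nil, errors.New("staged bundle signature invalid")
	}
	if r.ID != b.ID || !ed25519.Verify(pub, msg("release", r.ID, r.Key), r.Sig) {
		return nil, errors.New("key release rejected")
	}
	return aead(r.Key).Open(nil, b.Nonce, b.Box, msg("bundle", b.ID))
}
```

The point the example makes is that the scheme only holds together if the key-release message is itself authenticated and tied to a specific staged bundle; pre-deployment on its own buys nothing if any party can push a "key" to the installer.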