Security Patches Too Bloated To Use?

Here’s amusement – a Wintel-using colleague just mailed out the following:

I mentioned this to a few people earlier last week. Do NOT feel obliged to install the recently released Windows XP Service Pack 2 (for Home Edition only, Professional Edition released on the 25th August). The BBC have this article on their website:

[news.bbc.co.uk]

… indicating security experts have found ways of getting around the service pack security updates … We already know of the weaknesses of M$, however I write to you only to save you the effort and time of having to download the hefty pack (80mb!) and update your WinXP Home Edition systems again in the future … Perhaps they will fix it up in time for the Professional Edition of WinXP … ? Perhaps ! 😉

Of course the matter of such insecurity is moot to me (my home is a MacOS/Linux shop), but as a security consultant I find this rather scary; it is reminiscent of some corporate enterprises I have visited where a machine’s configuration is considered too mission-critical to have security patches applied.

Re-read that – some machines are considered by some to be too important to have security bugs fixed.

Now, for “too important”, read: the patches themselves are considered too untrustworthy, or too uneconomic to test and deploy.

I suppose this was mostly covered in my whitepaper from 1995 [www.crypticide.com] but even still, it is nice (huh? or maybe pleasingly consistent?) to see the same sort of problems starting to apply to the home user.

Maybe Sun/Apple’s combination of dinky little patches and ueber-globby huge ones really is the best of both worlds, as opposed to doing just really big flag day updates.

Comments

3 responses to “Security Patches Too Bloated To Use?”

  1. mrod
    re: Security Patches Too Bloated To Use?

    A great deal of the problem is that patches often fix some things that mission-critical applications rely upon to work.

    You should read some of the stuff written in some of the professional computing magazines where businesses spend 6 months testing a single patch before applying it. These days this means that the machines are generally 10 generations of vulnerability behind the current exploit.

    Add to this the amount of testing that these corporations do for the OS, which often means that they’re just starting to roll out OS upgrades which have been out of production for 5 years and you can see the scale of the problem.

    I think most of this is due to big business having their fingers burnt in the past with iffy OS upgrades and even more iffy software which just happened to work due to a feature caused by a bug somewhere. Oh, that and Windows service packs or even single patches which mess the whole system up to the point where it won’t boot.

    You also have to remember who the people are who are making the rules and decisions: middle to upper management. These people have no idea about the technology and an even worse idea of the risks involved at the rock face. They’ve been burnt in the past by the IT department saying things will be fine and it going belly-up, so they’re not trusting that department to give them information. If you add to this the idea that doing nothing and something going wrong is better than doing something and it going wrong, because then they can pin the blame on you too easily, you start to get the picture.

    People are bad at risk management. Corporations are even more terrible at it.

  2. dave.walker@sun.com
    re: Security Patches Too Bloated To Use?

    Flag-day mega-updates have another side effect of opening an opportunity window, especially where intended consumers have limited bandwidth Internet links.

    A fairly computer-illiterate friend of mine has an M$ laptop, and heard about Service Pack 2.

    She connected her unpatched laptop to the Internet for the first time in ages, to download and install it.

    During the time she spent downloading it, her laptop was compromised.

    Hence the reason to make such updates available on physical media.

  3. Chris Samuel
    re: Security Patches Too Bloated To Use?

    Dave, agree totally, which makes it even more bizarre that MS in the US[1] *refuse* to allow Aussie PC magazines to include security updates on their cover CDs.

    There was apparently one exception, for XP SP1, but none since. 🙁

    [1] – MS Australia apparently don’t have the ability to approve things like this, they have to refer them back to the hive for their approval, and they don’t understand this concept of cover CDs.
