Re: Industry calls on Microsoft to scrap PatchTuesday for Critical flaws

[Nick Withers <nick () nickwithers com>]

On Sat, 25 Mar 2006 18:53:36 -0800
"William Lefkovics" <william () lefkovics net> wrote:

> Indeed.  You don't want to release a bad patch (who does?) and you also want
> to work on critical issues in an ASAP manner, not tied to any schedule like
> 7 to 14 days.

Agreed. However, I do strongly believe that Microsoft should
release security patches as soon as they _are_ confident that
they're ready to go.

As I understand it (please correct me if I'm wrong) the current
Microsoft strategy of releasing security advisories on the
second Tuesday of the month is to appease managers who were
getting sick of constantly having to allocate staff to deal
with them.

Whilst I understand this logic, I don't really agree with it -
security patching is (at least for the foreseeable future) a
"fact of life" and should be a top priority. If this means
re-allocating resources to deal with it, then so be it (in my
books, anyway).

> "The worst scenario for us is that we release an update which has quality
> problems. We believe the downstream problems of releasing patches too
> quickly are even more serious than not putting in the quality that they
> deserve." - Ben English, Security Leader, Microsoft Australia
>
> Furthermore, Microsoft has an exception policy in place for addressing
> vulnerabilities with greater customer risk.
>
> "Microsoft will make an exception to the above release schedule if we
> determine that customers are at immediate risk from viruses, worms, attacks
> or other malicious activities. In such a situation Microsoft may release
> security patches as soon as possible to help protect customers."
> http://www.microsoft.com/technet/security/bulletin/revsbwp.mspx

I don't like the idea of Microsoft making assessments on behalf
of me / my employer / etc. Probably my biggest gripe with this
idea is that it's entirely possible for someone to be actively
exploiting, or to have the ability to actively exploit, a
security problem in a Microsoft product without anyone else -
including Microsoft - knowing about it. If there's a security
patch sitting there which would fix the issue I want it!

Good to see discussion on this issue, methinks!

> -----Original Message-----
> From: full-disclosure-bounces () lists grok org uk
> [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of
> Valdis.Kletnieks () vt edu
> Sent: Saturday, March 25, 2006 6:23 PM
> To: n3td3v
> Cc: full-disclosure () lists grok org uk
> Subject: Re: [Full-disclosure] Industry calls on Microsoft to scrap
> PatchTuesday for Critical flaws
>
> On Sat, 25 Mar 2006 22:12:23 GMT, n3td3v said:
>
> > You Microsoft must officially agree that all flaws marked as 
> > "Critical" must have a patch within 7 to 14 days of public disclosure.
>
> OK... Nice try.
>
> Too bad you didn't add a requirement that the patch actually be *correct*.
>
> Also, you're totally overlooking the fact that *sometimes*, fixing a problem
> requires some major re-architecting - for instance, if an API has to be
> changed, then *every* caller has to be updated, and quite possibly
> re-designed, and the changes have an annoying tendency to ripple outward (if
> subroutine A has a 7th parameter added, then everybody who calls A has to be
> updated.  And it's likely that you'll find routines B, C, and D that have no
> *idea* what the correct value of the parameter should be, because they don't
> have access to the data - so now callers of B, C, and D have to pass another
> parameter that gets passed to A).
>
> Any company that will commit to a "must" on this one is nuts.  It's a good
> target, but making it mandatory is just asking companies to ship a
> half-baked patch that seems to fix the PoC rather than the underlying design
> flaw.
>
> And going back and reviewing the patch history on IE is instructive - more
> than once, Microsoft has released a patch for a known Javascript flaw, only
> to find out within a week that a very slight change would make the exploit
> work again.
>
> Is that *really* what you want?  It's certainly not what *I* want.  Waiting
> another 3-4 days past your arbitrary 14-day limit for a *good* patch is
> certainly preferable for those of us who actually have to deal with this
> stuff for a living, rather than hide out on a Yahoo group.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

-- 
Nick Withers
email: nick () nickwithers com
Web: http://www.nickwithers.com
Mobile: +61 414 397 446

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/