
The Becsta.NET Third Rant - Security Patches

God, I love security patches - not. There are so many of them being released every day that it's almost impossible to keep up with them - but keep up you must.

Service Packs

One of my biggest bug-bears with security patches is that major companies release the security fix as part of a "service pack", which happily contains extra "features" designed to increase your security experience (according to the marketing hype). More often than not (and I have experienced this first hand) the "features" themselves contain security vulnerabilities, and quite often break existing functionality.

For instance, we were having problems with a firewall, and conveyed the issues to the firewall vendor. Some time later, they released a "service pack" and recommended that we install it, as it would fix the bugs we were experiencing. After installing the service pack, we found that some existing services broke (namely ftp), so we had to back out the service pack and wait for them to fix the bugs in the service pack. If only they would release hotfixes instead of huge service packs full of wonderful new features.

The moral of this story is to do extensive testing of these service packs and bugfixes before rolling them into production.

Get with the program guys! When I apply a security fix, I don't want extra features! I want a patch which fixes the security vulnerability and no more. It certainly should not break existing functionality, on which we sometimes depend. If I want extra features, I'll upgrade the entire product. Service packs are for fixing bugs, not introducing features. When I get my car serviced I expect the car's bugs to be fixed. I don't expect to drive away with an automatic car when I put a manual car in for service.

Security Patch Laziness

We hear every day about sites getting hacked, web pages being defaced, etc. (if you want to know, go to the Attrition mirrors). Most of these hacks are done by script-kiddies using exploits found on the Internet. Most of these exploits would be ineffective against up-to-date systems running the latest patches and software. So, why are these attacks still successful?

There is no easy answer. One answer would be that most IT systems administrators don't have a clue when it comes to keeping systems up to date. Sure, they might know about NT service packs, but do they know about the regularly released Microsoft hot-fixes? I doubt it. Another answer might be sysadmin laziness: "she'll be right mate, I'll do it tomorrow", which is too late. It could be due to a lack of security awareness (either they don't know a thing about security, or they get their information from the wrong sources).

It's not that hard to implement a policy (with a set of procedures to back the policy up) of maintaining current patch-levels. It only becomes a burden when systems fall so far behind in revision that applying the latest patches introduces risks (of breaking things).

Microsoft is pretty good at releasing hot-fixes for bugs brought to their attention, as are most Linux distributions.

$Author: rebecca $ $Date: 2001/08/28 07:48:10 $ $Revision: 1.2 $