Security isn't convenient..

I commented on the WMF issue by saying that Microsoft's patching procedure, patch Tuesday, is essentially flawed. I can say that again now, as the current "zero day", or more like "ten day", exploits are targeting Internet Explorer on the internet. I like Microsoft's attempt to blog about the issue, but sadly enough.. I feel that they have huge flaws in their reasoning. Here's what they say about the upcoming release of a patch for the vulnerability:

Right now, the update is on schedule testing wise to be released (meeting the quality goals customers have asked for) as part of the April security updates on April 11, 2006. But as I said, we're actively keeping an eye on any attempts to utilize this in an attack. We'll release it sooner if warranted.

Ok, they are actively "keeping an eye" out for attacks.. which basically means that they are looking for automated attacks. What about the targeted ones? Do they not understand how easy it would be to use this vulnerability in a targeted scam? Just send a carefully crafted e-mail with a link to an external homepage. Anyone would go for it; it's just a matter of how much effort is put into crafting the mail (research about the receiver to find out what a relevant mail looks like for that person). Not releasing patches, and claiming that it isn't necessary due to the lack of active attacks, is like claiming that there is no need for laws against murder, as there isn't currently a lot of mass murdering going on. They counter this by saying:

I want to caution everyone that they should take care not to visit unfamiliar or untrusted Web sites that could potentially host the malicious code.

Do they understand what a difficult task this is for a network containing 100 - 10 000 hosts and users? Impossible..

Microsoft's patching procedures are a result of administrators wanting an easier job. Few things about "patch tuesday" benefit security. It's created towards countering the attacks that are "convenient" to counter. The only way to counter a wide range of attacks is to release patches, or alternatively to release detailed information about the vulnerability so that, for instance, an IPS can be used to prevent the attacks while they are going through the networks. But of course, this is not Microsoft's "way to do it" either..

Jesus..

2 Responses to “Security isn't convenient..”

  1. Home of Göran Sandahl » SANS recommends BETA-patches
    4. April 2006 at 09:04

    […] SANS seems to be taking the same route as I am on the Microsoft zero day issues by recommending Microsoft to release BETA-versions of their patches, so that customers can themselves decide to use them or not. Their argument is that the (very much necessary) testing phases are done at two times, and at separate moments, when customers could in fact aid Microsoft in testing the patches. I like what I hear.. […]