Wednesday, November 19. 2003
Why the patch strategy doesn't work - but we gotta keep doing it
Microsoft's updates for the Workstation Service were released earlier this month - and a day later, the exploits were released on the Internet. Get this patch and apply it now.
This is, however, the wrong strategy. Every patch carries some risk with it, which is why even large enterprises with strong IT staffs get Slammed and Blasted. Long experience with the patches has taught systems administrators that extensive testing has to be done before the patches are applied to production systems - causing a long window of vulnerability which is being exploited by virus and worm writers. The correct strategy is one of code review and extensive testing before release - completely antithetical to Micro$oft's historical business practices.
In another interesting development, it turns out the IE patch - labeled 'Critical' by M$ - contains patch files that are months old. So Micro$oft knew of the problems long ago, and didn't release the fix. If this meant that M$ was extensively testing the patch to insure operability, I could understand it. But it's full of nasty little bugs.
Also, Microsoft Exchange servers, which long ago had configuration parameters added to prevent Spam relaying, can easily be accidentally opened for relay - simply by enabling the guest account. This isn't theoretical, it was found because a spammer was doing just that.
Gimme a Linux box, Mozilla, and Postfix. Even if SCO is threatening to sue me.
This is, however, the wrong strategy. Every patch carries some risk with it, which is why even large enterprises with strong IT staffs get Slammed and Blasted. Long experience with the patches has taught systems administrators that extensive testing has to be done before the patches are applied to production systems - causing a long window of vulnerability which is being exploited by virus and worm writers. The correct strategy is one of code review and extensive testing before release - completely antithetical to Micro$oft's historical business practices.
In another interesting development, it turns out the IE patch - labeled 'Critical' by M$ - contains patch files that are months old. So Micro$oft knew of the problems long ago, and didn't release the fix. If this meant that M$ was extensively testing the patch to insure operability, I could understand it. But it's full of nasty little bugs.
Also, Microsoft Exchange servers, which long ago had configuration parameters added to prevent Spam relaying, can easily be accidentally opened for relay - simply by enabling the guest account. This isn't theoretical, it was found because a spammer was doing just that.
Gimme a Linux box, Mozilla, and Postfix. Even if SCO is threatening to sue me.
JaBbA's Hut - Geeks and Rants Why does the world continue to chase after the Microsoft bug? I find it extreamly frustrating how a company can make such an inferior product and use the media to make people think that...
Tracked: Nov 19, 22:46