Microsoft Increases Security By Patching Less

from the counter-intuitive dept

Let’s see if we can follow the logic on this one. Because Windows systems need to be patched on a very regular basis, people are concerned about their security. Microsoft has responded by announcing that it will now release fewer patches. That sounds counterintuitive. However, the reasoning isn’t that bad. Basically, most folks don’t patch their systems that often, because the day after you patch, it seems like another patch gets released – and if you’re just going to spend your days updating your system, why bother at all? Thus, the thinking is that if Microsoft only releases patches once a month, it will be a bigger deal (patch party!) and people will be more willing to install them. Of course, that does mean that security holes and bugs will remain open longer for those who normally do patch quickly. Microsoft claims that many hackers are using the patches as a blueprint for exploits – so getting more people to patch regularly, rather than patching often, should protect more machines. Not sure if things will actually work that way, but it’s an interesting theory.



Comments on “Microsoft Increases Security By Patching Less”

7 Comments
LittleW0lf says:

Re: No Subject Given

Reminds me of how MS “fixed” UAEs by renaming them GPFs.

Or how Microsoft fixed RPC DCOM in MS01-048, MS03-026 and MS03-039, only to have it come out again this week that RPC DCOM is vulnerable to the same bug, just that the mechanism to get to it has changed. I swear, Microsoft appears to be fixing the code solely to make the exploit not work, not actually fixing the vulnerability!

Just another reason why closed-source security being more secure than open-source security is a farce: if the open-source folks fixed the exploit instead of the vulnerability, then everyone could see that they are idiots. With closed-source, only the bad guys can see that they are idiots, but they are still idiots.

Anonymous Coward says:

Institutionalized Patching? It could work.

Let’s designate Monday as patch day and move the work week to 4 days, with the rank-and-file getting Monday off and the Techies doing the patching getting Friday off. That will move the *real* work (interfacing with management/rank-and-file) to three days a week…. it will be paradise, trust me.

AMetamorphosis says:

Critical Updates ...

Wasn’t the automatic notification of needed patches supposed to solve this problem? I have my workstation set to alert me when critical updates are available, but I always review them before proceeding.
On the other hand though, I sort of like the idea that Microsoft appears to be leaning towards a defined distribution of patches. If we have to slog our way through constantly patching the product @ least we can make it a part of our monthly tasks and schedule appropriately for this task. As it stands now, every time there is another security issue we get stuck having to place everything else on hold in order to attempt to protect ourselves.
