SecurityFocus 2005-09-13
Microsoft's decision to cancel a security fix after finding problems with the patch has security experts questioning whether waiting for the fix to come next month might leave them open to attack.

Maiffret may be a critic of scheduled updates, but he doesn't articulate the reasoning for his dislike of scheduled updates.
The matter of "customer convenience" in an environment lacking an imminent threat is in fact equivalent to "customer security". Most companies must commit sizeable resources to deployment of security updates, particularly large ones. If they can pre-schedule such updates, this tilts the preparation vs. response equation considerably in favor of security. Obviously, if you have a zero-day vulnerability with a full-blown public announcement, exploit, worm, whatever, you don't delay. But there are times when it does make sense.
For the record, the time-to-patch problems at Oracle and Microsoft didn't just suddenly appear when the companies adopted scheduled release timeframes. They've been an issue for both companies almost since day one.
The problem with Microsoft's patch regime isn't that its updates are scheduled, but that they're delayed. The huge timeframes (6-12 months) are terrible. Bottom line. But that has nothing to do with the delay to patch.
The same is true here. If Microsoft regularly released patches within 15-30 days, another 30-day delay would mean only a 45-60 day patch cycle -- still acceptable by most standards.
Once again, the veiled anti-Microsoft agenda misses the mark. Microsoft certainly deserves criticism for its promptness on patching. But let's put that criticism in the right place.
Link to this comment: http://www.securityfocus.com/comments/articles/11313/32457#32457