Biggest Stories of 2006; Third Party Patches
Table of contents for biggest-06
- Biggest Stories of 2006; Rise of the Bots
- Biggest Stories of 2006; Third Party Patches
This is the second of a two-part series I’m doing on the biggest security stories of 2006. Alan Shimel of SSAATY asked me, along with several other people, to do a 60 second blurb on what we thought was the biggest security story of 2006, all of which has been incorporated into his podcast. Since 2006 had so many stories to choose from I actually chose two: ‘the rise of the bot’ and ‘third party patches.’
Alan’s podcast #26 can be downloaded from Clickcaster here.
In 2006 we had a couple of vulnerabilities that were deemed critical enough that third parties chose to release patches to address them. The reason this is significant to me is because I absolutely abhor the fact that Microsoft makes statements to the effect of ‘we know there is a zero-day exploit floating around for one of our products but we aren’t seeing an attack on a scale wide enough to rush a patch.’ ‘Wide enough’ to Microsoft is ‘catastrophic’ to my little network, therefore I want the ability to make a ‘patch’ or ‘no patch’ decision myself. After all, I’m responsible for the security on my network, not Microsoft.
I think it was Johannes Ullrich of the ISC who first mumbled ‘beta patch’, a concept of Microsoft releasing beta patches that haven’t passed full regression testing but will correct the underlying vulnerability. That sounds like a great idea to me! Give me a patch to test in my environment so that I can make decisions about the security of my network, not Microsoft.
I’m hoping that the mere fact that companies are releasing third party patches prods Microsoft into a compromise such as this. That is the true value in third party patches, not the patch itself. In fact, I strongly discourage using third party patches unless you are completely forced to do so. However, if a third party patch is truly your only means of protection for a mission-critical asset then by all means, test and deploy it.
