The Costs of Patching
prestidigital writes "vnunet has a brief but interesting article in which Craig Fiebig, general manager of Microsoft's security business unit, is quoted as saying 'In dollar terms, patching is the most expensive security measure and keeping your antivirus descriptions up to date is the least.' That seems like an important statement coming from a company whose patches are possibly responsible for 45% of traffic on some networks."
IMHO getting hacked is much more expensive.
Sometimes I wish there was the equivalent of Windows Update for Linux. If it wasn't worth the effort I wouldn't be using it, of course, but the asymmetry between the Windows patches and Linux patches doesn't seem to matter much when all the Windows patches are applied in one go and the Linux patches require individual attention.
After reading this post, I checked windows update and found two brand new criticals... That makes five in three weeks. If they'd get it right the first time...
The only decision for some security patches is how long you wait before deploying it.
That's not quite the only choice--you have two other choices: adopt Linux; adopt Macs. If the cost of patching is really that great, it raises the cost of the machine--until maybe purchasing a Mac isn't all that expensive after all.
--
$tar -xvf
apt-get upgrade
That's what I do, and I'm not sure what all the fuss is about. Things get fixed, usually before I ever knew they were broken, daemons get restarted, nothing gets interrupted, life goes on ... If I took the trouble to make it a cron job, I'd never even know.
Is Mr Fiebig telling us that things don't go so smoothly if you use MS products? Or that MS can't keep up with a bunch of amateurs? Do MS patches break non-MS apps? Could all this be why so many worms and viruses manage to spread across unpatched MS products? Could it be that MS patches are as bad as the bugs they fix? SAY IT AIN'T SO, CRAIG!
See what I've been reading.
Bell Labs (now Lucent) and various hackers have made string functions that do the same thing but are buffer safe. They are made to create more secure apps.
My question is: if gcc, or Visual C for that matter, switched to more buffer-safe libraries, would it make a difference? Trusted Debian is compiled with buffer-safe string functions.
It may be time gnuc did this by default assuming all the apps could be recompiled without a problem.
This would seem to get rid of 90% of holes in user as well as kernel space.
http://saveie6.com/
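The bounded-copy idea behind the "buffer safe" string functions discussed above, as an added example that is not the page's own code or any libc's implementation: a strlcpy-style copy that never writes past the destination and reports the source length, plus the truncation check a caller still has to add. The function names are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* strlcpy-style bounded copy (reimplemented here for illustration):
 * copies at most dstsize-1 bytes, always NUL-terminates when dstsize > 0,
 * and returns strlen(src) so the caller can tell whether it was cut short. */
size_t bounded_copy(char *dst, const char *src, size_t dstsize)
{
    size_t srclen = strlen(src);
    if (dstsize == 0)
        return srclen;                 /* nothing written, no overflow */
    size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return srclen;
}

/* Returns 1 if src fit, 0 if it was truncated. This is the caveat behind
 * "just recompile against safe libraries": the overflow is gone, but a
 * silently shortened path or username is now a logic bug unless checked. */
int copy_checked(char *dst, size_t dstsize, const char *src)
{
    return bounded_copy(dst, src, dstsize) < dstsize;
}

int main(void)
{
    char buf[8];                       /* constructed small destination */
    const char *inputs[] = { "abc", "this string is longer than the buffer" };

    for (size_t i = 0; i < 2; i++) {
        int fit = copy_checked(buf, sizeof buf, inputs[i]);
        printf("%-40s -> \"%s\" (%s)\n", inputs[i], buf,
               fit ? "fit" : "truncated");
    }
    return 0;
}
```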
That is exactly the issue we face at my large corporation. We finally got to the point that we download the patches centrally, create a mega-patch consisting of the various Qxxxxxx patches from MS, and then test those on a staging server that mimics various vital functions throughout the enterprise. We had problems with loose cannons going around and applying Windows updates to production servers that then had problems with a certain piece of software, or what not. Anyways... you're right.. half the time spent by MS techs is quality testing the patches.
It isn't a lie if you believe it.
Apart from the music download, uh, stuffff, at their web-store, SoftwareUpdate is the right way to do it.
The download sites are controlled by Apple (and Akamai for all I know) but Apple really serves up the content.
Also they have a better, more secure OS that's conservatively designed and carefully implemented, so viri scouring and bug fixes aren't quite so desperately required by the system owners.
M$ may be too anal-retentive for their client base's own good. The only thing they want to conserve is their cash flow.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
" Is there any OSS system with automated patching "
yes
"that people are willing to trust?"
errr.. no.
change it to
"that corporations are willing to trust?"
yes..Windows 2003.
The Kruger Dunning explains most post on