Slashdot Mirror


Windows 24 Hr Vulnerability Patch - Would It Help?

super_ogg asks: "In light of the recent Windows infection rate problem, it prompted me to ask the question: if Microsoft was able to guarantee a 24-hour-patch for a vulnerability (and hell didn't freeze over), how much would it affect the rate of infection seeing that a lot of people don't patch their systems? Would the rate of infection increase dramatically?"

70 comments

  1. Hell didn't free over? by FLAGGR · · Score: 0, Redundant

    Last time I checked it didn't cost much to get into hell.

    Don't slashdot editors read things?

    1. Re:Hell didn't free over? by QuantumG · · Score: 1

      Clearly not. If I was a subscriber to this service I'd demand a refund.

      --
      How we know is more important than what we know.
  2. 24 hour patch? by Anonymous Coward · · Score: 0

    How would such a patch work? The idea itself is just impossible... unless you have no network connection.

  3. Unlikely to increase by Craigj0 · · Score: 2, Insightful

    Would the rate of infection increase dramatically?

    I can't see how providing patches faster would increase infection rate.

    1. Re:Unlikely to increase by ma_luen · · Score: 2, Interesting

      A big problem that Microsoft faces is that when they release a patch it is reverse engineered to find the vulnerability that it fixed. Since a huge number of individual users don't patch regularly (if ever) and corp. users want time to test the patch before rolling it out, there is a lag between the patch release and its deployment.

      This of course means that the hole that the patch fixes (which may not have been known about before the patch) can be used to exploit systems for some time. Hence frequent, unscheduled patches can increase infection rates, which is why Microsoft switched to the monthly scheduled patch rollout.

      Mark

    2. Re:Unlikely to increase by Otter · · Score: 1
      I can't see how providing patches faster would increase infection rate.

      I assumed that was a typo, and he meant "decrease". "[A]nd hell didn't free over" is probably a typo, as well, although I'm sure Richard Stallman is still typing a furious GNU/missive to Cliff right now...

  4. Users are users... by rpbailey1642 · · Score: 3, Insightful

    Releasing patches that quickly would probably make the releases smaller, which means people would be less likely to cancel the download in disgust when they see it would take 2+ hours to complete. Having said that, given the users I've encountered, MS would need something like "Automatically Apply Patches without Prompting Me" as one of the initial options or users would just "X" out of the warning pop-up, as they do nowadays.

    1. Re:Users are users... by rpbailey1642 · · Score: 1

      Sorry to respond to my own post; don't take that as an endorsement that people should blindly accept patches or anything from Microsoft. It was just one thing MS could/would conceivably do to get users to patch their systems.

    2. Re:Users are users... by mcmonkey · · Score: 1
      Having said that, given the users I've encountered, MS would need something like "Automatically Apply Patches without Prompting Me" as one of the initial options or users would just "X" out of the warning pop-up, as they do nowadays.

      Aren't automatic updates already an option for Windows Update?

    3. Re:Users are users... by Linus+Torvaalds · · Score: 1

      Releasing patches that quickly would probably make the releases smaller, which means people would be less likely to cancel the download in disgust when they see it would take 2+ hours to complete.

      Only if they patched on a regular basis. Otherwise, instead of seeing one patch that takes 2+ hours to complete, they'd see 200 patches that take 2+ hours to complete altogether. In which case, they'd still cancel.

    4. Re:Users are users... by rpbailey1642 · · Score: 1

      I think it still prompts you to install the patches, even if you automatically download them. Some people just can't be bothered. I haven't touched a Windows machine since Windows 98, so someone please correct me if I am mistaken. (Nanogator would have a brilliant and biting comment here)

    5. Re:Users are users... by Ingolfke · · Score: 1

      2+ hours to complete? What?! SP2 only took about 30 minutes, most of that was the install not the download. I know there are some slow pipes out there, but those computers probably aren't the big problem (unless botnets are being built mostly w/ dialup users?)

    6. Re:Users are users... by b00m3rang · · Score: 1

      You can specify a time each day when "critical" updates are installed automatically. Your machine will then reboot on its own.

  5. hang on a minute by sycotic · · Score: 2, Insightful

    Would the rate of infection increase dramatically?

    That simply *has* to be a typo, you most certainly would expect the rate of infection to decrease quite quickly if everyone had automatic updates enabled...

    --
    -- If I were a fish, I'd be wet
    1. Re:hang on a minute by Tanmi-Daiow · · Score: 1

      Frankly, I know no Windows users who know what they're doing that have automatic updates enabled. They all manually get them from Windows Update.

      --
      "Of all tyrannies, a tyranny sincerely exercised for the good of its victims may be the most oppressive." - C.S. Lewis
  6. I dont think... by Tanmi-Daiow · · Score: 1

    I don't think that the rates of infection would increase much. Just because Microsoft guarantees a 24 hr patch doesn't mean the people will patch it. Virus writers will know this and will not increase the amount of viruses written. I think that everything would all stay the same as it is now.

    --
    "Of all tyrannies, a tyranny sincerely exercised for the good of its victims may be the most oppressive." - C.S. Lewis
    1. Re:I dont think... by bano · · Score: 1

      Actually it might bring forth a sort of competition.
      "How many machines can we infect in 24hours or before a patch is released".

  7. Interesting thought experiment... by TripMaster+Monkey · · Score: 2, Insightful

    Even if Microsoft could guarantee a 24-hour patch release (and the submitter's remark about the cold snap in Hell is pretty much on the mark here), I really don't see it making that much difference...unless systems were configured to apply patches immediately upon release, without being authorized by the sysadmin first. I don't think I'm the only sysadmin here who prefers to test patches on guinea pig machines before releasing them to the rest of my systems.

    --
    ____

    ~ |rip/\/\aster /\/\onkey

    1. Re:Interesting thought experiment... by Anonymous Coward · · Score: 0

      I don't think I'm the only sysadmin here who prefers to test patches on guinea pig machines before releasing them to the rest of my systems.

      You're probably not the only sysadmin whose network is full of spam zombies, either. Idiot.

    2. Re:Interesting thought experiment... by mindstormpt · · Score: 1

      The biggest problem here is with the home users, not the sysadmins. You're probably aware that most of them don't use "guinea pig" machines, and have little reason to do so. I do believe a 24-hour release guarantee, plus the Windows default being automatic download and install of patches, would certainly help. As for large networks, that option would usually be disabled.

  8. Huh? by mcmonkey · · Score: 1

    What is a "24 hour patch for a vulnerability"? Are you asking if MS will guarantee a computer will be vulnerable for 24 hours? Or the patch will only last 24 hours?

    If the issue is folks not updating systems and applying patches, then how will any patch affect the rate of infection? Isn't that the issue? Patches don't work if they're not used.

    How would MS issuing patches cause the rate of infection to increase dramatically? Are you saying hackers are using security updates as guides for exploiting security weaknesses? Do you propose software companies stop issuing patches as a way to dramatically decrease infections?

    What was super_ogg smoking when he asked this question, and why isn't he sharing?

    1. Re:Huh? by MBCook · · Score: 1

      I assume the guy meant MS would release a patch to fix a vulnerability within 24 hours of its discovery.

      --
      Comment forecast: Bits of genius surrounded by a sea of mediocrity.
    2. Re:Huh? by Artega+VH · · Score: 1

      The summary states that 24 hours of vulnerability would increase infection rates. This is, of course, correct.

      Slashdot gets it right for once. While hell is freezing over Microsoft will also provide 24 hour turnaround on providing patches for vulnerabilities.

      --
      groklaw, wired and slashdot. The holy trinity of work based time wasting.
  9. Patches only work if they're installed. by boring,+tired · · Score: 2, Insightful

    Patches only work when they're installed. Many people don't install patches until they realize they've been hacked. Even if they are aware of new patches, system admins and users might be hesitant to install a brand new untested patch on an already working system.

    1. Re:Patches only work if they're installed. by ArsenneLupin · · Score: 1
      users might be hesitant to install a brand new untested patch on an already working system.

      Oh, and I thought these patches were intended for Windows!

    2. Re:Patches only work if they're installed. by boring,+tired · · Score: 1

      OK, I should have said "mostly working system" :)

  10. No by MBCook · · Score: 3, Interesting
    Here is my theory, based on my observations and opinions.

    For big businesses, it wouldn't help. They are already on top of these things checking their firewalls and such, trying to prevent infections. (Note: if this isn't the case, they fit in with group 2)

    Then there are individuals. I can't tell you how many people's PCs I've found with basically NO updates applied (for whatever usually pointless reason). These are the people where such a quick patch could make a difference (since it tends to be home computers and those under the care of someone who doesn't know what they're doing), but they won't get the patch because these people don't patch in the first place.

    MS's best solution at this point would be to force automatic updates to be on for all copies of XP Home, with no way to turn it off (short of registry editing). That way, the computers would get the updates they need, but the few people who want to turn it off would probably know enough to run their computers safely if they knew where to find the instructions and how to change the registry. (I'm ignoring the point that anyone with half a brain that was a "power user" would want XP Pro over XP Home).

    A 24 hour turnaround would be great, but I don't think it would make that much of a difference. Forced updates (especially if expanded to include XP Pro that isn't being managed by a domain controller/active directory, to cover those one machine businesses and such) would probably go further.

    --
    Comment forecast: Bits of genius surrounded by a sea of mediocrity.
    1. Re:No by bergeron76 · · Score: 2, Interesting

      I can't tell you how many people's PCs I've found with basically NO updates applied (for whatever usually pointless reason).

      Here's my pointless reason: My unpatched Win2k (SP1) box has been working dutifully since 2002 _without any re-install_.

      I've had several _other_ Win2k boxes that had "Automatic Windows Update", and *EVERY SINGLE ONE OF THEM* has died for reasons "unknown".

      My theory is that there are many more virus writers (kiddies) these days than there were a few years ago. They aren't targeting "old-school" exploits, they're all targeting the newest/latest exploit. By not using .Net Framework and all of the other "recent" Microsoft garbage, I've kept my box very secure. Granted, I can't run any apps that require Win2k SP4 (with .Net Framework); but that's actually been a blessing - I've discovered great alternative applications on Linux and OS X.

      --
      Don't think that a small group of dedicated individuals can't change the world. It's the only thing that ever has.
    2. Re:No by Anonymous Coward · · Score: 0

      You're right, this reason is pretty pointless...

    3. Re:No by gstoddart · · Score: 1
      MS's best solution at this point would be to force automatic updates to be on for all copies of XP Home, with no way to turn it off (short of registry editing). That way, the computers would get the updates they need, but the few people who want to turn it off would probably know enough to run their computers safely if they knew where to find the instructions and how to change the registry. (I'm ignoring the point that anyone with half a brain that was a "power user" would want XP Pro over XP Home).

      I have several problems with this:

      1) Forcing updates will basically put it into a situation where only software and settings approved by Microsoft are in place. Don't feel like updating to the latest DRM'd version of Media Player? Tough. You don't get a choice. Oh, you installed Mozilla? Tough. That would create a situation in which Microsoft owns your machine and can do anything they want to it. Fsck that!!

      2) Don't even get me started on that )(*&#^$%^# registry crap. That's the worst system of maintaining configuration I've ever seen. I'm no half-wit, but that shit just scares me. It's not just voodoo, it's crappy voodoo.

      3) Due to pricing and availability, XP Pro isn't as available to everyone. When they first came out, I seem to remember a difference in price which was more than the machine I was putting it on. Saying I should hand another $300 to Microsoft so I don't need to be abused by them doesn't hold water.
      --
      Lost at C:>. Found at C.
    4. Re:No by mce · · Score: 1
      MS's best solution at this point would be to force automatic updates to be on for all copies of XP Home, with no way to turn it off (short of registry editing). That way, the computers would get the updates they need, but the few people who want to turn it off would probably know enough to run their computers safely if they knew where to find the instructions and how to change the registry.

      I have an XP Pro machine, from which one critical driver update and one non-critical driver update have on purpose been removed because they break the machine. A non-critical buggy video driver update (that is by now over 1 year old and for which still no update has been released) messes with the video mode selection stuff such that certain modes can no longer be reached (esp. those using higher refresh rates) even though they are in spec for all hardware. I will on purpose not identify the critical update here (fortunately for me, it concerns an OEM hardware component that isn't all that common in the wild).

  11. Easy by Linus+Torvaalds · · Score: 1

    The rate of infection would go down. Why? Because it's already commonplace for Microsoft to put out patches that break things. The added time pressure would only increase this.

    The rate of infection would go down because broken computers are less easily infected.

    1. Re:Easy by Ingolfke · · Score: 1

      Microsoft patches typically don't break Microsoft products, and at a minimum they wouldn't break the core functionality of the OS. So the computer is not going to be "broken". The patches do break 3rd party apps, especially products that are bending the APIs in order to achieve some other unforeseen purpose.

  12. Not much. Yet. by Deathlizard · · Score: 2, Informative

    Most of the Vulnerabilities happen weeks to months after a patch is released. It's just getting the patch on the machine that's a problem.

    As XP SP2 starts to overtake XP SP1 and SP0 sales, it should get better, since SP2 screams and yells if you turn off automatic updates. This is going to take a while since most people are paranoid about SP2, or MS won't let them install it because their OS is a pirate copy.

    Hopefully in Longhorn, they do the same thing they did with .Net 2003 SP1 and firewall the internet until Windows downloads all the critical patches. This would stop the 12 minute problem pretty quickly.

  13. What he really meant was... by sneakyrussiian · · Score: 1

    I thought we were all supposed to be nerds here? Can't people figure out what the submitter actually meant? Here's what it should really say:

    In light of the recent Windows infection rate problem, it prompted me to ask the question... if Microsoft was able to guarantee a 24 hour patch for a vulnerability (and hell didn't FREEZE over), how much would it affect the rate of infection seeing that a lot of people don't patch their systems? Would the rate of infection DECREASE dramatically?

    Now can we just drop it and actually answer the question? Thank you.

    1. Re:What he really meant was... by super_ogg · · Score: 1

      Why thank you sir. Let's try to get rid of some of that nerdy grammer nazi shit and focus on what most people can get from the post. ogg

      --
      Black cat, searing pain, flames...? I must be in Heaven! - Homer Simpson
    2. Re:What he really meant was... by sneakyrussiian · · Score: 1

      Grammar. Haha, sorry, too good to pass up.

    3. Re:What he really meant was... by super_ogg · · Score: 1

      Haha, I know. I've told people about that too. It's different when you write it than when you read it.
      ogg

      --
      Black cat, searing pain, flames...? I must be in Heaven! - Homer Simpson
  14. Unless, of course... by Ieshan · · Score: 2, Interesting

    Unless, of course, someone exploited the patching mechanism.

    If we were living in a world where Microsoft provided patches and people actually downloaded them, we'd probably be in a world of highly "seamless" updating. Microsoft would enable automatic updates by default on Mom and Pop boxes or work desktops hooked up to high-speed connections, and exploiting a mechanism used by nearly everyone would be a disaster.

    That's the only way it could really increase. I agree.

    1. Re:Unless, of course... by ArsenneLupin · · Score: 1

      Yes, that and these small patches would allow the intruders to see more easily where the vulnerabilities were in the first place. This is especially relevant if the vulnerabilities being patched were not yet observed in the wild. Now they will be!

  15. INCREASE Dramatically? by UserChrisCanter4 · · Score: 1, Informative

    Increase dramatically? Well, I know one of MS' claims is that the descriptions for the patches might show malware authors new exploits that they didn't know about. I think most of the major worms were produced long after patches had already posted, though I don't know if that was because the malware authors saw the bugfix notes, or if they used info gleaned from other sources. That said, I doubt it would change the infection rate at all.

    I was doing retail computer repair up until November of last year. Even in November of '04, it was still exceedingly common to see recent infections of Sasser or Blaster worms, which had been around for over a year before that point. These were worms, mind you, which exploited bugs that had been patched months prior to their first appearance.

    After all is said and done, I think the vast majority of users both business and home would rather have a patch that was worked on for a week or so than one that was rushed out the door. The clueless won't install it even when it's already out. The security conscious already have a decent firewall in place that should hold them for that brief time. Additionally, I'm not aware of a recent major worm or virus that exploited a known bug before the patch arrived, so the security people probably don't have much to worry about as far as worms/viruses are concerned. Of course, I'm sure some more knowledgeable /.er will correct me on that last point.

  16. The answer is obvious by ignorant_coward · · Score: 2, Interesting

    and it is: no.

    Microsoft has spent so many years breeding a developer and user culture of ignorance, complacency, irresponsibility, negligence, incompetence, stupidity, insecurity, instability, undebuggability, unusability, and inconsistency that they are either beyond hope or they will take another decade to correct their course.

  17. Mod Article Down by the+eric+conspiracy · · Score: 2, Funny

    Windows 24 Hr Vulnerability Patch - Would It Help?

    Immediate Answer Without Thinking: No.

    Answer After Thinking A Little About It: The question is nonsense because it is based on a silly premise.

    Answer After Thinking More About It: Waste of Time Because No Matter What You Do Windows is Going To Remain the Giant Petri Dish of The Internet.

    1. Re:Mod Article Down by shadowbearer · · Score: 1

      the Giant Petri Dish of The Internet

      I knew it, the Cyberworld is flat *and* round. ;-)

      SB

      --
      It's old. The more humans I meet, the more I like my cats. At least they are honest.
  18. But what about severe problems? by CyricZ · · Score: 1

    Some very severe problems may require a significant refactoring of a software system's code. Indeed, it would most likely be very counterproductive to try to force such changes that quickly. You may just end up introducing five or six times the number of bugs and security issues than if a proper solution, perhaps taking several days, had been delivered instead. Quick hackery meant to prevent security violations is itself often a source of massive security hazards in the future.

    --
    Cyric Zndovzny at your service.
  19. While we are wishing by wowbagger · · Score: 1

    ...if Microsoft was able to guarantee a 24 hour patch for a vulnerability....

    While we are wishing for the impossible, why do we not simply wish for Microsoft to guarantee no bugs?

    NO vendor - not Microsoft, not IBM, not Sun, no one - can guarantee an "N" hour response time for 100% of vulnerabilities (for 0 <= N <= 1000, say).

    There will ALWAYS be bugs for which it takes TIME to fix them - and the only way to deal with them until they are fixed is to shut the affected software down - and once again, that is not JUST Microsoft, but ANY software.

    1. Re:While we are wishing by ibbey · · Score: 1

      Your point is accurate, of course, but that doesn't really mean that the question has no merit. Microsoft could EASILY set an internal goal that, for example, 70% of bugs are patched within 72 hours of first discovery. Such a goal should be difficult, but not impossible to achieve. Any bugs that are not patched within the desired 72 hours are patched ASAP. Now, as the original poster asked: Would such an initiative cause a noticeable decrease in infections? An increase? And such a timetable would mean anything but the most cursory compatibility testing is ruled out, so it would likely cause its own set of (hopefully non-security related) problems. So would such an initiative be a good thing or a bad thing?

  20. It's a disclosure thing by dtfinch · · Score: 1

    The vulnerabilities they find now have usually been there for half a decade or longer. They weren't a threat until someone discovered them.

    Now, figure the average time someone goes between applying patches. Some update daily, but a lot of people update weekly, if at all. And suppose a vulnerability is discovered every 3 days. If patches were released the day they were completed, you'd be exposed about 70% of the time, if someone took the time to use the patches to locate the vulnerabilities. Now, if patches were released monthly, and vulnerability details were kept secret until a patch was available, you'd only be exposed about 12% of the time.

    It seems alright to hold back a bunch of patches to release all at once after a couple months so long as they can be released early in the event of public discovery or disclosure of a vulnerability.

    I bet some sort of randomizing compiler and linker would work wonders in preventing people from reverse engineering vulnerabilities from patches. Different addresses. Slightly different but equivalent machine code.
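    The exposure figures in the post above can be checked with a small day-by-day simulation. This is an added example, not part of the thread: it assumes one-day granularity, a hole found every 3 days, a user who patches weekly, a vendor who ships either immediately or in a 30-day rollup, and attackers who learn of a hole only by reverse engineering its patch (the `public_disclosure` flag models the case where the hole is already known when found, which is the post's reason for releasing early on disclosure).

```python
"""Toy model of the exposed time window described in dtfinch's post.

All parameters below are constructed for this example, not taken from the thread:
  * one-day granularity; all events happen at day boundaries
  * a new vulnerability is found every `discovery_interval` days
  * the vendor ships patches only on days divisible by `release_interval`
    (1 = "released the day they were completed", 30 = monthly rollup)
  * the user applies every shipped patch on days divisible by
    `user_patch_interval` (7 = "a lot of people update weekly")
  * attackers learn of a hole by reverse engineering its patch, so the
    machine is exposed from patch release until the user applies it;
    with public_disclosure=True attackers already know the hole when it is
    found, so the machine is exposed from discovery until the patch is applied
"""


def exposure_fraction(discovery_interval: int,
                      release_interval: int,
                      user_patch_interval: int,
                      horizon: int = 210,
                      public_disclosure: bool = False) -> float:
    """Fraction of days on which an attacker-known, unpatched hole exists
    on the user's machine. The default horizon of 210 days is lcm(3, 7, 30),
    so for the default schedules the fraction is exact over whole cycles."""
    pending = 0        # holes found but not yet shipped as patches
    released = 0       # patches shipped but not yet applied by the user
    exposed_days = 0
    for day in range(horizon):
        if day % discovery_interval == 0:
            pending += 1                  # a new hole is found today
        if day % release_interval == 0:
            released += pending           # vendor ships everything it has
            pending = 0
        if day % user_patch_interval == 0:
            released = 0                  # user applies all shipped patches
        attacker_known_unpatched = released > 0 or (public_disclosure and pending > 0)
        if attacker_known_unpatched:
            exposed_days += 1
    return exposed_days / horizon


def compare_policies(discovery_interval: int = 3, user_patch_interval: int = 7) -> dict:
    """Exposure under immediate release vs. a monthly rollup, for holes that stay
    secret until patched and for holes that are already public when found."""
    return {
        "immediate, secret until patched":
            exposure_fraction(discovery_interval, 1, user_patch_interval),
        "monthly rollup, secret until patched":
            exposure_fraction(discovery_interval, 30, user_patch_interval),
        "immediate, publicly known":
            exposure_fraction(discovery_interval, 1, user_patch_interval,
                              public_disclosure=True),
        "monthly rollup, publicly known":
            exposure_fraction(discovery_interval, 30, user_patch_interval,
                              public_disclosure=True),
    }


if __name__ == "__main__":
    for name, frac in compare_policies().items():
        print(f"{name:40s} exposed {frac:5.1%} of days")
```

    With the post's numbers the model gives roughly 71% exposure for immediate release and 10% for a monthly rollup, but the rollup only helps while the hole stays secret: once it is publicly known, holding the patch back leaves the machine exposed almost all of the time.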

  21. No... But... by Dark+Coder · · Score: 1

    If they can beat 12 minutes, then we're talking.

  22. THE POINT of the QUESTION!!! by Ingolfke · · Score: 1

    Is everyone missing the point of this question? Microsoft's ability to release a patch in 24 hours is the assumption of the question, that's not really up for debate. The real issue is, do general users, Windows users in particular, patch their systems quickly? The answer is... probably not. So we know Microsoft can't release zero defect software (it's an impossibility folks, the business demands are too great and the software is too complex). So the question is really do users need to change their behavior (either through education or force... in this case auto-updates by default) or does Microsoft need to reduce the security defects in their software by some percentage.

    Of course the answer is both. Windows users should have to turn off auto-updates for serious security fixes. Turning these off should be relatively easy of course, and configurable for real sysadmins who manage many boxes. But Grandma shouldn't have to worry about this kind of thing or even have to make a choice. Microsoft of course should do a better job of releasing their software w/ fewer security defects, but they're never going to release 0 defects and actually release a modern competitive product.

    I wonder why Windows doesn't keep track of the ports and libraries a user uses, so that when a patch is about to be applied an educated guess can be made about the impact. If I never use port 110, but it's open and vulnerable, then a patch shouldn't be a problem; but if I use library_x all the time and the patch changes a few things in the library, then maybe it will be a problem, and I could be notified that the patch may have a side effect of breaking my software. I can either go forward w/ the upgrade or not, and if I do go forward w/ it then the software would give me clear instructions on how to roll it back (hopefully w/ one button).

  23. Cut down the number of installers! by AnamanFan · · Score: 5, Insightful

    Warning: Apple reference ahead, but nowhere does it state the fix is to buy an Apple computer.

    What would help the situation is if roll-ups or service packs were released in conjunction with hot fixes, limiting the number of total patch installers.

    Let's take Apple for example. In a nutshell, there's the retail box release (10.4.0), then a few security patches as needed (Denoted as: date of post). Let's say there are three of such fixes.

    Active Patch Installers: 3 (1 reboot)

    Eventually a point release is made (Denoted as: 10.4.1). This point release includes all of the previous security patches as well as other fixes usually along the lines of 'recommended' as Microsoft would put it.

    Active Patch Installers: 1 (1 reboot)

    After 10.4.1 is released, a few more security holes are found and patched, each with a date of release. We'll say there's two.

    Active Patch Installers: 3 (1 reboot)

    When 10.4.2 comes around, Apple releases two versions of the update:
    A smaller file for systems with 10.4.1 installed
    A larger file if 10.4.0 (Retail) is installed.

    Active Patch Installers: 2 - Only one needed (1 reboot)

    Here's the key point: From the retail version of the software, you only need to install one service pack release, and maybe 3 to 5 security patches at any point in time. Not 50 with branching restart cycles; one to five patches, one restart.

    Obviously there's some variation here and there. Apple will have a lot more than five updates at a time for all the other non-OS software, but the underlying concept is there:

    The fewer the installers and restarts, the easier patches are for the normal user.

    --
    AnamanFan - Trying to find the Truth, one post at a time.
    1. Re:Cut down the number of installers! by phillymjs · · Score: 1

      I have mod points and would have given you +1 Insightful, but I'd rather post an "Amen, brother!" instead.

      You are absolutely right, the way patches are handled on Windows is a friggin' mess, and Apple definitely does it a better way with their "delta" and "combo" updaters, plus the fact that there's no such thing as a reboot-requiring patch that insists on being installed separately from everything else-- no matter how many updates you've got listed in Software Update, you can do them all at once and reboot one time. Getting a Windows machine that hasn't been well-maintained up to speed patch-wise is a MAJOR pain in the ass with all the reboots and hand-holding it requires. If someone like me who does that stuff for a living finds it tedious as hell, it's no wonder the average PC user never bothers updating.

      Just last week, I went to a relative's house to tune up their XP PC. They only have dial-up and the machine is a couple years old, so I expected it to be unpatched and I wasn't disappointed. I brought XP SP2 with me on a CD and applied it, but I know there are umpteen additional patches that have been released since, and I had no easy way to track them all down, download them and burn them to CD as well-- so they remain uninstalled. (Said relative ordered a cable modem and will get another visit from me when it arrives so I can finish the job and get their machine up to date without it getting instantly pwned).

      ~Philly

    2. Re:Cut down the number of installers! by spongman · · Score: 1

      why didn't you just turn on the firewall and automatic updates and tell them that when their computer asks them to reboot they should do so ASAP?

    3. Re:Cut down the number of installers! by Trepalium · · Score: 1

      The problem for Windows is the brain damaged file locking mechanism. Files that are opened cannot be deleted by Windows. That means any programs and services that are running while you try to install a patch will prevent those files from being overwritten. Updating a program in UNIX involves deleting the old version and installing the new executable (or patch, delete, rename) and restarting whichever programs were using that file. If Windows had the ability to delete these locked files, most IE updates would take effect with just a simple restarting of IE and the shell, and possibly anything else that is using the MSHTML engine. In other words, log out, and log back in. It would make Windows servers far less painful to patch.

      --
      I used up all my sick days, so I'm calling in dead.
    4. Re:Cut down the number of installers! by ignorant_coward · · Score: 1

      Updating a program in UNIX involves deleting the old version and installing the new executable (or patch, delete, rename) and restarting whichever programs were using that file.

      You can even leave the old program running on the old files, if the old file's inodes can be left intact for a while.

      UNIX has stood the test of 30+ years of use, and much of it is basically the same, in principle. Windows is only now catching up on the basics, too (Windows is doomed to re-invent UNIX eventually...but poorly). This is why OpenSolaris is so much bigger than people give it credit for, and why Linux is never going away. The UNIX model is flexible enough and layered enough that the shortcomings are slowly but surely going away. I mean, who'd have imagined gorgeous UNIX desktop environments fifteen years ago?

    5. Re:Cut down the number of installers! by phillymjs · · Score: 1

      I did enable the firewall. As for automatic updates, I tried it, and using that dialup connection was painfully slow enough without the updates downloading in the background-- and by the time they get all of them that have been released since SP2, they'll have the cable modem and I'll be back out there.

      ~Philly

    6. Re:Cut down the number of installers! by spongman · · Score: 1

      automatic updates only download stuff when the network is otherwise idle.

    7. Re:Cut down the number of installers! by phillymjs · · Score: 1

      Well that *really* makes it useless, then-- nobody I know with dialup access stays logged in unless they're actively using the connection, so the updates will simply never be downloaded.

      ~Philly

    8. Re:Cut down the number of installers! by spongman · · Score: 1

      you'd be surprised how much idle bandwidth there is when someone's browsing the web...

    9. Re:Cut down the number of installers! by Thundersnatch · · Score: 1

      Microsoft releases Cumulative updates, which supersede and consolidate several previous stand-alone patches, on a fairly regular basis. These are pretty much equivalent to Apple's point releases.

      I recently installed a new XP system with SP2 integrated into the install, and after boot it only needed to download 5 patches. One of them was Cumulative update for IE May 2005 or something like that, and the others were non-IE patches. Only one reboot was required.

      Assuming you installed the original release of XP (with the network disconnected until you turn on the firewall, of course), then downloaded XP SP2, then patches, you would only need two reboots... and a lot of bandwidth and time.

      What MS should really be looking into is a sort of RSYNC-like download mechanism, so that only small file changes need to be transmitted. MS can host a current system image, and let the rsync-like algorithm figure out how to get there from the workstation's current state. This would be a major boon to dial-up and slow DSL/cable users, and would get them their patches much more quickly. BITS is a good start, in that it is much less obtrusive to the user, but current SP and patches are extremely wasteful of bandwidth in that they include a whole copy of a 1 MB executable even if it only contains a 32-byte change to fix a security hole.
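The rsync-style delta the comment above asks for, as an added example (not the poster's code and not how any Microsoft download service works): the receiver sends per-block checksums of the file it already has, the sender scans the new file with a rolling weak hash plus a strong hash to find blocks the receiver can reuse, and only the unmatched bytes travel. The block size, the 4 KB stand-in "executable" and the 32-byte change in it are constructed for the demo.

```python
import hashlib

BLOCK = 64          # block size; real rsync uses a few hundred bytes to a few KB
MOD = 65521         # Adler-32 modulus


def weak(chunk: bytes) -> tuple:
    """Adler-32 style weak checksum (a, b): cheap and rollable."""
    a, b = 1, 0
    for x in chunk:
        a = (a + x) % MOD
        b = (b + a) % MOD
    return a, b


def roll(a: int, b: int, out: int, inn: int, n: int) -> tuple:
    """Slide an n-byte window one byte: drop `out`, append `inn`, in O(1)."""
    a = (a - out + inn) % MOD
    b = (b - n * out + a - 1) % MOD
    return a, b


def signature(old: bytes, block: int = BLOCK) -> dict:
    """Receiver side: weak -> [(strong, block_index)] for every full block of
    the file it already has. This is all the receiver ever has to upload."""
    sig = {}
    for idx in range(len(old) // block):
        chunk = old[idx * block:(idx + 1) * block]
        a, b = weak(chunk)
        sig.setdefault((b << 16) | a, []).append(
            (hashlib.sha256(chunk).digest(), idx))
    return sig


def make_delta(sig: dict, new: bytes, block: int = BLOCK) -> list:
    """Sender side: scan `new` with a rolling window; emit ("copy", idx) where
    a window matches a block the receiver has, else accumulate literal bytes."""
    ops, lit = [], bytearray()
    i, n = 0, len(new)
    a = b = None
    while i + block <= n:
        if a is None:                         # (re)start the rolling hash
            a, b = weak(new[i:i + block])
        hit = None
        for strong, idx in sig.get((b << 16) | a, ()):
            if hashlib.sha256(new[i:i + block]).digest() == strong:
                hit = idx                     # strong hash rules out collisions
                break
        if hit is not None:
            if lit:
                ops.append(("lit", bytes(lit)))
                lit = bytearray()
            ops.append(("copy", hit))
            i += block
            a = None
        else:
            lit.append(new[i])
            if i + block < n:
                a, b = roll(a, b, new[i], new[i + block], block)
            i += 1
    lit.extend(new[i:])                       # unmatched tail
    if lit:
        ops.append(("lit", bytes(lit)))
    return ops


def apply_delta(old: bytes, ops: list, block: int = BLOCK) -> bytes:
    """Receiver side: rebuild the new file from local blocks plus literals."""
    out = bytearray()
    for kind, val in ops:
        out += old[val * block:(val + 1) * block] if kind == "copy" else val
    return bytes(out)


def demo_delta() -> dict:
    # Constructed stand-in for a 4 KB executable: pseudo-random but deterministic.
    old = b"".join(hashlib.sha256(b"blk%d" % k).digest() for k in range(128))
    # The "patched" build differs by a 32-byte change at offset 2000.
    new = old[:2000] + bytes(32) + old[2032:]
    ops = make_delta(signature(old), new)
    return {
        "file_bytes": len(new),
        "literal_bytes": sum(len(v) for k, v in ops if k == "lit"),
        "copied_blocks": sum(1 for k, _ in ops if k == "copy"),
        "reconstructed_ok": apply_delta(old, ops) == new,
    }
```

For the constructed 4096-byte file the delta carries 64 literal bytes (the one block touched by the change) and 63 block references, so the transfer is about 1.5% of the file. The weak hash alone is not trusted: a matching Adler-32 only earns a SHA-256 comparison, so a chosen collision cannot make the receiver splice in the wrong block.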

    10. Re:Cut down the number of installers! by oliverthered · · Score: 1

      (1 reboot) wow, typically my PC requires no reboots when I fix holes, and most of the time I don't even have to leave the desktop, I just su to an admin account from my normal account and do all the work there.

      --
      thank God the internet isn't a human right.
  24. Nice idea but... by Anonymous Coward · · Score: 0
    I think any exploit that was patched reliably in 24 hours, and patched forever, might be less dangerous than rashly coded bugfixes.

    If Service Packs were more frequent, if users' browsing practices were more informed, and if the already discovered exploits were acted on more swiftly by Microsoft and the larger/corporate-market antivirus companies like Norton (notorious for deciding some things, like certain trojans, just aren't worth detecting or fixing - just cross reference shinwow.java here and here, it gets privileges from the BYTEVERIFY.java exploit).

    <rant>
    Norton gives removal instructions - but what the site doesn't mention is NORTON PRODUCTS ON WINDOWS DO NOT DETECT THE PRESENCE OF THE VIRUS. Kaspersky, eTrust EZArmor, and others do detect the virus. Which begs the question, why doesn't Norton's latest home AV package?
    </rant>

    Basically, a guarantee from MS of 24 hour patching wouldn't be an end in itself IMHO. Also, it's easy to make Microsoft look bad if they've got so many exploits that they've got a rapid deployment of patches. Basically, I want Windows Updates the way my Mac updates, click the Apple->Software Update done. I've used it for just under 7 months, so far I've had 10.3.[7-9] and 10.4.[0-1]. In the same time Windows is Service Pack 2, and the only other notable change was the recent auto update about a change to auto update.

    So 5 updates to Panther/Tiger, maybe one I noticed for Windows. I wouldn't have any greater impression of security on Windows if daily patches were an option, I think it'd just be something for the CVS users to Beta test with no prospect of an Alpha, unless Longhorn is going to do that by RSS too :-)

  25. Cut down and simplify! by cloricus · · Score: 1

    I have to agree as well. (Linux plug coming up, though in a suggestive fashion, not a "use Linux" because it is better way.)

    We have an Ubuntu Linux test box here at work for our proxy (which has a similar configuration). We click the nice little red icon in the top right hand corner and then click update. This is followed by all of the hard work of forgetting about it completely and going onto more important things while it automatically does everything (updating etc) for us, which let me tell you is a huge strain compared to how easy Windows Update is... (*Ahem*)

    Though the ability to only have two or three small patches at a time allows us to _directly_ notice and quickly find out which patch caused the problem on our test box. This means we are far more willing to update as soon as patches are out to test them on our box and then - if they work nicely - update our main ubuntu proxy.

    When it comes to fighting with Windows Update or having a very nice and smooth update with Aptitude (or RPM, or Emerge, or ...etc...) I know which I prefer. So Microsoft really needs to look at this angle of things as it is possibly a cause of the lack of regular updating on the side of home users and sys admins.

    I personally think people are also looking at this the wrong way. If Microsoft had a 24 hour turn around it means they _would_ patch their software, something I could only dream of as a sysadmin...
    Open security holes that have no chance of being patched in msie anyone?
    My point of view - as a sys admin of a mainly Windows with some UNIX and Linux servers network - is that if Microsoft started releasing patches and fixes to start with (and then maybe we could look at doing it regularly) the web world and Windows itself would be a safer place.

    Also less stressful, though I guess my sanity isn't their concern... :|

    --
    I ate your fish.
  26. Which is what they do by samael · · Score: 1

    The current default is for patches to be downloaded automatically, applied instantly (if they can be) or at next reboot (if they can't). As the majority (un-sysadmined) Windows boxes are shut down at night by their home users, this works pretty well.

    All the PCs set up _before_ this was standard practice (XP SP1, I think) default the other way, and there are still an awful lot of those about.

  27. Microsoft Update by baadger · · Score: 1

    Slightly askew of the topic I noticed Microsoft seem to have recently released 'Microsoft Update' (Office and Windows Update rolled into one) for Windows 2000 users. So I now have Windows Update and Microsoft Update in my Start Menu. It crashed IE the first time I used it.

    Automatic updates doesn't seem to work well for me on 2000 either (the only time I've seen it notify me there are updates available is just now after doing a manual Microsoft Update).

    Forget prompt 24 hour updates, Microsoft can't even produce a decent update delivery system.

  28. Geeky Hell by Anonymous Coward · · Score: 1, Funny

    Wouldn't Hell have to malloc over before it could free over?

  29. Quality of Patch? by T-Bear · · Score: 1

    What would the quality of such a quickly turned around patch be? About the only thing they'd be able to truly guarantee is that you could install it. They couldn't have tested it very thoroughly to ensure it performed the intended functionality, much less that it didn't create more problems than it solved.

    I think as long as there's 1 main OS that the majority of people on the internet use, we simply have to accept the fact that it's going to be a target for malicious code.

    --
    Brian
  30. OS-free patch downloads would help a lot by davidwr · · Score: 1

    Here's something that WOULD help a lot:

    A way to easily download patches WITHOUT loading anything but a minimalist, self-protecting, OS with only one network application available - one that connected to Microsoft to download the patch.

    You can do this easily enough with DOS or Linux, just throw in modem and network drivers and an NTFS driver to write the patch files to the hard disk.

    Of course, MS would rather use XP. I'd recommend a stripped down version that boots into a "safe mode with networking and modem drivers only" mode, with the built-in firewall set to block all incoming traffic and all outgoing traffic to anywhere but www.microsoft.com. Patch the disk drivers so it will only allow read-write access to \patches on any disk. When you boot with this CD, it asks you if you want to dial up, use dhcp/autoconnect, or manually configure your network, then it connects to MS, downloads the patches, and reboots. It would also give you the option to delete files in the \patches directory/ies if needed to save space.

    Regular XP in turn would be modified to treat x:\patches as read-only and ignore any file not signed by MS.

    For added fun, the patching CDrom could allow copying of MS-signed files into the \patches directory from any source.

    Hmm, using Bart's Prebuild Environment builder, this may be 90% doable today without help from Microsoft.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  31. No - Free as in speech by SteeldrivingJon · · Score: 1
    Not free as in beer.

    --
    September 2011: Looking for Cocoa/iOS work in Boston area Cocoa Programmer Quincy, MA