Slashdot Mirror

← Back to Stories (view on slashdot.org)

Windows Update Can Hurt Security

Posted by kdawson on from the manufacturing-exploits-on-internet-time dept.

An anonymous reader writes "Researchers at Carnegie Mellon University have shown that given a buggy program with an unknown vulnerability, and a patch, it is possible automatically to create an exploit for unpatched systems. They demonstrate this by showing automatic patch-based exploit generation for several Windows vulnerabilities and patches can be achieved within a few minutes of when a patch is first released. From the article: 'One important security implication is that current patch distribution schemes which stagger patch distribution over long time periods, such as Windows Update... can detract from overall security, and should be redesigned.' The full paper is available as PDF, and will appear at the IEEE Security and Privacy Symposium in May."

5 of 220 comments (clear)

  1. Quiz by Lord+Grey · · Score: 5, Funny
    Fill in the blank:

    Windows _____________ Can Hurt Security
    1. 1) "Applications"
    2. 2) "Network Connectivity"
    3. 3) "Update"
    4. 4) "Users"
    5. 5) ""
    --
    // Beyond Here Lie Dragons
    1. Re:Quiz by 4D6963 · · Score: 5, Funny

      Fill in the blank:

      Windows _____________ Can Hurt Security

      1. 1) "Applications"
      2. 2) "Network Connectivity"
      3. 3) "Update"
      4. 4) "Users"
      5. 5) ""

      1. 6) "Profit"?
      --
      You just got troll'd!
    2. Re:Quiz by Gewalt · · Score: 2, Funny

      I think FTA is wrong Here, Here! I am also a firm believer that F'ng T A is just plain wrong. No one should do that.
      --
      Modding Trolls +1 inciteful since 1999
  2. No prob... by Last_Available_Usern · · Score: 2, Funny

    Just roll the entire i386 directory into every patch.

  3. Re:From the PDF: by Seth+Kriticos · · Score: 2, Funny

    Fast Patch Distribution: basically leveraging technologies like P2P to insure that patches are rolled out...well...fast. Problems again include off-line hoists, as well as hosts who have the misfortune of being on ISPs that take a dim view of P2P.

    Why not use the bot nets for this kind of stuff? I mean, previous article today already showed, that they have a quite effective way of patching arbitrary systems and distribute mass content.