Windows Update Can Hurt Security
An anonymous reader writes "Researchers at Carnegie Mellon University have shown that given a buggy program with an unknown vulnerability, and a patch, it is possible automatically to create an exploit for unpatched systems. They demonstrate this by showing that automatic patch-based exploit generation for several Windows vulnerabilities and patches can be achieved within a few minutes of when a patch is first released. From the article: 'One important security implication is that current patch distribution schemes which stagger patch distribution over long time periods, such as Windows Update... can detract from overall security, and should be redesigned.' The full paper is available as PDF, and will appear at the IEEE Security and Privacy Symposium in May."
6) "All of the above" I don't usually pay any attention whatsoever to these Windows Security updates except for comedic value. I use Debian behind two firewalls so it really doesn't affect me.
The Tea Party is just the GOP with a bag over its head.
(7) Cowboy Neal.
Because in Linux you only need to reboot if you're messing around in the kernel. Everything else can be patched and then restarted. Why Windows needs to reboot for something that isn't kernel related is rather odd to me.
You can't have everyone everywhere patched at the exact same time, and even if it were possible, it is not a good idea.
Let's suppose that someone did come up with a good way to distribute patches to the whole world instantaneously & simultaneously.
Now let's suppose that Employee X at Microsoft accidentally put the wrong version of the latest patch into the system, and that this version of the patch fixes the targeted problem, but breaks the MS TCP/IP stack in the process.
What would happen if every single Windows box in the entire world simultaneously lost all network connectivity?
Scenario 2: Employee Y at Microsoft deliberately puts a maliciously edited patch into this instant distribution system, and now has a rootkit on every Windows box in the whole world?
Somehow I think it is a good thing that some victims... I mean people get patches before other people do.