Patch and Pray

By Scott Berinato

"How do I know when I need to reapply a security roll-up patch? Do I then need to reapply Win2K Service Pack 2? Do I need to re-install hot fixes after more recent SPs?" Similar questions were posed to a third-party services company in a security newsletter. The answer was a page-and-a-half long.

There's also markedly little record-keeping or archiving around patches, leaving vendors to make the same mistakes over and over without building up knowledge about when and where vulnerabilities arise and how to avoid them. For example, Apple's Safari Web browser contained a significant security flaw in the way it validated certificates using SSL encryption, which required a patch. Every browser ever built before Safari, Hernan says, had contained the same flaw.

"I'd like to think there's a way to improve the process here," says Mykolas Rambus, CIO of financial services company WP Carey. "It would take an industry body--a nonprofit consortium-type setup--to create standard naming conventions, to production test an insane number of these things, and to keep a database of knowledge on the patches so I could look up what other companies like mine did with their patching and what happened."

Rambus doesn't sound hopeful.

There won't be a formal announcement of the fact, and no one really planned it this way, but Slammer has become something of a turning point. The fury of its 10-minute conflagration, and the ensuing comedy of a gaggle of firefighters untangling their hoses, rushing to the scene and finding that the building had already burned down, left enough of an impression to convince many that patching, as currently practiced, really doesn't work.
