Standards of operations in our industry – current status
[updated a bit to underline important points, as well as clarify my meaning]
after the whole wmf “thingie” was over (at least an official patch was released, don’t know how over it really is), i came out with a revelation and posted about it in microsoft, patches and what we really learned from the wmf 0day. i believe my explanation of it was lacking and as i feel it is important, shall strive to do better.
microsoft did nothing wrong, in fact, they did great. microsoft is an easy choice in this case because even though each case varies and some vulnerabilities are much more difficult to handle, they showed a capability here to deal with issues much faster than usual.
now, the point i am trying to make is not ms-specific, but rather about our standards in the industry. i may at times be a critic of microsoft, but i have nothing against them.
as an example, take false positives. a huge problem i[dp]s experts try and deal with every day, invest a lot of time in, and yet can’t solve… therefore we got used in the industry to a level of false positives.
same goes to vulnerability scanners.. false positives appear as a way of nature.
and yet, some vendors are different than others. in i[dp]s as well as vulnerability scanning. with some vendors, they invest less in features and more in eliminating false positives. they treat them as full-blown bugs rather than “something to live with”. it works — at least better than with others.
same goes as to patches.
in the oracle discussion on bugtraq a few months ago i was in complete agreement with dave that oracle’s handling of vulnerabilities is pretty bad, to say the least. but my opinion was that the medium was wrong, and in some cases – the medium is the message. that’s something dave and i would have to disagree on.
in this case though, it is once again about standards. microsoft shows oracle is not alone in being irresponsible an unresponsive, although they [microsoft] achieved amazing progress, especially in the last couple of years.
if a reliable patch can be put through full testing and released within days when it is taken seriously enough and resources are invested – no matter for what reason, i see no reason myself that this can’t become common practice. that is if this patch really was fully tested.. but that’s beside the point (for this post which does not discuss beta patches, that can only be of use to those who want them).
we should be practical in our demands, but if in practice this can be done in days like in the wmf case (however relatively simple it might have been — not all vulnerabilities and patches are born equal), surely vendors can step it up a notch on critical issues.
microsoft runs on most of the computers on this planet, therefore they are to be treated different for better and for worse. a year+ of waiting for a patch while people might be exploited and are indeed exposed is unacceptable according to standards we should be upholding now that we know what is possible.
more over, a hundred or more days of waiting should have been completely unacceptable even before the wmf 0day case.
[side note: i do not mind the once a month release of patches microsoft has, for example (that is a great system), but rather that it be done a few months less on cases that so far have been dealt with in a ridiculous amount of time.]
simple buffer overflows that still appear in products every other day as well as other examples are more issues to consider as unacceptable these days, but as the vendors seem to be dictating what the industry standards are and what we should expect, i don’t really foresee a change in the near future.
we are like a toad. throw us into boiling water and we would jump right out, screaming. slowly raise the temperature of the water and we might not even notice it.
then suddenly.. we see bright light, and that is that standards in the industry are too low.
this is my opinion — i may be wrong and would like to hear some thoughts on the subject but whatever else, it is now clear there is something better and practical for us to strive for.
any unaddressed problem is one more solution to sell, sometimes even an entire new market to explore which deals with problems another did not solve or create (patch management is one example, application firewalls is another). any unaddressed problem that is accepted by the market as unavoidable is one less expense to deal with.