Massive Releases of Security Fixes and Vendor Responsibility

for a couple of years now microsoft has released its security patches periodically and systematically: once a month.

there are things to be said both for and against their system, such as:
for – it allows you to organize accordingly, allocate resources, plan your work for the following month without too many disruptions, develop a policy for implementing patches, estimate the time needed for full deployment, etc.
against – you need to deal with several patches at once, stop everything you are doing for a burst of massive work, and you sit vulnerable while waiting for the patches rather than getting each one as soon as possible, etc.

to be honest i like microsoft's system (if i am to ignore how long it takes them to actually release patches. with one of the latest vulnerabilities it took one hundred and sixty two days for a patch to be released, and for what? a font handling vulnerability.)

[does anyone here care to wager how long it took oracle to release some of its new patches? i'll give you a hint: we can count it in years.]

still, some vendors don't follow microsoft's good example of monthly releases. take oracle, for example.
once in a blue moon they come out with so many patches at once that it is difficult to count them. one such time was this week.

even though i disagree with david litchfield's way of putting things in absolute, extreme terms and then calling it an "opinion", people should read what he has to say about oracle's way of handling vulnerabilities. he knows what he is talking about.

putting oracle’s ability aside for a moment, i would like to just tell oracle one thing:
a thousand patches released at once is horrible, get a grip!

if i am to follow dave's lead on oracle's history, i suppose we will soon find out how many of these patches actually work…

try releasing them a bit more responsibly. we should forget about responsible researchers, responsible disclosure and all that shizzle and start talking about responsible vendors.

if the vendors are not responsible, how can they expect researchers to be?

gadi evron,
ge@beyondsecurity.com.

Comment from Matthew Murphy (http://blogs.securiteam.com/index.php/archives/author/mattmurphy/):

    You think the EOT vuln is bad, check out eEye’s upcoming page, where there are three MS vulnerabilities waiting unpatched, one of which is 200+ days from report. Microsoft just doesn’t have a fucking clue. Bottom line.