
SANS ISC InfoSec Handlers Diary Blog



A Nonsensical Proposal - Beta Patches

Published: 2006-04-04
Last Updated: 2006-04-04 02:09:11 UTC
by Tom Liston (Version: 1)

"A little nonsense now and then, is cherished by the wisest men."
                                                                            -[W|B]illy Wonka

The Oompah Loompahs are, once again, hard at work, cooking up a fresh new batch of Everlasting Hack-Stoppers (i.e. IE Patches) in Billy Wonka's Redmond Chocolate factory.

Good for them.

These fresh, new Everlasting Hack-Stoppers are aimed at fixing two unpatched vulnerabilities in Wonka's World-wide Web Browser (i.e. IE).  Just like back in January, exploits are a'circulatin' while we wait for the Oompah Loompahs to complete their tasks.

"So much time, and so little to do! Strike that, reverse it."
                                                                            -[W|B]illy Wonka

I, personally, have a whole lot of respect for the Oompah Loompahs and for the tasks that Billy Wonka has placed before them-- but let's get serious.  Microsoft has been slinging Windows code for around a decade and a half now, and we still find ourselves waiting weeks for the other shoe to drop while security patches are tested and translated into every modern language and Latin (Quidquid latine dictum, altum videtur.)

The problem is: every admin worth his salt will be re-testing that same patch once it's released.  And that, my dear friends, means that even when the patch is released, the corporate world will still be waiting.

"We are the music makers, and we are the dreamers of dreams"
                                                                             -[W|B]illy Wonka

Why should patches for flaws with public exploits be delayed still further, by several days of in-house testing beyond their release date?  Why should the Oompah Loompahs get all of the patch-testing fun?

I, a dreamer of dreams, have a modest proposal for Mr. Wonka.  Release your Everlasting Hack-Stoppers twice.  When there are public exploits in circulation, release un-supported beta patches as early as possible.  Let the end users have a crack at testing them CONCURRENTLY with your Oompah Loompahs.  You can put all kinds of onerous click-through "WE ARE NOT RESPONSIBLE" verbiage on them, and let 'em rip.  You could even create a return pathway for the testing public to send reports back to Redmond.  That would give your testing program a wider range of real-world experience than all the Oompah Loompahs in Redmond could provide. Finally, when the Oompah Loompahs are through testing, release 'em for real.

With two sets of zero-day IE flaws hitting thus far in 2006, don't you think the current state of the patch cycle is worth a little dreaming?

Finally, before I bid you my fond farewell as Handler of the Day, I'll pull out my Nostradamus beanie and leave you with a prediction: Crpk wep xpdw apvk, up uohh fpp v svtck OP fpqgkowa offgp qvgfpi na wep gxqcgjhoxl cz VqworpD qcip igp wc wep Pchvf jvwpxw.

Good night, Mrs. Calabash-- wherever you are.



Tom Liston - Intelguardians
