Thursday, April 24, 2008

Patches Pose Significant Risk

Well - i guess that's understood, eh? At least for me!

I was reading interesting article on Security Focus about researchers saying that Patches pose significant risk. I quote from this article:

“ When Microsoft releases a patch, what they are saying -- from a security standpoint -- is, 'Here is an exploit.' ” - David Brumley

I personally think that's understood. Of course, when there is new vulnerability available in any software it is actually a exploit. When any organization release the patch for that specific vulnerability - they do states the severity rating as well and in their advisory they clearly state that it should be deployed accordingly to its severity. Now , if the organization doesn't have proper patch management process then why blame Microsoft or specific software vendors?

I don't agree with David Brumley comments. In fact, releasing a patch does pose significant risk but deploying the specific patch in due time also reduce the significant risk.

Well, when we will stop whinging around about the exploits? We should start thinking practically and try to worry about the real problem which is patch management and deployment.

2 comments:

Roger Halbheer said...

Hi Shoaib,
you asked me to comment on that. Sorry, it took a little bit longer but I am happy to do this: http://blogs.technet.com/rhalbheer/archive/2008/04/25/security-updates-and-exploits.aspx
Cheers,
Roger

Shoaib Yousuf said...

Hi Roger,

Thanks for your valuable comments.

As always your comments and views are very important and informative.

Cheers

Shoaib