Patches a bad idea?



More content will be added to fill this space at some point in the future.

home :: Diary :: commentary :: newsBBC :: 3485972.txt

Tue, 02 Mar 2004

Patches a bad idea?

Hackers exploit Windows patches

It appears that hackers are reverse-engineering the patches that come out of Microsoft in order to produce attacks against them. I can believe that, it is hard work to find a hole, particularly if you don't have a copy of the source (though people do manage it, as people report holes to Microsoft in the first place).

That said, it does not appear to be the solution to either not release the source, or to not release the patch. Sure, there will be fewer large virus outbreaks, but there will still be people who are able to take advantage of the holes that were there in the first place, they just wont make it well-known, and their method of entry will nto be discovered.

This stinks of the articles that we got last month when Microsoft mislaid some of the Windows source-code. There was a fit of people saying how terrible it would be for the source-code to fall into the hands of hackers who would be able to use it to exploit the code. Well, maybe if the code was better written and security audited in the first-place, there would be less chance of them being able to exploit it. Wouldn't it be terrible if the source to the software that runs most of the Internet infrastructure and servers got into the open. There would be a massive spate of attacks, the Internet would collapse? Well, no, Apache is Open Source, Bind is Open Source, Linux is, FreeBSD is, We can go on for a while. OK, so none of this software is exploit-proof, but there are no more exploits in this code where the source is in the open, than in the Microsoft Code that is kept safely away from the eyes of nasty hackers. Oh, and the software is updated much faster than the Microsoft holes (though they are getting better these days), and you can fix holes in old software without having to upgrade your infrastructure to the bleeding edge version that has support, potentially breaking your custom apps. I have seen people not upgrade an insecure system because their vendor wouldn't support their database, for example, on the new platform.

Last updated: 12:00, 02 Mar 2004 Link..