Mon. Aug 18, 2003
Patch and Pray
Patch and Pray – Given the recent debacle of the LovSan Worm attacking Windows XP systems that hadn’t been updated in the previous 6 weeks, this article seems most pertinent: “Patching no longer works. Partly, it’s a volume problem. There are simply too many vulnerabilities requiring too many combinations of patches coming too fast. Picture Lucy and Ethel in the chocolate factory – just take out the humor.”
“ ‘We’re between a rock and a hard place,’ says Bob Wynn, CISO of the state of Georgia. ‘No one can manage this effectively. I can’t just automatically deploy a patch. And because the time it takes for a virus to spread is so compressed now, I don’t have time to test them before I patch either.’ ”
“One patch, for example, worked fine for everyone – except the unlucky users who happened to have a certain Compaq system connected to a certain RAID array without certain updated drivers. In which case the patch knocked out the storage array.”
“Yet for many who haven’t dealt directly with patches, there’s a sense that patches are simply click-and-fix. In reality, they’re often patch-and-pray. At the very least, they require testing. Some financial institutions, says Shawn Hernan, team leader for vulnerability handling in the CERT Coordination Center at the Software Engineering Institute (SEI), mandate six weeks of regression testing before a patch goes live. Third-party vendors often take months after a patch is released to certify that it won’t break their applications.”
“All of which makes the post-outbreak admonishing to ‘Patch more vigilantly’ farcical and, probably to some, offensive.”
The article is primarily tilted towards corporate systems, but the picture is no more certain for the home user. Given the hoopla last week, I did an overdue “Windows Update,” and it took almost half an hour to download and install the updates … via DSL. For the average dialup user, that translates to somewhere between four hours and infinity. Between those who are simply unaware of the need for updates, and those who are very aware of how long it takes, it is little wonder there are so many unpatched systems out there.
Heck, they arrive that way. I literally took a brand new system out of the box the Monday the LovSan worm really took off, a system that had been “burned in” mere days before, and it was vulnerable from the moment it was turned on.
Even Dell doesn’t patch their systems before they ship them. What’s a consumer to do?