Here is the abstract of the paper I submitted to ISSA 2006 today. It's mostly cut & paste from the introduction to one of my thesis chapters. I really should hand that in sometime. After Ben Nagy pointed out the awful flaws in my last attempt, I came up with some better arguments, but you only get to see those at or after the conference. I think they're pretty good.

Monthly Patch Release Schedules: Do the Benefits Outweigh the Risks?
Dominic White, Deloitte
Barry Irwin, Rhodes University
Effective policies are not only the responsibility of the users of software (end-users); software vendors must also have a clear understanding of how they manage the patches they release and the best way to release them. Historically, vulnerability disclosure and responding to vulnerabilities have proved difficult to standardise, with a high level of confusion and antagonism between security researchers and vendors. To combat this and ensure meaningful and useful interaction between researchers and vendors, several disclosure policies have been suggested; a resource dedicated to collecting publications related to disclosure lists a total of twenty-two different disclosure policies published between 1999 and 2004 [1] by vendors, security researchers and third parties. This confusion makes it difficult for vendors to standardise on a release policy, and instead the responsibility for formulating an effective patch management policy is passed on to the end-user. As will be demonstrated in this paper, this is because the type of disclosure has an impact on the effectiveness of a patch release policy.
In an effort to ease the administrative burden of patching on end-users, some vendors have decided to move to a predictable patch release schedule. The first vendor to announce such a move was Microsoft; soon afterwards Oracle and Adobe announced they would also move to a predictable cycle. John Pescatore of Gartner believes predictable patch release schedules are on their way to becoming an industry standard [2]. However, simplifying a patch release cycle ignores the complexities that the full disclosure debate has introduced. In both Microsoft's and Oracle's case the reactions to the announcements were varied: some security experts were for the move, others against, and the majority were silent; the lack of consensus indicated a shortage of research and understanding as to the possible effects. Since then both Microsoft and Oracle have come under heavy criticism, and received praise, for their patch schedule implementations from security professionals commenting on the same events. Propagating this policy to other vendors without a thorough analysis and with little understanding of the effects would not be desirable.
Surface observations of the implemented schedules have revealed both successes and failures. This paper provides a detailed argumentative analysis of patch release schedules and their effectiveness. By examining examples of how various types of disclosure affect the risks faced by end-users, recommendations on how patch schedules should be implemented, and when they are effective or not, are formulated. In addition, lessons learned from recent public security incidents are used to suggest additional improvements to the process. The resulting observations are used to describe a method for other vendors to implement such a cycle that will both minimise risk and help ease the burden of patching on administrators.
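The abstract's central claim is that the disclosure type decides whether a fixed schedule costs end-users anything. The following Python sketch is an added illustration, not part of the paper or the post: it models the public exposure window (days between public disclosure and patch availability) under three release policies. The vulnerabilities, dates, the 14th-of-the-month release day and the "hybrid" rule (keep the schedule for private reports, ship out-of-band once details are public) are all assumptions chosen for the illustration, and the model treats a privately reported flaw as having zero public exposure, which is a simplification.

```python
# Added illustration (not the paper's own analysis): public exposure windows
# under immediate, scheduled and hybrid patch release policies.
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class Vuln:
    """One vulnerability as the vendor sees it (constructed sample, not real data)."""
    name: str
    public_from: Optional[date]   # day the details became public; None = still private
    fix_ready: date               # day the vendor has a tested patch in hand


def next_scheduled_release(after: date, release_day: int = 14) -> date:
    """First scheduled release on or after `after` (release_day is an assumed day of month)."""
    candidate = after.replace(day=release_day)
    if candidate < after:
        year, month = (after.year + 1, 1) if after.month == 12 else (after.year, after.month + 1)
        candidate = date(year, month, release_day)
    return candidate


def ship_date(v: Vuln, policy: str, release_day: int = 14) -> date:
    """Day the patch leaves the vendor under the given policy."""
    scheduled = next_scheduled_release(v.fix_ready, release_day)
    if policy == "immediate":
        return v.fix_ready
    if policy == "scheduled":
        return scheduled
    if policy == "hybrid":
        # Assumed rule: privately reported issues wait for the cycle; once the
        # details are public before the scheduled date, ship as soon as a fix exists.
        if v.public_from is not None and v.public_from < scheduled:
            return max(v.fix_ready, v.public_from)
        return scheduled
    raise ValueError(f"unknown policy: {policy}")


def exposure_days(v: Vuln, policy: str, release_day: int = 14) -> int:
    """Days the public knows about the flaw before a patch is available."""
    if v.public_from is None:
        return 0  # simplification: a private report carries no public exposure
    return max(0, (ship_date(v, policy, release_day) - v.public_from).days)


def compare(vulns: Iterable[Vuln], release_day: int = 14) -> Dict[str, Dict[str, int]]:
    """Exposure window per vulnerability and policy, for side-by-side comparison."""
    policies = ("immediate", "scheduled", "hybrid")
    return {v.name: {p: exposure_days(v, p, release_day) for p in policies} for v in vulns}


# Constructed sample: the dates are invented to exercise the different disclosure cases.
SAMPLE = [
    Vuln("public-before-fix", date(2006, 3, 1), date(2006, 3, 5)),
    Vuln("private-report", None, date(2006, 3, 20)),
    Vuln("public-just-after-cycle", date(2006, 3, 18), date(2006, 3, 20)),
    Vuln("fix-lands-on-release-day", date(2006, 2, 20), date(2006, 3, 14)),
]

if __name__ == "__main__":
    for name, row in compare(SAMPLE).items():
        print(f"{name:28s} " + "  ".join(f"{p}={d:2d}d" for p, d in row.items()))
```

The comparison makes the abstract's point concrete: for a privately reported flaw the schedule adds no public exposure, while for a flaw disclosed just after a cycle the scheduled policy stretches the window to almost a full month (27 days in the sample) against 2 days for immediate or hybrid release.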
REFERENCES
[1] Vulnerability disclosure publications and discussion tracking. University of Oulu, Electrical and Information Engineering Department (May 10, 2005).
Available at: http://www.ee.oulu.fi/research/ouspg/sage/disclosure-tracking/
[2] McMillan, Robert. Adobe Adopts Monthly Patch Cycle. IDG News Service (December 15, 2005).
Available at: http://www.pcworld.com/resource/article/0,aid,123935,pg,
Barry Irwin

Schneier on Security: Friday Squid Blogging: Preserving Giant Squid
03/23/2006 05:34:30 PM
Do a friend a favour and hijack a blog today
So can your friends ever hijack an entry on your blog? This entry certainly comes close. Notice how many relevant comments there are. I have to say I have my fair share of the blame to carry :), even though it was one Charmaine Jelbert who led from th