January 04, 2006

SANS Says Microsoft is "Negligent and Irresponsible"

Hard language from Alan Paller today:

"Microsoft's delay is inexcusable," said Alan Paller, director of research at computer security group SANS Institute. "There's no excuse other than incompetence and negligence."

This language was so harsh that I figured I had to put it up. As a quick aside though, why is Microsoft "negligent and incompetent" for not fixing this during the three days it's been public whereas Oracle has left critical security bugs unpatched for years and nobody cares?

Anyway, as I said yesterday, there's a reason that patches go through a QA process and that most enterprises don't replace pieces of the operating system in vendor-unsupported ways. It's a question of reliability vs. security - SANS assumes, since security's their purview, that security is the number 1 priority. If that's true - that security is the most important thing - then Microsoft's failure to release a patch is, as they said, "incompetent and negligent". However, if stability and reproducibility are the top priorities (with security perhaps a close second), then releasing a patch without appropriate QA or the ability to support it is the negligent action. I'm with Microsoft on this one - security should support stability, not vice versa.

Security is not an end. The goal of security is to protect assets, reduce downtime, and save money. Things that increase downtime and cost money (through extra administrative overhead) while providing some small benefit in the area of asset protection are more "insecure" in my opinion than being vulnerable to the "sploit du jour". Trust me, installing an unsupported operating system component against the advice of the vendor is asking for trouble.

The "install the patch now" folks are right - there could be hell to pay from staying vulnerable. On the other hand, if you're the typical enterprise you'll have tons of vulnerabilities from yesteryear that still aren't fixed in the nooks and crannies of your systems; is it worth "leaping into the fire" by pushing out unsupported software globally in order to guard against what *could* happen?

Posted by Ed at January 4, 2006 03:21 PM