<<< Date Index >>>     <<< Thread Index >>>

Re: After Ms patches last Wed ...



        This brings the question: Are Mondo-sized patches like
MS04-011 a good idea or a bad idea?


        On the one hand, they correct a lot of problems, in a way very
friendly to most users.  One of the big headaches is the ignorant
users, who end up worm-bait, botnets, spam relays, stepping stones,
etc.  Allowing them to easily be up to date is a good thing.

        Additionally, it removes some of the judgement calls on patch
severity/urgency, because there is probabyl going to be at least one
"you better patch it now", so there is less likely to be an "Microsoft
only rates this as important because you have to be authenticated in
the domain..." moment.


        But on the other hand, the probability of the superpatch
causing problems is exacerbated.  If each normal patch has a
probability P of causing problems, then an N-fold patch has
probability (1 - P)^N of NOT causing a problem.  Thus the probability
is 1 - (1 - P)^N that the N-way patch will have an issue.

        For real-world numbers, if P = .1 (10% chance the patch may be
problematic) and N is 10, then the patch has a 65% chance of being a
problem.  Even if P is .01, there is still a nearly 10% chance of
problems from a 10-way superpatch.


        This is now worse as the attackers have finally started waking
up to the reality of worms.  With vulnerabilities like the ones in the
superpatch, and with attackers demonstrating a <48 hour turnaround
time between disclosure and worm (Witty) or exploit and worm (Sasser),
these superpatches leave an adminitrator in a bind: Apply the
superpatch immeditely and accept the significantly increased
probability of failure, or don't apply the patch and accept the vastly
high probability of a worm in the near future.


-- 
Nicholas C. Weaver                                 nweaver@xxxxxxxxxxxxxxx