It's Not The Number of Patches, But the Effect
Microsoft released updates today that patch 23 vulnerabilities in Windows, Internet Explorer, Excel and a host of other software the company makes.
Microsoft patches 'insane' number of bugs
To quote:
More dangerous than the sheer number of patches, however, is the fact that nearly half fix flaws that are already being exploited or are publicly known in enough detail to craft working exploits. In some cases, sample attack code is available...
"What really caught our eye is the large number of exploits that are already available," said Wolfgang Kandek, chief technology officer at security company Qualys Inc. "Out of the 23, there are 10 exploits or [flaws] that have proof-of-concept. This is a huge deal and shows just how much the patch window is shrinking." ...
That's exactly why this month's patches are so important, [Andrew] Storms said -- not because the quantity is a "giant leap" from the past three months, but because of the in-the-wild exploits and the proof-of-concept code samples publicly available. "Once Microsoft releases the patch, what's in there is what they've fixed, and [attackers] can more easily see where their exploit code is working and not working. It lets them create code that's more exploitable more often," he explained.
Insanity? Indeed. First, patching offers a perverse incentive for software manufacturers: it gives software makers the opportunity to "re-negotiate" contract terms that buyers could not negotiate in the first place (recall Windows Media Player, XP SP3, and every time iTunes patches a vulnerability). Second, patching allows cyber attackers to optimize their techniques, promoting exactly the behavior patching is intended to discourage (patching is meant to take away an attacker's capability, not refine it). In either case, the effect is less than satisfactory.
The problem here is that neither software manufacturers nor cyber attackers can self-correct without an external stimulus; that is, neither will consciously make themselves worse off by altering current behavior unless they are pressured to do so. Software manufacturers will not forgo a powerful tool that allows them to optimize their market and legal protections (no matter the argument that fixing bugs in production is 100 times more expensive than fixing them in development); cyber attackers will not forgo the benefits of exploiting software vulnerabilities in tens of millions of computer systems.
We have a choice. We can attempt to change the incentives for an unknown number of globally distributed, unidentified cyber attackers through increased law enforcement and frenetic patching, or we can change the incentives of a few thousand well-known software executives and encourage them to stop supplying attackers with new vulnerabilities on a continuing basis.
One choice might be less insane than the other, and the effect, far more desirable.