About 15 Minutes

So… (you can tell I work for Microsoft, I start sentences with “so”) when you design software, you typically try to design out the “known vulnerabilities”. However, that is by its nature a process that can never be perfect, and what is ‘safe’ today might be shown to be ‘unsafe’ tomorrow. Not being perfect, the software will always have flaws; some of those flaws can be exploited, making you, the user, vulnerable, which means that after it has shipped you require a security update from the software manufacturer. Some vulnerabilities are not patchable per se: they require a fundamental change in the underlying structure of the software in order to make it safe, and that change in turn ‘cascades’ through the software in question to the point that you would have to “rebuild the software from scratch”.

As a result, any particular release of software will have some vulnerabilities it is built to defend against, some it can be patched against, and some that will require the “next release” (or additional measures of defence in depth) to defend against, because the release lacks the underlying infrastructure to make an internal defence feasible.

Why am I talking about this? Because we recently announced that we would be keeping XP SP3 in extended support until 2014, and I am being asked by people whether “it’s ok not to upgrade from XP?” Well, the answer is not a simple one and depends on a balance of issues, the cost of implementing an upgrade being one of them, but my view would be to upgrade to the latest version of software you can, because intrinsically you will have fewer vulnerabilities to worry about.

While on the topic of security updates, I would like to relate a story. On holiday recently, my friend’s niece asked me to look at their laptop because they could not connect to the wireless network, so I did a brief check on Windows Update, as I always do, and found dozens of unapplied updates. So I asked them why they hadn’t applied them… the answer, “I didn’t know I was supposed to”, shocked me… I suppose that it shouldn’t have, but because I work in the security space I just assume that everyone gets the fact that they should apply updates and do so as quickly as they can… oh, and the wireless card was unfixable, also not actually present…

I know that many organisations want to test an update before they apply it, but a lot of people (over 500 million) worldwide apply updates, and most of those are trouble free… so testing against “Word” for compatibility issues isn’t likely to buy you very much in a real sense except a delay. I’m not saying don’t test, but focus that testing on your actual mission-critical or custom-built apps… and get the update out there ASAP, get protected…

One Response to “About 15 Minutes”

  1. Stuart Says:

    And when "we go out of band" (normally updates are done on the 2nd Tuesday of every month) we are doing so because it is a very serious issue in active use… http://blogs.technet.com/b/msrc/archive/2010/07/29/out-of-band-release-to-address-microsoft-security-advisory-2286198.aspx, so you might want to be super diligent in getting the update out and deployed.
