GSM Gaining Ground In North America
Going Out On A Limb: Camera Phones Will Catch On

Microsoft Increases Security By Patching Less

Overhype

from the counter-intuitive dept

Thu, Oct 9th 2003 5:05pmMike Masnick
Let's see if we can follow the logic on this one. Because Windows systems need to be patched on a very regular basis, people are concerned about its security. Microsoft has responded to this by announcing they'll now release fewer patches. Sounds counter intuitive. However, the reasoning isn't that bad. Basically, most folks don't patch their system that often, because the day after you patch, it seems like another patch gets released - and if you're just going to spend your days updating your system, why bother at all? Thus, the thinking is that if they only release patches once a month, it will be a bigger deal (patch party!) and people will be more willing to install the patch. Of course, that does mean that security holes and bugs will remain open longer for those who normally do patch quickly. Microsoft claims that many hackers are using the patches as a blueprint for exploits - so getting more people to patch regularly, rather than patching often, should protect more machines. Not sure if things will actually work that way, but it's an interesting theory.
7 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    w.h., 9 Oct 2003 @ 8:19pm

    No Subject Given

    I think there's a few ways they could actually make that sort of thing work.

    The key thing is that if an exploit is out in the wild, you have no choice but to release the patch.

    link to this | view in thread ]

  2. identicon
    Home Delivery, 9 Oct 2003 @ 10:37pm

    No Subject Given

    Reminds me of how MS "fixed" UAEs by renaming them GPFs.

    link to this | view in thread ]

  3. identicon
    Anonymous Coward, 9 Oct 2003 @ 11:56pm

    Re: No Subject Given

    Yeha. I like the laughable idea that the fixes are being use to make exploits. No, but the exploits may be used for the fixes. It's all about the source code, people, and one of them's open.

    link to this | view in thread ]

  4. identicon
    Anonymous Coward, 9 Oct 2003 @ 11:56pm

    Instutionalized Patching? It could work.

    Let's designate Monday as patch day and move the work week to 4 days. With the rank-and-file getting Monday off and the Techies doing the patching getting Friday off. That will move the *real* work (interfacing with managment/rank-and-file) to three days a week.... it will be paradize, trust me.

    link to this | view in thread ]

  5. identicon
    AMetamorphosis, 10 Oct 2003 @ 7:36am

    Critical Updates ...

    Wasn't the automatic notification of needed patches supposed to solve this problem ? I have my workstation set to alert me to when critical updates are available but I always review them before proceeding.
    On the other hand though, I sort of like the idea that Microsoft appears to be leaning towards a defined distribution of patches. If we have to slog our way through constantly patching the product @ least we can make it a part of our monthly tasks and schedule appropriately for this task. As it stands now, every time there is another security issue we get stuck having to place everything else on hold in order to attempt to protect ourselves.

    link to this | view in thread ]

  6. identicon
    LittleW0lf, 10 Oct 2003 @ 2:25pm

    Re: No Subject Given

    Reminds me of how MS "fixed" UAEs by renaming them GPFs.

    Or how Microsoft fixed RPC DCOM in MS01-048, MS03-026 and MS03-039, only to have it come out again this week that RPC DCOM is vulnerable to the same bug, just that the mechanism to get to it has changed. I swear, Microsoft appears to be fixing the code solely to make the exploit not work, not actually fixing the vulnerability!

    Just another reason why close-source security being more secure than open-source security is a farce, if the open-source folks fixed the exploit instead of the vulnerability, then everyone could see that they are idiots. With close-source, only the bad guys can see that they are idiots, but they are still idiots.

    link to this | view in thread ]

  7. identicon
    Anonymous Coward, 12 Oct 2003 @ 5:37pm

    Re: No Subject Given

    Not laughable at all: disassembling a patch gives an exact map to what was wrong with the old code.
    It's almost -- but not quite -- the same as publishing an exploit.

    link to this | view in thread ]


GSM Gaining Ground In North America
Going Out On A Limb: Camera Phones Will Catch On
Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

Friday

19:39 Important Announcement: Techdirt Is Migrating To A New Platform (0)
More arrow

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.