[ISN] Security UPDATE--Search Engines Increase Web Site Security--January 19, 2005

[InfoSec News]

Forwarded from: matthew patton <pattonme at yahoo.com>
 
> ==== 3. Security Matters Blog ====
>    by Mark Joseph Edwards,
> http://www.windowsitpro.com/securitymatters
> 
> Check out these recent entries in the Security Matters blog:
> 
> The Race to Protect Customers
>    Ever wonder what goes on inside a company that provides security
> solutions on "Patch Tuesday"? Learn about the scramble that takes
> place in order to protect customers before exploits are turned loose
> on the unsuspecting public.
>    http://www.windowsitpro.com/Article/ArticleID/45063

from the article:
"The engineers have 24 hours to meet service-level agreements with
their customers to determine what has changed in the software and to
deliver tests that the customers can use to decide whether their
systems need to be patched."

Now I can understand wanting to know what MS changed in a patch but if
there is a critical or important patch released, on what possible
basis would you NOT patch it unless you think you've mitigated the
risk or bought yourself some time thru other methods, or you flat-out
don't trust MS to break your box? Why would you think the patch
doesn't apply to your system? If you run a service that has a new
patch out, it's trivially obvious that the patch applies to you and
needs to be applied. Why would you need a tool written in less than
24hrs by over-caffinated coders to tell you the software on a box was
the vulnerable version? If it's not patched, of course it's bloody
vulnerable. I don't get what the "program to test to see if you're
vulnerable" buys anybody. Sure, it's useful if you're in the
vulnerability scan market and you want to release a signature
overnight. Do IT shops really have no clue what resources they
supposedly are responsible for that they launch a vuln probing tool
every patch Tuesday+1 to get a list of boxes they gotta fix?