Print 30 comment(s) - last by foolsgambit11.. on Dec 30 at 5:14 PM

Is hurrying a patch the right answer when it could compromise quality?

Mozilla representatives sharply rebuked a report earlier this month which pointed to Firefox as being the "most vulnerable app" to businesses.  In its rebuke, Mozilla cited its rapid rate of patching and criticized Microsoft as being too slow when it came to patches, particularly for Internet Explorer.  The result is an interesting debate -- should patches be rushed to market or be given time to be fully tested.

Blog site Cheap Hack offers an insightful analysis of this issue.  Observing the Mozilla/Bit9 squabble, it notes that Mozilla has had a couple major problems arising possibly from rushed patches.  One patch for Firefox earlier this year introduced a stability problem.  Another batch of patches in an update left off an important Firefox 2 patch, though Mozilla maintains that this was an "administrative error", not an omission due to the rushed rate of patches.

On the other hand, Mozilla's patches do indeed hit the market faster.  This may lead to a lower security risk for its customers.

The real dilemma for companies like Mozilla and Microsoft when it comes to patching is the question of how much time to devote to thorough testing.  Typically, a security flaw such as the recent major vulnerability found in Microsoft's Internet Explorer, can be analyzed and a patch created with only a couple of days.  However, testing the patch and its implications to overall functionality is much harder.

For Mozilla, which has leaned towards leaner testing, at times falling short in this department, this is a trouble spot.  For Microsoft, this issue is perhaps even tougher as it is the industry leader and has a much greater business market share, thus its moves are scrutinized to a greater extent.  Microsoft must test its patches with a multitude of Windows configurations and look for compatibility issues.

Another problem arises in cases such as the WMF code in Windows GDI, where quick patching can ignore a broader architecture problem which yields more similar undiscovered flaws.  A great deal of time can be wasted creating very similar patches, while missing that the patches are all caused by the same underlying issue.  In the case of the WMF code multiple patches were released that were remarkably similar.  And while a fix-all systematic solution might not be possible in this case, Microsoft may have failed to check into it in an effort to roll out patches faster.

When it comes to hurried patches, Mozilla may indeed be more troubled than Microsoft.  However, another issue is when patches arrive far too slow.  For example, an SQL bug in some version of Microsoft's SQL projects has existed known and unpatched since April.  Microsoft may have wanted to include the patch in a service pack, but it should have acted far sooner, when an appropriate bundle failed to come along.

The latter extreme -- patching far too slow -- is an especially big problem for Apple.  Apple systems have traditionally been rarely targeted by hackers and malware writers, however, the machines are beginning to have more problems with malicious assaults.  This has led Apple to urge its users to get antivirus protection.  However, Apple's leisurely pace of patching in its programs such as Safari, something it attributes to thorough testing, may place its users in danger.  Apple has at times been praised for thoroughly testing its patches.  However, no antivirus program can safeguard users entirely on a poorly patched system, and its slow patching may do more harm than good.

In all patching philosophies differ dramatically by company.  Mozilla features an ultra-quick patching cycle, while Apple features an extremely slow one.  Microsoft falls somewhere in the middle; a little more towards the slow end.  In the end the debate over how much time to allow between security flaw discoveries and patch releases remains a tricky question unlikely to be solved in the near future.

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

Pre-patch fix?
By Pudro on 12/29/2008 2:07:58 PM , Rating: 2
I wonder if sometimes it wouldn't be too difficult for Microsoft to release a tool that doesn't do any patching, but instead monitors the vulnerability to check if it is being abused (until it gets patched). Or rather, provide a program that does this live monitoring and release new definition updates for new vulnerabilities as they are found, like an antivirus program.

Probably not as doable for Mozilla, but could work for Apple as well.

RE: Pre-patch fix?
By omnicronx on 12/29/2008 2:12:31 PM , Rating: 2
Half the time these fixes only require very small code changes. I wonder if they can merely re-release a patch to undo what the previous one did, and fix it properly. This would be the best of both worlds.

RE: Pre-patch fix?
By TomZ on 12/29/2008 2:31:33 PM , Rating: 2
That doesn't really solve the problem, however, which is that a released patch might cause other problems like stability or compatibility issues.

A better approach I think is for these companies to dedicate more staff to fixing and testing these types of patches. That way you can have your cake and eat it too. Microsoft's sales last FY were over $60B - somehow I think they can find enough budget to release patches that are both timely and well-tested at the same time.

That said, I think some of the criticism being made against Microsoft and some of the others in terms of releasing patches too slowly is a bit unfounded. What is important is that patches are widely deployed before they are abused which seems to be happening in most cases.

RE: Pre-patch fix?
By omnicronx on 12/29/2008 2:49:56 PM , Rating: 2
MS does usually wait until their patches have been thoroughly tested, but in cases such as last weeks IE7 vulnerability, I would rather a patch with a few issues, than no patch at all for a week. When a huge percentage of systems worldwide are affected, patches are required immediately regardless of the consequences. We are talking Billions of dollars in potential losses compared to a few headaches here and there.

I do think a better system is needed though.

RE: Pre-patch fix?
By TomZ on 12/29/2008 2:56:37 PM , Rating: 2
We are talking Billions of dollars in potential losses compared to a few headaches here and there.

That statement could go either way - right? In other words, billions of dollars in potential losses due to a mistake made in a patch compared with a few security headaches here and there.

Microsoft rightly knows it has to be careful with patches. There is a lot at stake on both sides - releasing too soon or too late.

RE: Pre-patch fix?
By omnicronx on 12/29/2008 2:58:14 PM , Rating: 2
Very true. Kind of a double edged sword though isnt it? Damned if they do, damned if they don't.

RE: Pre-patch fix?
By Mitch101 on 12/29/2008 3:26:52 PM , Rating: 2

Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer.

RE: Pre-patch fix?
By TomZ on 12/29/2008 9:33:41 PM , Rating: 2
Do you think that will somehow help with OS patches?

RE: Pre-patch fix?
By MrDiSante on 12/30/2008 1:43:45 AM , Rating: 2
I agree with TomZ's post above and would like to add that it's called "leaving UAC on". It doesn't completely sandbox, but it does do a good job for protecting IE, which is the biggest trouble-maker. As well, it makes sure that only your account gets trashed in case someone does exploit your system.

Second of all, for the most part I find that Microsoft seems to get it just about right with patches. I would prefer that the occasional critical flaw get patched out-of-cycle and in a more rushed manner than usual, but aside from that they tend to find the flaws before the go zero-day.

RE: Pre-patch fix?
By Mitch101 on 12/30/2008 8:03:46 AM , Rating: 1
A lot of people in here are anti-Vista for one reason or another and boxie is a good solution for them.

As for patching we all know we want the patch sooner than later. Patching really only happens when the exploit is known. In the time before it is a known or documented issue someone may have been using the exploit for some time.

I recommend boxie because its a bit simpler than running another OS within a VM. If you shut down without saving the changes any exploit that may have been applied to your VM would be gone the next time you fire up the VM.

RE: Pre-patch fix?
By tastyratz on 12/29/2008 3:34:06 PM , Rating: 2
I actually really like the idea suggested earlier, that they have updates similar to an AV program. Security patches are a necessary thing and I think Microsoft's is still too slow to market. I think they are so afraid of the press for doing it wrong that they wont release it until they know its perfect. Very rarely do you see a newer revision of a patch pushed out. I think Microsoft should offer opt in preliminary patches. These would have elementary levels of testing and refinement (between beta to rtm - not alpha quality) but are sent out quick to market. They can focus on revised patches going out once available. This would allow them to have their cake and eat it too. People who require the stable revision of patches can wait but people who want a quick fix right away can be satisfied as well.

I also think they should ditch the standard usual patch release schedule. Trickle them out as they are made, don't just release them in batches to be convenient. If the person needs convenient they can install them in batches (or sys admin only release them in batches)

RE: Pre-patch fix?
By gmyx on 12/29/2008 3:59:09 PM , Rating: 2
They recently implemented such a thing. I sit on a comity every month to analyze MS patches. They added an index (I forget it's name) that says how either it's unlikely to be exploited, likely to be exploited or is exploited. It's very basic but add it to all the available information, and you know if something is being attacked or not. I remember a stat saying that my employer was targeted thousands of times a day and not a single breach from it. It used to happens (Code Red?) and they fix the process issues.

By shabby on 12/29/08, Rating: 0
RE: ...
By Integral9 on 12/29/2008 1:32:24 PM , Rating: 4
They should just rip the heart out IE and replace it with something more useful... Like a baked potato.
"You have 3 seconds to live."

RE: ...
By omnicronx on 12/29/2008 2:10:57 PM , Rating: 5
Or in Apples case the title should read:

Debate Continues Over Whether Apple Should Patch for Vulnerabilities at all.

RE: ...
By icanhascpu on 12/29/2008 2:46:34 PM , Rating: 2
Yeah because they never provide security updates.

Do half the people bashing Apple these days even own an Apple computer? Or do they just assume things based on what their Apple bashing friends tell them?

I enjoy my PC more than I ever did my old Mac, but get a clue.

RE: ...
By omnicronx on 12/29/2008 2:57:10 PM , Rating: 2
I don't need to own an Apple computer, its common knowledge that Apple waits weeks sometimes months before patching known vulnerabilities. Many times these are cross platform vulnerabilities, that both windows and linux fix within a days not weeks and months.

By Motoman on 12/29/2008 1:08:38 PM , Rating: 2
...I just have to say that, when talking to corporate customers who ask why a new release didn't hit it's target date, I always tell them that "we're sorry we didn't release it when we thought we would, but we'd much rather miss a target date than put out code we know isn't working right."

That just flat-out makes sense. Whether it's a patch or a full release, I think it's a really bad idea to fling it out the door without an adequate amount of testing. Much less to release it to the wild with bugs you know are in there, just to hit your date. In all cases I would always prefer to get a customer a little miffed at me for missing a date and making them wait a little while longer than shipping them dodgy code that screws up their systems.

By TomZ on 12/29/2008 1:18:45 PM , Rating: 2
I agree, but you have to see this for what it is: the inability to successfully predict the outcome of the software development process. This tells me that we have more work to do in terms of learning how to manage software development in the industry in general.

By haukionkannel on 12/29/2008 3:36:55 PM , Rating: 2
IE is so defacto browser, that when MS does an patch, it has to be sure, that people still can goto to the net bank etc... Smaller browsers can do a ghanges quiker, because if something does not work, the solution comes quickly and in mean time you can use IE...
So it's big dilemma. For me the solution would be, that IE would not be so integral part of Windows, and every corporate and public web service would be tested for at least 3 different browsers. So when one is upgraded, at leat two will work properly... But this will newer happen in the word of IE dominant. It's "too expensive" to make aplications to work with different browsers...
Well actually there is solution even to this... Stardardised HTML... but as long as IE does not use it... Well you know how it is... If every internet page would be tested to work with standard HTML, any browser that is made to work with this standard would work, and having any two independed browser in you OS would allow the use of every aplication in the net even after very quick update.

By foolsgambit11 on 12/29/2008 6:12:34 PM , Rating: 2
Yes, that absolutely makes sense when a business is currently waiting for a new release, but can conduct their business safely with their current software (or lack of software). But with security patches, it's different. Waiting to get things right then must be weighed against the risks taken on by not waiting. Since both sets of risks are intangible and immeasurable, it's not an easy decision.

So instead of imagining a customer miffed that they didn't get their code when they wanted to, imagine that they're miffed because, after waiting a week for a patch to a known vulnerability, they are hacked and have their private data stolen. Okay, miffed isn't the right word for that case. But you get my point.

The debate of how to release patches isn't new, and isn't about to be solved any time soon. It's more a matter of security philosophy than security best practices. Because it's pretty much impossible to tell which practice is best in many cases.

By Motoman on 12/30/2008 12:50:20 PM , Rating: 2
The problem boils down to whether you're sure you're fixing the problem, or if you might be making it worse. Rushing a patch out the door without having done adequate testing is leaving yourself vulnerable to introducing new bugs.

While I certainly understand that a high-profile bug has to be patched ASAP, you have a certain amount of due diligence to go through before you can ship a patch to fix it.

By foolsgambit11 on 12/30/2008 5:12:25 PM , Rating: 2
Absolutely agree. But how much is that 'certain amount of due diligence'? Different companies may see it somewhat differently. Both the company that made the software and the company or companies that use(s) the software may evaluate the risk differently. So, as a company, you should evaluate whether you prefer Mozilla's or Microsoft's (or Apple's, or anyone else's) update methodology from a security standpoint. And pick the product that shares your risk philosophy. Neither philosophy necessarily is riskier, because it's hard to evaluate whether the risk of patching or not patching right away is greater in many cases. Critical vulnerabilities being the exception.

Outside the box
By jhb116 on 12/29/2008 3:14:11 PM , Rating: 1
Here is a thought - make the browsers leaner/easier. Simple things are much easier to test. Keep the tabs though - they rock.

Look at the consul wars - the XBOX360 and the PS3 are both much more advanced from a graphics standpoint than a Wii - aka eye candy, yet the Wii is still outselling both. Most consumers want stuff to work at a reasonable price first and foremost - the eye candy is for that extra zing.

RE: Outside the box
By foolsgambit11 on 12/29/2008 6:44:12 PM , Rating: 2
Except that you can pay absolutely nothing and get anything you want, from a full-featured browser to a text browser. So your "consul wars" analogy falls flat on its face.

People prefer products that can display the 'whole' internet, and that can do it quickly, safely, and with stability. The UI should be clean and responsive, and preferably customizable. All of those requirements add up to lots of code. Sacrificing any of those requirements will reduce the browser's market share. Like you illustrated, if they dropped tabs (which make browsers less lean), they'd lose you as a user. Same goes for any of the currently-supported elements of browsers. What if Opera dropped mouse gestures?

In the end, though, the critical security vulnerabilities are almost always with the core browser functionality - accessing the web and displaying the vast variety of content available. Let's face it, a browser that can't display Javascript, Java, or [obligatory iPhone dig], heaven forbid, Flash, isn't going to survive.

Hey, if you want a leaner browser, go download The Off By One Browser. I've never used it. Apparently it's 1.2MB - it could run from a floppy disk (if you still have a drive). It lacks Javascript, applet, or plug-in support (ergo, no Flash). But it does have the one feature you begged to keep, tabbed browsing. Or, you could try even smaller browsers, like Bluto, or the text-based Lynx. Or Dillo, if you're on *nix.

RE: Outside the box
By ViroMan on 12/29/2008 9:50:48 PM , Rating: 2
People prefer products that can display the 'whole' internet, and that can do it quickly, safely, and with stability.

I don't want or need the "whole" internet, all I want is a lean browser that does java(sun),graphics(pictures),and flash. I think that sums up pretty much 70% of internet pages. Not loading up the rest of the drivers/plugins (unless I add them in) to display the other 30% will save me plenty of start up time, be safer and much more stable.

RE: Outside the box
By Rockjock51 on 12/30/2008 11:00:56 AM , Rating: 2
I don't know about you, but Firefox launches basically instantly and I couldn't tell you the last time it crashed.

RE: Outside the box
By foolsgambit11 on 12/30/2008 5:14:43 PM , Rating: 2
I'm sure, with a little research and experimentation, you can find a browser that will meet your wish list. It may not come that way by default, but you'll be able to disable the things you don't want to use. Think of that customization work as the cost of getting a program for free.

Investor pressure
By JonnyDough on 12/29/2008 10:56:59 PM , Rating: 2
Microsoft has pressure from investors...a LOT of pressure. Mozilla does too, no doubt...but not like Microsoft does. Microsoft's bottom line isn't creating great software, it's about creating revenue. All businesses are designed to make money, but Microsoft doesn't put the consumer first. The XBox RROD issue was taken care of for PR reasons. They were simply righting a wrong because they had to, not because they wanted to. For the lead people at Microsoft, it's all about one thing. Money.

Smaller developers trying to break into new markets will always have a creative advantage, but they lack experiential strength and capital. Microsoft needs to get back to the basics and stop trying to compete all the time. They need to think creatively without being worried about what companies like Google and Mozilla are doing.

All about the money :)
By n0nsense on 12/30/2008 3:11:40 AM , Rating: 2
I totally agree that the first concern at MS is money.
Not you.
Look at the simple fact:
MS have to release patches for ONE version of browser only.
The number of platforms the have to support is basically 1.5
since the difference of XP, 2003 Server and Vista is ~0.5 :)
On the other hand Mozzila have to write and test the code for the same amount of Windows versions + Mac + Linux + Solaris + little bit more. And if its not enough, sometime they have to it for x86, x86_64, SPARC, ARM and many more.

"I modded down, down, down, and the flames went higher." -- Sven Olsen

Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki