Is hurrying a patch the right answer when it could compromise quality?

Mozilla representatives sharply rebuked a report earlier this month which pointed to Firefox as the "most vulnerable app" for businesses.  In its rebuke, Mozilla cited its rapid rate of patching and criticized Microsoft for being too slow with patches, particularly for Internet Explorer.  The result is an interesting debate: should patches be rushed to market, or given time to be fully tested?

Blog site Cheap Hack offers an insightful analysis of this issue.  Observing the Mozilla/Bit9 squabble, it notes that Mozilla has had a couple of major problems possibly arising from rushed patches.  One patch for Firefox earlier this year introduced a stability problem.  Another batch of patches in an update left off an important Firefox 2 patch, though Mozilla maintains that this was an "administrative error", not an omission caused by the rushed rate of patching.

On the other hand, Mozilla's patches do indeed hit the market faster.  This may lead to a lower security risk for its customers.

The real dilemma for companies like Mozilla and Microsoft when it comes to patching is how much time to devote to thorough testing.  Typically, a security flaw such as the recent major vulnerability found in Microsoft's Internet Explorer can be analyzed and a patch created within only a couple of days.  However, testing the patch and its implications for overall functionality is much harder.

For Mozilla, which has leaned towards leaner testing and at times fallen short in this department, this is a trouble spot.  For Microsoft, the issue is perhaps even tougher: as the industry leader with a much greater business market share, its moves are scrutinized to a greater extent.  Microsoft must test its patches against a multitude of Windows configurations and look for compatibility issues.

Another problem arises in cases such as the WMF code in Windows GDI, where quick patching can ignore a broader architectural problem that yields more similar, as yet undiscovered flaws.  A great deal of time can be wasted creating very similar patches while missing that the flaws all stem from the same underlying issue.  In the case of the WMF code, multiple patches were released that were remarkably similar.  And while a fix-all systematic solution might not have been possible in this case, Microsoft may have failed to investigate it in an effort to roll out patches faster.

When it comes to hurried patches, Mozilla may indeed be more troubled than Microsoft.  However, another issue is when patches arrive far too slowly.  For example, a bug in some versions of Microsoft's SQL products has been known and unpatched since April.  Microsoft may have wanted to include the patch in a service pack, but it should have acted far sooner once a suitable bundle failed to come along.

The latter extreme, patching far too slowly, is an especially big problem for Apple.  Apple systems have traditionally been rarely targeted by hackers and malware writers; however, the machines are beginning to have more problems with malicious assaults.  This has led Apple to urge its users to get antivirus protection.  However, Apple's leisurely pace of patching programs such as Safari, which it attributes to thorough testing, may place its users in danger.  Apple has at times been praised for thoroughly testing its patches.  But no antivirus program can entirely safeguard users on a poorly patched system, and Apple's slow patching may do more harm than good.

In all, patching philosophies differ dramatically by company.  Mozilla features an ultra-quick patching cycle, while Apple features an extremely slow one.  Microsoft falls somewhere in the middle, a little more towards the slow end.  In the end, the debate over how much time to allow between the discovery of a security flaw and the release of its patch remains a tricky question unlikely to be settled in the near future.


Comments


RE: Outside the box
By foolsgambit11 on 12/29/2008 6:44:12 PM , Rating: 2
Except that you can pay absolutely nothing and get anything you want, from a full-featured browser to a text browser. So your "console wars" analogy falls flat on its face.

People prefer products that can display the 'whole' internet, and that can do it quickly, safely, and with stability. The UI should be clean and responsive, and preferably customizable. All of those requirements add up to lots of code. Sacrificing any of those requirements will reduce the browser's market share. Like you illustrated, if they dropped tabs (which make browsers less lean), they'd lose you as a user. Same goes for any of the currently-supported elements of browsers. What if Opera dropped mouse gestures?

In the end, though, the critical security vulnerabilities are almost always with the core browser functionality - accessing the web and displaying the vast variety of content available. Let's face it, a browser that can't display Javascript, Java, or [obligatory iPhone dig], heaven forbid, Flash, isn't going to survive.

Hey, if you want a leaner browser, go download The Off By One Browser. I've never used it. Apparently it's 1.2MB - it could run from a floppy disk (if you still have a drive). It lacks Javascript, applet, or plug-in support (ergo, no Flash). But it does have the one feature you begged to keep, tabbed browsing. Or, you could try even smaller browsers, like Bluto, or the text-based Lynx. Or Dillo, if you're on *nix.


RE: Outside the box
By ViroMan on 12/29/2008 9:50:48 PM , Rating: 2
quote:
People prefer products that can display the 'whole' internet, and that can do it quickly, safely, and with stability.

I don't want or need the "whole" internet; all I want is a lean browser that does Java (Sun), graphics (pictures), and Flash. I think that sums up pretty much 70% of internet pages. Not loading up the rest of the drivers/plugins (unless I add them in) to display the other 30% will save me plenty of start-up time, and be safer and much more stable.


RE: Outside the box
By Rockjock51 on 12/30/2008 11:00:56 AM , Rating: 2
I don't know about you, but Firefox launches basically instantly and I couldn't tell you the last time it crashed.


RE: Outside the box
By foolsgambit11 on 12/30/2008 5:14:43 PM , Rating: 2
I'm sure, with a little research and experimentation, you can find a browser that will meet your wish list. It may not come that way by default, but you'll be able to disable the things you don't want to use. Think of that customization work as the cost of getting a program for free.

