The many problems with bad security patches

June 30, 2008

One might perhaps accuse me of getting overly worked up about bad security patches. Is it really such a big deal if a security patch has a flaw?

My answer is yes, because there are a number of bad consequences when security patches are untrustworthy:

  • it discourages people from installing them. As we've seen repeatedly, having more insecure systems around endangers everyone, whether it is on the Internet or behind your firewall.

  • a broken but 'secure' machine is not really an improvement over a functional but insecure machine. In both cases the overall system is not functional, assuming that you consider security as part of the overall system functionality.

    (Of course the devil is in the details, specifically what broke and what the security issue was, and also how important security is; in some environments being completely turned off is preferred to being insecure. I am assuming here that the breakage is in something relatively important.)

  • you can't use security patches to solve the security issue right now, because you have to put patches through testing in order to see if they broke anything this time and if so, what. At best you can use the release of a security patch as a signpost that your system really is vulnerable to some general issue, and that you need to get working on some sort of a fix.

    (Yes, yes, test everything. Wouldn't it be nice if you didn't have to? And in theory that is the promise of security patches; the only change they are supposed to introduce is a security fix, and thus they should be safe to apply under almost all circumstances.)

  • they increase the overhead of security in general, in both people's time and in hardware needs. All else being equal, this overhead has to come out of somewhere, in actual useful work not getting done and machines not getting used for useful things.

  • if sysadmins believe vendors and do rush installs of what turn out to be bad patches, we lose credibility and thus our overall ability to influence people. This is bad because there are security things that people should listen to you about; you really don't want to be the sysadmin that cried wolf.

Collectively, this set of consequences is pretty bad news. Hence my strong opinions on the issue.

Written on 30 June 2008.
« Why user exposure matters for Linux distributions, especially on desktops
Why reverse proxies are good for big web applications »

Page tools: View Source, Add Comment.
Search:
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Mon Jun 30 23:56:06 2008
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.