The many problems with bad security patches
One might perhaps accuse me of getting overly worked up about bad security patches. Is it really such a big deal if a security patch has a flaw?
My answer is yes, because there are a number of bad consequences when security patches are untrustworthy:
- it discourages people from installing them. As we've seen repeatedly,
having more insecure systems around endangers everyone, whether
it is on the Internet or behind your firewall.
- a broken but 'secure' machine is not really an improvement over a
functional but insecure machine. In both cases the overall system
is not functional, assuming that you consider security as part of
the overall system functionality.
(Of course the devil is in the details, specifically what broke and what the security issue was, and also how important security is; in some environments being completely turned off is preferred to being insecure. I am assuming here that the breakage is in something relatively important.)
- you can't use security patches to solve the security issue right
now, because you have to put patches through testing in order to
see if they broke anything this time and if so, what. At best you
can use the release of a security patch as a signpost that your
system really is vulnerable to some general issue, and that you
need to get working on some sort of a fix.
(Yes, yes, test everything. Wouldn't it be nice if you didn't have to? And in theory that is the promise of security patches; the only change they are supposed to introduce is a security fix, and thus they should be safe to apply under almost all circumstances.)
- they increase the overhead of security in general, in both people's
time and in hardware needs. All else being equal, this overhead has
to come out of somewhere, in actual useful work not getting done
and machines not getting used for useful things.
- if sysadmins believe vendors and do rush installs of what turn out to be bad patches, we lose credibility and thus our overall ability to influence people. This is bad because there are security things that people should listen to you about; you really don't want to be the sysadmin that cried wolf.
Collectively, this set of consequences is pretty bad news. Hence my strong opinions on the issue.