Follow Slashdot blog updates by subscribing to our blog RSS feed

 


Forgot your password?
Close
typodupeerror
×
Bug Operating Systems Security Software Windows Worms

Windows 24 Hr Vulnerabilty Patch - Would It Help? 70

Posted by Cliff from the don't-hold-your-breath dept.
super_ogg asks: "In light of the recent Windows infection rate problem, it prompted me to ask the question: if Microsoft was able to guarantee a 24-hour-patch for a vulnerability (and hell didn't freeze over), how much would it affect the rate of infection seeing that a lot of people don't patch their systems? Would the rate of infection increase dramatically?"
This discussion has been archived. No new comments can be posted.

Windows 24 Hr Vulnerabilty Patch - Would It Help? More

Windows 24 Hr Vulnerabilty Patch - Would It Help?

Comments Filter:
  • Last time I checked it didn't cost much to get into hell.

    Don't slashdot editors read things?

  • Unlikely to increase (Score:3, Insightful)

    by Craigj0 ( 10745 ) on Tuesday July 05, 2005 @09:25PM (#12990478)
    Would the rate of infection increase dramatically?


    I cant see how providing patches faster would increase infection rate.

    • Unless, of course... (Score:3, Interesting)

      by Ieshan ( 409693 )
      Unless, of course, someone exploited the patching mechanism.

      If we were living in a world where Microsoft provided patches and people actually downloaded them, we'd probably be in a world of highly "seemless" updating. Microsoft would default enable automatic updates on Mom and Pop boxes or work desktops hooked up to highspeed connections, and exploiting a mechanism used nearly by everyone would be a disaster.

      That's the only way it could really increase. I agree.
      • Yes, that and these small patches would allow the intruders to see more easily where the vulnerabilities were in the first place. This is especially relevant if the vulnerabilities being patched were not yet observed in the wild. Now they will be!
    • A big problem that Microsoft faces is that when they release a patch it is reverse engineered to find the vunerability that it fixed. Since a huge number of individual users don't patch regularly (if ever) and corp. users want time to test the patch before rolling it out there is a lag between the patch release and it's deployment.

      This of course means that the hole that the patch fixes (which may not have been known about before the patch) can be used to exploit systems for some time. Hence frequent, unsch
    • I cant see how providing patches faster would increase infection rate.

      I assumed that was a typo, and he meant "decrease". "[A]nd hell didn't free over" is probably a typo, as well, although I'm sure Richard Stallman is still typing a furious GNU/missive to Cliff right now...

  • Users are users... (Score:4, Insightful)

    by rpbailey1642 ( 766298 ) <robert.b.prattNO@SPAMgmail.com> on Tuesday July 05, 2005 @09:25PM (#12990480)
    Releasing patches that quickly would probably make the releases smaller, which means people would be less likely to cancel the download in disgust when they see it would take 2+ hours to complete. Having said that, given the users I've encountered, MS would need something like "Automatically Apply Patches without Prompting Me" as one of the initial options or users would just "X" out of the warning pop-up, as they do nowadays.
    • Sorry to respond to my own post, don't take that as an endorsement that people should blindly accept patches or anything from Microsoft, it was just one thing MS could/would conceivably do to get users to patch their systems.
    • Having said that, given the users I've encountered, MS would need something like "Automatically Apply Patches without Prompting Me" as one of the initial options or users would just "X" out of the warning pop-up, as they do nowadays.

      Isn't automatic updates already an option for windows update?

      • I think it still prompts you to install the patches, even if you automatically download them. Some people just can't be bothered. I haven't touched a Windows machine since Windows 98, so someone please correct me if I am mistaken. (Nanogator would have a brilliant and biting comment here)

    • Releasing patches that quickly would probably make the releases smaller, which means people would be less likely to cancel the download in disgust when they see it would take 2+ hours to complete.

      Only if they patched on a regular basis. Otherwise, instead of seeing one patch that takes 2+ hours to complete, they'd see 200 patches that take 2+ hours to complete altogether. In which case, they'd still cancel.

    • 2+ hours to complete? What?! SP2 only took about 30 minutes, most of that was the install not the download. I know there are some slow pipes out there, but those computers probably aren't the big problem (unless botnets are being built mostly w/ dialup users?)
    • The current default is for patches to be downloaded automatically, applied instantly (if they can be) or at next reboot (if they can't). As the majority (un-sysadmined) Windows boxes are shut down at night by their home users, this works pretty well.

      All the PCs set up _before_ this was standard practice (XP SP1, I think) default the other way, and there are still an awful lot of those about.

  • hang on a minute (Score:2, Insightful)

    by sycotic ( 26352 )
    Would the rate of infection increase dramatically?

    That simply *has* to be a typo, you most certainly would expect the rate of infection to decrease quite quickly if everyone had automatic updates enabled...
  • I dont think that the rates of infection would increase much. Just b/c microsoft gurantees a 24 hr patch doesnt mean the people will patch it. Virus writers will know this and will not increase the amount of viruses written. I think that everything would all stay the same as it is now.
    • Actually it might bring forth a sort of competition.
      "How many machines can we infect in 24hours or before a patch is released".

  • Interesting thought experiment... (Score:3, Insightful)

    by TripMaster Monkey ( 862126 ) * on Tuesday July 05, 2005 @09:27PM (#12990497)

    Even if Microsoft could guarantee a 24-hour patch release (and the submitter's remark about the cold snap in Hell is pretty much on the mark here), I really don't see it making that much difference...unless systems were configured to apply patches immediately upon release, without being authorized by the sysadmin first. I don't think I'm the only sysadmin here who prefers to test patches on guinea pig machines before releasing them to the rest of my systems.
    • The biggest problem here is with the home users, not the sysadmins. You're probably aware that most of them don't use "guinea pig" machines, and have little reason to do so. I do believe a 24-hour release guarantee, plus the Windows default being automatic download and install of patches would certainly help. As for large networks, that option would usually be disabled..
  • What is a "24 hour patch for a vulnerability"? Are you asking if MS will guarantee a computer will be vulnerable for 24 hours? Or the patch will only last 24 hours?

    If the issue is folks not updating systems and applying patches, then how will any patch affect the rate of infection? Isn't that the issue? Patches don't work if they're not used.

    How would MS issuing patches cause the rate of infection to increase dramatically? Are you saying hackers are using security updates as guides for exploiting sec
    • I assume the guy meant MS would release a patch to fix a vulnerability within 24 hours of its discovery.
    • The summary states that 24 hours of vulnerability would increase infection rates. This is, of course, correct.

      Slashdot gets it right for once. While hell is freezing over Microsoft will also provide 24 hour turnaround on providing patches for vulnerabilities.
  • Patches only work when they're installed. Many people don't install patches until they realize they've been hacked. Even if they are aware of new patches, system admins and users might be hesitant to install a brand new untested patch on an already working system.

  • No (Score:4, Interesting)

    by MBCook ( 132727 ) <foobarsoft@foobarsoft.com> on Tuesday July 05, 2005 @09:30PM (#12990517) Homepage
    Here is my theory, based on my observations and opionions.

    For big businesses, it wouldn't help. They are already on top of these things checking their firewalls and such, trying to prevent infections. (Note: if this isn't the case, they fit in with group 2)

    Then there is individuals. I can't tell you how many people's PCs I've found with basically NO updates applied (for whatever usually pointless reason). These are the people where such a quick patch could make a difference (since it tends to be home computers and those under the care of someone who doesn't know what they're doing), but they won't get the patch because these people don't patch in the first place.

    MS's best solution at this point would be to force automatic updates to be on for all copies of XP Home, with no way to turn it off (short of registry editing). That way, the computers would get the updates they need, but the few people who want to turn it off would probably know enough to run their computers safely if they knew where to find the instructions and how to change the registry. (I'm ignoring the point that anyone with half a brain that was a "power user" would want XP Pro over XP Home).

    A 24 hour turn around would be great, but I don' think it would make that much of a difference. Forced updates (especially if expanded to include XP Pro that isn't being managed by a domain controller/active directory to cover those one machine businesses and such) would probably go a farther way.

    • Re:No (Score:3, Interesting)

      by bergeron76 ( 176351 ) *
      I can't tell you how many people's PCs I've found with basically NO updates applied (for whatever usually pointless reason).

      Here's my pointless reason: My unpatched Win2k (SP1) box has been working dutifully since 2002 _without any re-install_.

      I've had several _other_ Win2k boxes that had "Automatic Windows Update", and *EVERY SINGLE ONE OF THEM* has died for reasons "unknown".

      My theory is that there are many more virus writers (kiddee's) these days then there were a few years ago. They aren't targeti

    • MS's best solution at this point would be to force automatic updates to be on for all copies of XP Home, with no way to turn it off (short of registry editing). That way, the computers would get the updates they need, but the few people who want to turn it off would probably know enough to run their computers safely if they knew where to find the instructions and how to change the registry. (I'm ignoring the point that anyone with half a brain that was a "power user" would want XP Pro over XP Home).

      I hav

    • Re:No (Score:1)

      by mce ( 509 )
      MS's best solution at this point would be to force automatic updates to be on for all copies of XP Home, with no way to turn it off (short of registry editing). That way, the computers would get the updates they need, but the few people who want to turn it off would probably know enough to run their computers safely if they knew where to find the instructions and how to change the registry.

      I have an XP Pro machime, from which one critical driver update and one non-critical driver update have on purpose

  • The rate of infection would go down. Why? Because it's already commonplace for Microsoft to put out patches that break things. The added time pressure would only increase this.

    The rate of infection would go down because broken computers are less easily infected.

    • Microsoft patches typically don't break Microsoft products, and at a minimum they wouldn't break the core functionality of the OS. So the computer is not going to be "broken". The patches do break 3rd party apps, especially products that are bending the APIs in order to achieve some other unforseen purpose.

  • Not much. Yet. (Score:3, Informative)

    by Deathlizard ( 115856 ) on Tuesday July 05, 2005 @09:33PM (#12990536) Homepage Journal
    Most of the Vulnerabilities happen weeks to months after a patch is released. It's just getting the patch on the machine that's a problem.

    As XP SP2 starts to overtake XP SP1 and SP0 sales, it should get better, since SP2 screams and yells if you turn off automatic updates. This is going to take a while since most people are paranoid of SP2 or MS won't let them install it cause their OS is a pirate.

    Hopefully in longhorn, they do the same thing they did with .Net 2003 SP1 and firewall the internet until windows downloads all the critical patches. This would stop the 12 minute problem pretty quickly.
  • I thought we were all suppose to be nerds here? Can't people figure out what the submitter actually meant? Here's what it should really say:

    In light of the recent Windows infection rate problem, it prompted me to ask the question... if Microsoft was able to guarantee a 24 hour patch for a vulnerability (and hell didn't FREEZE over), how much would it affect the rate of infection seeing that a lot of people don't patch their systems? Would the rate of infection DECREASE dramatically?

    Now can we just drop it
  • Increase dramatically? Well, I know one of MS' claims is that the descriptions for the patches might show malware authors new exploits that they didn't know about. I think most of the major worms were produced long after patches had already posted, though I don't know if that was because the malware authors saw the bugfix notes, or if they used info gleaned from other sources. That said, I doubt it would change the infection rate at all.

    I was doing retail computer repair up until November of last year.

  • The answer is obvious (Score:3, Interesting)

    by ignorant_coward ( 883188 ) on Tuesday July 05, 2005 @09:49PM (#12990645)

    and it is: no.

    Microsoft has spent so many years breeding a developer and user culture of ignorance, complacency, irresponsibility, negligence, incompetence, stupidity, insecurity, instability, undebuggability, unusability, and inconsistency that they are either beyond hope or they will take another decade to correct their course.

  • Mod Article Down (Score:3, Funny)

    by the eric conspiracy ( 20178 ) on Tuesday July 05, 2005 @09:55PM (#12990678)
    Windows 24 Hr Vulnerabilty Patch - Would It Help?

    Immediate Answer Without Thinking: No.

    Answer After Thinking A Little About It: The question is nonsense because it is based on a silly premise.

    Answer After Thinking More About It: Waste of Time Because No Matter What You Do Windows is Going To Remain the Giant Petri Dish of The Internet.
  • Some very severe problems may require a significant refactoring of a software system's code. Indeed, it would most likely be very counterproductive to try to force such changes that quickly. You may just end up introducing five or six times the number of bug and security issues than had a proper solution, perhaps taking several days, been delivered instead. Quick hackery meant to prevent security violations is itself often a source of massive security hazards in the future.

  • ...if Microsoft was able to guarantee a 24 hour patch for a vulnerability....

    While we are wishing for the impossible, why do we not simply wish for Microsoft to guarantee no bugs?

    NO vendor - not Microsoft, not IBM, not Sun, no one - can guarantee a "N" hour response time for 100% vulnerabilities (for 0 <=N<=1000, say).

    There will ALWAYS be bugs for which it takes TIME to fix them - and the only way to deal with them until they are fixed is to shut the affected software down - and once again, th

    • Your point is accurate, of course, but that doesn't really mean that the question has no merit. Microsoft could EASILY set an internal goal that, for example, 70% of bugs are patched within 72 hours of first discovery. Such a goal should be difficult, but not impossible to achieve. Any bugs that are not patched within the desired 72 hours, are patched ASAP. Now, as the original poster asked: Would such an initiative cause a noticeable decrease in infections? An increase? And such a timetable would mean anyt
  • The vulerabilities they find now have usually been there for half a decade or longer. They weren't a threat until someone discovered them.

    Now, figure the average time someone goes between applying patches. Some update daily, but a lot of people update weekly, if at all. And suppose a vulnerability is discovered every 3 days. If patches were released the day they were completed, you'd be exposed about 70% of the time, if someone took the time to use the patches to locate the vulnerabilities. Now, if patches
  • If they can beat 12 minutes [slashdot.org], then we're talking.
  • Is everyone missing the point of this question? Microsoft's ability to release a patch in 24 hours is the assumption of the question, that's not really up for debate. The real issue is, do general users, Windows users in particular, do they patch their systems quickly? The answer is... probably not. So we know Microsoft can't release zero defect software (it's an imposibility folks, the business demands are too great and the software is too complex). So the question is really do users need to change the

  • Cut down the number of installers! (Score:5, Insightful)

    by AnamanFan ( 314677 ) <anamanfan&everythingafter,net> on Tuesday July 05, 2005 @10:36PM (#12990880) Homepage
    Warning: Apple reference ahead, but no where does it state the fix is to buy an Apple computer.

    What would help the situation is if roll-ups or service packs were released in conjunction with hot fixes, limiting the number of total patch installers.

    Let's take Apple for example. In a nutshell, there's the retail box release (10.4.0), then a few security patches as needed (Denoted as: date of post). Let's say there are three of such fixes.

    Active Patch Installers: 3 (1 reboot)

    Eventually a point release is made (Denoted as: 10.4.1). This point release includes all of the previous security patches as well as other fixes usually along the lines of 'recommended' as Microsoft would put it.

    Active Patch Installers: 1 (1 reboot)

    After 10.4.1 is released, a few more security holes are found and patched, each with a date of release. We'll say there's two.

    Active Patch Installers: 3 (1 reboot)

    When 10.4.2 comes around, Apple releases two versions of the update:
    A smaller file size for systems with 10.4.1 installed
    A larger file if 10.4.0 (Retail) installed.

    Active Patch Installers: 2 - Only one needed (1 reboot)

    Here's the key point: From the retail version of the software, you only need to install one service pack release, and maybe 3 to 5 security patches at any point in time. Not 50 which branching restart cycles; One to five patches, one restart.

    Obviously there's some variation here and there. Apple will have a lot more than five updates at a time for all the other non-OS software, but the underlining concept is there:

    The fewer the installers and restarts, the easier patches are for the normal user.

    • I have mod points and would have given you +1 Insightful, but I'd rather post an "Amen, brother!" instead.

      You are absolutely right, the way patches are handled on Windows is a friggin' mess, and Apple definitely does it a better way with their "delta" and "combo" updaters, plus the fact that there's no such thing as a reboot-requiring patch that insists on being installed separately from everything else-- no matter how many updates you've got listed in Software Update, you can do them all at once and reboo
    • I have to agree as well. (Linux plug coming up, though in a suggestive fashion, not a "use Linux" because it is better way.)

      We have a Ubuntu Linux test box here at work for our proxy (which has a similar configuration). We click the nice little red icon in the top right hand corner and then click update. This is followed by all of the hard work of forgetting about it completely and going onto more important things while it automatically does everything (updating etc) for us, which let me tell you is a
    • The problem for Windows is the brain damaged file locking mechanism. Files that are opened can not be deleted by Windows. That means, any programs and services that are running while you try to install a patch will prevent those files from being overwritten. Updating a program in UNIX involves deleting the old version and installing the new executable (or patch, delete, rename) and restarting whichever programs were using that file. If Windows had the ability to delete these locked files, most IE update
      • Updating a program in UNIX involves deleting the old version and installing the new executable (or patch, delete, rename) and restarting whichever programs were using that file.

        You can even leave the old program running on the old files, if the old file's inodes can be left intact for a while.

        UNIX has stood the test of 30+ years of use, and much of it is basically the same, in principle. Windows is only now catching up on the basics, too (Windows is doomed to re-invent UNIX eventually...but poorly). Th

    • Microsoft releases Cumulative updates, which supersede and consolidate several previous stand-alone patches, on a fairly regular basis. These are pretty much equivalent to Apple's point releases.

      I recently installed a new XP system with SP2 integrated into the install, and after boot it only needed to download 5 patches. One of them was Cumulative update for IE May 2005 or something like that, and the others were non-IE patches. Only one reboot was required.

      Assuming you installed the original release of

    • (1 reboot) wow, typically my PC requires no-reboots when I fix holes, and most of the time I don't even have to leave the desktop, I just su to a admin account from my normal account and do all the work there.
  • Slightly askew of the topic I noticed Microsoft seem to have recently release 'Microsoft Update' [microsoft.com] (Office and Windows Update rolled into one) for Windows 2000 users. So I now have Windows Update and Microsoft Update in my Start Menu. It crashed IE the first time I used it.

    Automatic updates doesn't seem to work well for me on 2000 either (the only time i've seen it notify me there are updates available is just now after doing a manual Microsoft Update).

    Forget prompt 24 hour updates, Microsoft can't even pr

  • Geeky Hell (Score:1, Funny)

    by Anonymous Coward
    Wouldn't Hell have to malloc over before it could free over?
  • What would the quality of such a quickly turned around patch be? About the only thing they'd be able to truely gaurantee is that you could install it. They couldn't have tested it very thoroughly to ensure it performed the intended functionality, much less that it didn't create more problems than it solved.

    I think as long as there's 1 main OS that the majority of people on the internet use, we simply have to accept the fact that it's going to be a target for malicious code.
  • Here's something that WOULD help a lot:

    A way to easily download patches WITHOUT loading anything but a minimalist, self-protecting, OS with only one network application available - one that connected to Microsoft to download the patch.

    You can do this easily enough with DOS or Linux, just throw in modem and network drivers and an NTFS driver to write the patch files to the hard disk.

    Of course, MS would rather use XP. I'd recommend a stripped down version that boots into a "safe mode with networking and m

Slashdot Top Deals

Beware of Programmers who carry screwdrivers. -- Leonard Brandwein

Close