Tuesday, January 13, 2015

OS's - patching and support

In the past few weeks Microsoft has appeared a bit peeved with Google's disclosure policy.  They had a patch planned for Patch Tuesday (today), but the information about the bug hit the 90 day mark back at the end of December and was released by Google.

There have been a number of threads going on the different lists I'm on.  Some support this, saying Microsoft knew Google's policy and knew the deadline, while others are upset at Google, who knew a patch was in the plans and released the data anyway.

I've been back and forth on Full Disclosure vs Responsible Disclosure over the years.  I see both sides and understand the needs.  I do believe the security researchers that find these bugs and push the vendors to get patches out the door are important, but I also believe a lot of these researchers (not all, but a lot) haven't had to support large organizations and deal with the "headache" these things cause.

In the end, supporting or trying to secure a large organization is tough to start with, made tougher by the numerous pieces of software and hardware that may be out there, and made even tougher when you don't have total control over what is on your network (at least in the .edu space).  Add to that screwed up patches that get pulled and 3rd parties disclosing things "days" before a patch is due out, and it's almost enough to make you pull your hair out some days.

Microsoft has the problem of trying to make sure that things are backwards compatible, supporting things from 10+ years ago.  Google, on the other hand, just drives forward with a new OS version and drops support for older ones.

Case in point:
https://community.rapid7.com/community/metasploit/blog/2015/01/11/google-no-longer-provides-patches-for-webview-jelly-bean-and-prior

As we see more and more devices built on the Android OS and their support just ending, due to carriers not doing upgrades, or whatever, it will be interesting to see how things play out in the future.  Will Google actually be the one that takes the heat from the public, or will the carrier?  Or will the idea of just throwing the old equipment away and constantly upgrading continue to be the norm?

I'm still running an old 2.3.x "smart" phone.  I don't surf the net with it; it gives me phone access and it gives me my calendar stuff.  It works for what I need, but I know its limitations and the security implications if I surf the web with it.  How many users do?  Should we really be forced to spend that much every 2 years to replace older tech?  Maybe things just change constantly; it isn't like when I started, when we used to get new AV definitions every 6 months :)  But I hate to see us continue to throw away perfectly working tech that could be patched.

Oh well, I digress.  Another Patch Tuesday is upon us and another will come next month.  Changes will continue to happen, and those that have to support systems will continue to adapt or, short of that, move on to other things!

2 comments:

xnih said...

http://threatpost.com/google-passes-on-older-android-patches-930-million-devices-vulnerable/110342

Sheesh, 930 million devices vuln?

I've always hated Apple's "life of hardware" scenario, but IMHO that is better than the 16-month support from Google currently.

We live in interesting times.

xnih said...

Interesting counterpoint to MS's cry of foul.

http://blog.erratasec.com/2015/01/a-call-for-better-vulnerability-response.html#.VLVMsivF9HU