Oli said:
It depends on the vulnerability, really. If the vulnerability is
obscure (i.e. it's not likely to be found and exploited quickly) and
person who discovered it has worked closely with Microsoft in
responsibly reporting the problem, then making sure the patch is of
the highest quality and is fully tested is very important.
If the vulnerability is a potential denial of service problem and
Microsoft (or any vendor for that matter) rushes out a patch without
testing, there is a risk that the patch will do more damage than any
exploit ever would.
So, it's a balance where the seriousness of the vulnerability, the
chance of exploit, and the risk of the patch causing issues in itself
all come into play.
One would assume that MS wouldn't issue a patch to the gov't before it
was fully tested. I doubt the Air Force wants to be a guinea pig. So
since the US Gov't is getting patches a month earlier than the rest of
us get them, and considering that MS can't control the release of
exploits, it seems like they could give an exploit writer a considerable
head start at writing an exploit for the hole before the patch is
released to the general public. Hell, the State Department lost a
couple of laptops in recent years, and the Dept. of Energy has had a
hell of a time securing facilities that hold nuclear secrets, so how in
the world are they keeping MS patches released to them early under wraps?
1.) I never agreed with MS's policy of waiting for a specific time every
month to release patches, as it leaves more time for holes to be
exploited before patch release.
2.) Waiting ever longer so the US Gov't can plug its holes before
everyone else will leave an even bigger window of opportunity, and
possibly get into the wrong hands to be able to find exploits in the
patch itself.
Computer security is nothing to wait around for. Once tested, critical
updates should be immediately released, not according to a set schedule,
or given out to one sector of our society before any other. If the net
goes down because of an exploit, and because home users and businesses
are still waiting for their turn to get the patch to plug the hole, it
ain't gonna matter much that the gov't's computers are protected if they
can't communicate with each other.
--
Peace!
Kurt
Self-anointed Moderator
microscum.pubic.windowsexp.gonorrhea
http://microscum.com/mscommunity
"Trustworthy Computing" is only another example of an Oxymoron!
"Produkt-Aktivierung macht frei"