Smart Computing
Internet & E-mail Safety
April 2002 • Vol.8 Issue 4
Page(s) 98-100 in print issue

Digital Duct Tape
Publishers Scramble To Fix Program Vulnerabilities
For software publishers, the issue of creating and deploying updates, patches, and fixes for their products is a complex one. Periodic updates are accepted as a standard method of delivering product enhancements; because these updates (theoretically) benefit the end user, publishers usually charge a fee for them. On the other hand, publishers often need to issue a patch or fix at their own expense when someone discovers a serious flaw.

Issuing an unscheduled patch is analogous to printing a retraction; it is a public statement that the publisher made a mistake too serious to be overlooked. If the patch or fix is related to security, the statement is even stronger because issuing a patch is tantamount to taking responsibility for any security breaches related to the problem. In addition, the issuance of a patch publicizes the vulnerability, and crackers could use that information to exploit users who are at risk and haven't yet installed the patch.

For software publishers, the result is a mad scramble to keep up with problems and issue patches while, at the same time, exercising a certain amount of damage control. For users, the challenge is to stay up to date on the patches and fixes available for all the products they use.



Complex By Design. A PC application is a unique and complex product, and software engineering is a practiced science similar to civil or mechanical engineering. A great deal of thought, design, analysis, and production goes into an application such as Microsoft Word or Corel WordPerfect. A variety of disciplines join forces to create a package that rivals the complexity of an automobile, and thousands of interacting components must work together to produce the desired results.

It should come as no surprise that occasionally a bug or a programming error causes some unexpected behavior in such a complex program. Even with the most rigorous testing, some bugs are bound to go undetected and end up in the copy you install on your home computer. It's hard to remain objective when a bug affects your ability to complete your work.

In addition to complexity, a number of other factors affect the quality of a software product. One of the more notable factors is the unrelenting financial pressure for software publishers to produce more with less. Increased competition drives prices down and reduces the available pool of qualified programmers. Shortened test cycles and a relaxation of quality-control measures contribute to the problem, and it is nearly impossible for a publisher to test a product's compatibility with every possible hardware and software combination available.

Other design flaws, which are invisible to the user, can let crackers access your PC and its resources without your knowledge. This is often done by transmitting a virus to your system through e-mail or tricking you into downloading an infected file from a Web site.



How Much They Know Can Hurt You. There are two different views on the subject of how much information should be made public about a software flaw, especially when it relates to compromised security.

Some people believe users have the right to know a great deal about the vulnerabilities associated with the flaw so they can form their own opinions about the potential threat. The practice of releasing complete details about a flaw is called full disclosure, and those who promote this concept believe publishers and IT professionals won't take security threats seriously unless the threats are well documented.

When it's too much. A vast majority of IT (information technology) professionals, however, believe if too much detail is provided, crackers will use it to exploit the weakness before some users can install the patch.

According to this view, the Code Red virus of 2001 is a classic example of too much information in the public domain. The flaw, which had existed for almost four years, was actually discovered in mid-May, but it wasn't brought to the public's attention until June 18, 2001, the day Microsoft released security bulletin MS01-033 along with a patch. That same day, eEye Digital Security, a California-based company, published its own advisory and included details so precise that many felt it was nothing less than an instruction manual for would-be crackers.

Twenty-four days later the Code Red virus struck and eventually infected more than 350,000 Windows-based Web servers around the world that had not been properly patched. There was plenty of blame to go around: Microsoft released the flawed software in the first place, eEye provided the details, the author or authors actually wrote the Code Red virus, and IT managers failed to implement a well-publicized and readily available patch.

Code Red illustrates another problem associated with patches and fixes, especially those for servers. Many IT managers are reluctant to install a patch until they have had ample opportunity to test it on a nonproduction system. Because software publishers often create patches under intense time pressure from computer security companies, a patch may correct one problem but create a new, more serious flaw. In the world of high-volume, production-oriented servers, the saying "If it's not broke, don't fix it" is taken very seriously.



VersionTracker.com provides information on the most recent updates to many software products across several platforms. The list in the middle of the screen shows just a few of the 39 updates to Windows products released on Jan. 16, 2002.


Buyer Beware. Although most software doesn't come with a warranty, many reputable publishers accept the responsibility of making patches available to correct serious flaws, especially if a flaw compromises end users' data or privacy. A patch is usually posted on the publisher's Web site, and the publisher may even make an effort to contact registered users. For widely distributed products, such as Windows OSes (operating systems), individual notification isn't practical, but Microsoft devised another way to contact its users, as we will point out.

In your hands. Even after a flaw has been detected, reported, and corrected, the final step of applying the patch to your computer is usually your responsibility. In order to apply the patch, you must first be aware that the patch exists. You must also be technically competent enough to download and install it.

Sometimes patches are delivered as a single executable file. Once you run the patch, your software is fixed. These patches usually require a system restart as the final step, and even if they don't, it's always a good idea to restart to get everything refreshed and synchronized.

More complex fixes may require manual editing of the Registry or other complex operations beyond the skill level of many PC users. This is where most people run into trouble because Registry files are no place for the inexperienced to be poking around. If a patch or fix asks you to do something you're not comfortable with, get help from someone who knows what they are doing. A mistake in the Registry could render the entire computer unusable.

Ideally, software publishers should never release patches that can't be installed by even the most inexperienced users, but they do. If you run across this situation, it may be a signal it's time to look at competing products.



Who's On First? A number of resources are available to help you stay on top of product versions and patches. You may have to draw on more than one resource to cover the specific variety of packages you use, but checking for updates should be a scheduled task, just like changing the oil in your car. As with your car, skipping routine maintenance could prove disastrous and expensive in the long run.

One of the simplest ways to learn about product updates and patches is to take the time to register the software when you first install it. There's always the temptation to skip the registration process and dive right into a new application, but the process of registering usually adds your e-mail address to a customer database the software publisher can use to announce available updates and patches. Of course, unscrupulous publishers may also sell this list to others, but that's a chance you take anytime you give out your e-mail address.



Automated Tracking. Another way to determine whether your software is current is to use an online service, such as VersionTracker.com (http://www.versiontracker.com), provided by TechTracker.

This Web site provides a list of new product updates divided into four different OS groups: Mac (prior to version X), Mac OS X, Windows, and Palm OS. Within each OS, you can select products from a list of categories (audio, business, games, and so on), or you can enter a search term to locate information about a specific product. An advanced search feature lets you perform Boolean searches and select specific search fields, software types (including freeware and shareware), and categories.

The browser-based VersionTracker.com is adequate for infrequent use, but a downloadable client-server version, called TechTracker Desktop, makes routine tracking of your software a snap. It generates a customized inventory of the applications installed on your computer and displays proactive alerts whenever updates are available for these applications. TechTracker Desktop, which you can download from VersionTracker.com's site, also provides hyperlinks to reviews relating to the update or patch, if available.



House Calls. In a perfect world, software would never have defects, and upgrades would arrive and install themselves during the night while you're asleep. Although we may never achieve defect-free software, some software publishers are willing to make house calls, and some even do it for free.

Microsoft, the worldwide leader in software for personal and business computing, receives a lot of bad press when a defect is discovered in one of its OSes because the defect impacts so many people, but this same Microsoft has one of the best update strategies available for absolutely free.

Windows Update. Beginning with its release of Windows 98, Microsoft included a feature in the OS called Windows Update. This utility has been carried over to Windows Me and Windows XP Home and Professional versions. If Windows Update isn't already on your Taskbar, create a shortcut to Wupdmgr.exe, which is located in your default Windows folder (normally C:\WINDOWS).

The first time you run Windows Update, it creates an inventory of installed Microsoft products, enhancements, updates, and patches. When this process is complete, Windows Update connects to a Microsoft Web site to determine which updates, if any, you should install. A list of recommendations, or a To Do list, is displayed, and you check off the items you wish to install. Because the service is being provided by the software publisher rather than a third party, your list of suggested components may include add-ons and newly released items that relate to a product you already have installed.

After you have completed the checklist, click the Download button. Any necessary Registry modifications are performed automatically, and the only other action normally required is for you to restart your system when prompted.

Another excellent update service is Symantec's LiveUpdate (http://www.symantec.com), which comes bundled with many Norton products, including Antivirus 2002. When connected to the Internet, LiveUpdate can operate in stealth mode and automatically download revised virus definition files and program updates whenever they become available.



Sooner Rather Than The Alternative. You own a computer. You use software. Sooner or later you will encounter a bug. Limit your exposure by selecting brand-name products from companies that show a commitment to quality and customer satisfaction.

In the final analysis, though, keeping things running smoothly and securely is largely up to you. If a software publisher releases a flawed product, shame on them. If they later release a free patch and you don't take advantage of this service, shame on you.

by Dick Archer

Copyright © by Sandhills Publishing Company 2010. All rights reserved.