How Do You Want Your Patches: Sooner or Later?

The security world has been rather quiet over the past week. One significant event that did occur was that Microsoft released its first Windows 2000 (Win2K) security hotfix. The hotfix corrects a problem with the Win2K Indexing Service and Windows NT 4.0 Index Server.

Although some readers might wince at the fact that Microsoft has already released a security hotfix for a brand-new OS—an OS not even on store shelves yet—there is no cause for alarm. We can expect to see bugs in Win2K are to be expected, especially security bugs, because hackers spend more time banging away against security subsystems than they do against other system components.

I've noticed that some technologists have hammered Microsoft over the past week because a security patch actually beat the new OS to market. I think those people are being shortsighted. Expecting a perfect set of code from day one is incredibly unrealistic.

I appreciate the fact that a security patch is already available for Win2K. I'd rather have a patch than a hole in my OS, and the sooner I get that patch the better. Most of you realize that bug-free software is unlikely, and Win2K is no exception. Odds dictate that other security risks are present in the Win2K code, so the question is, "Where are the risks and how soon can we find them?"

Obviously, no blanket answer exists for that question. We can expect hackers and crackers alike to try most of the commonly known Windows-related exploits against the new OS and any services running on the new platform. The Indexing Service risk is a good example; similar path revelation problems have appeared in the past, and I'd be willing to speculate that at least one or two other security bugs have carried over from older NT 4.0-based code as well. Only time will tell.

On another note, starting this week, we launch the first of several new columns scheduled on the NTSecurity.net Web site. The first column, The Ultimate Security Toolkit, is a biweekly column by Steve Manzuik. Every other week, Steve will review a new security product. Steve offers his professional, from-the-trenches opinion about each tool and his personal recommendation to help you make buying decisions. This week, Steve reviews eEye's Retina security scanner, so be sure to check it out. Until next time, have a great week.

TAGS: Security
Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish