Competing computer security vendors racing against each other to find and publish new software vulnerabilities are pushing sysadmins to the brink. They need to grow up and start getting responsible about the way they release information into the community, AusCert director Graeme Ingram has warned.
Ingram said that the sheer volume of vulnerabilities, exploits and patches being created on a daily basis had now reached the unworkable state where sysadmins are being forced to take unacceptable risks just to keep their networks up and running.
"The dilemma for system administrators is 'do I patch today and hope that it doesn't break something' or 'do I wait and hope that the worm doesn't hit'. That's like being caught between the devil and the deep blue sea, what are you supposed to do? When you start making those sorts of critical decisions it becomes a matter for senior management. It's killing the system," Ingram said.
Asked whether security researchers and companies ought to abide by a code of nondisclosure to allow people more time to patch properly, Ingram said he was completely not opposed to the idea - but flatly declined to name any of the security companies he saw as offenders.
"These days I'm not sure it's necessarily only the hackers you have to worry about. It's some of the professional research laboratories as well. If you are producing vulnerabilities at the rate of 4000 a year, and these are serious and have to be patched, it becomes a real issue because you can't keep up," Ingram said.
More than aware of the merry patchwork hell they have been created, security vendors have taken Ingram's warning on the chin. Trusecure's Asia Pacific business development manager Chy Chuawiwat backed Ingram's warning as apt and relevant.
"At then end of 2003 there were a total of 15MB worth of patches Windows users could download which shows the whole patch issue gets out of control. Patching a network costs serious time and money," Chuawiwat said, recommending users cast a critical eye over new vulnerabilities to save money and heartache. "When using a patch, wait until the problem or threat gets serious - to the stage where something that was once a vulnerability becomes an actual threat and act when the exploit code is available."
Paul Ducklin from anti-virus and data security firm Sophos said the dilemma of whether to patch or not is one that has faced industry and organizations for many years, leaving IT managers and system administrators feeling that sometimes patches and operating system updates are a cure worse than the disease.
"One man's virus is another man's non-entity. It all comes down to whether or not you trust your vendor - or with open source, the community developing the product. It's reasonable to believe a vendor who delivers product that works is more likely to deliver patches that work right out of the box - and more likely to deliver real time fixes," Ducklin said.
Even Symantec's regional sales director Greg Wyman conceded it was hard to know when to apply patches given the lightening speed with which worms viruses exploded. "If you do not have a virus, there's not an urgency in obtaining a particular patch. But if there is an urgency the patch has to be rolled out as soon as possible. It is a traumatic experience for a network administrator, especially given the scenario that a patch that wasn't relevant to anyone ten minutes ago is now urgent," Wyman said.