
Have we all become “Patch Crazy?”

Dec 03, 2007

While catching up on my daily tech reading and conducting a poll with my Apple friends, I was told what I’d previously only heard from my PC friends: “this is good, but there are a few bugs, I can’t wait until the next service pack!” That statement made me stop and think for a second. Is that where the state of software is now? Do product teams simply release a product that’s “good enough” and then expect to fix the bugs in the first Service Pack? Product teams seem to be leveraging the ubiquity of the internet as a crutch for releasing what could otherwise be considered a beta.

I certainly felt this way when I installed my freshly pressed version of Vista. Now Apple users are plagued by the same plight with Leopard. I am employed by a software security testing company, and we are testing more and more “auto-updating” pieces of software which allow the software vendors to silently slipstream bug fixes into binaries without users knowing. Unfortunately, these pieces of software also increase the attack surface of a user’s computer. What if a malicious attacker could create a rogue update server and push down a patch they created to all the users of a product that everybody has installed, like Windows, Firefox, Flash, Acrobat, etc.? Just last week I was playing around with my mom’s laptop; four reboots and seven updates later (I counted), Mac OS X, Firefox and Microsoft Office were finally up to date.
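The rogue update server scenario above is exactly what signed-update verification in an auto-updater exists to prevent: the client pins the vendor's public key and refuses any payload whose manifest does not verify under it. The Go program below is an added example, not code from the original post or from any of the vendors named. It constructs a vendor key pair, a signed manifest and an update payload in memory, and shows the client-side check accepting the genuine update, rejecting a payload that was swapped in transit, and rejecting a manifest signed by a rogue server's own key. The manifest layout and all names are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what an update server publishes alongside a payload
// (hypothetical format chosen for this example).
type Manifest struct {
	Version   string
	SHA256    string // hex SHA-256 of the update payload
	Signature []byte // Ed25519 signature over Version + "\n" + SHA256
}

// manifestBytes is the exact byte string that gets signed and verified.
func manifestBytes(version, digest string) []byte {
	return []byte(version + "\n" + digest)
}

// SignManifest is the vendor-side step: hash the payload and sign the
// manifest with the vendor's private key.
func SignManifest(priv ed25519.PrivateKey, version string, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	digest := hex.EncodeToString(sum[:])
	return Manifest{
		Version:   version,
		SHA256:    digest,
		Signature: ed25519.Sign(priv, manifestBytes(version, digest)),
	}
}

// VerifyUpdate is the client-side check. The client trusts only the key
// pinned into the binary, never a key delivered by the update server,
// so a rogue server cannot simply ship its own key with its own patch.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, payload []byte) error {
	if !ed25519.Verify(pinned, manifestBytes(m.Version, m.SHA256), m.Signature) {
		return errors.New("manifest signature invalid under pinned vendor key: refusing update")
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("payload digest does not match signed manifest: refusing update")
	}
	return nil
}

// Scenario runs three constructed cases and reports whether each behaved
// as a safe updater should.
func Scenario() (genuineOK, tamperedRejected, rogueRejected bool) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed update payload for version 1.0.1")
	m := SignManifest(vendorPriv, "1.0.1", payload)

	// Case 1: the genuine update from the vendor verifies.
	genuineOK = VerifyUpdate(vendorPub, m, payload) == nil

	// Case 2: an attacker on the path swaps the payload but cannot
	// re-sign the manifest, so the digest check fails.
	tampered := append([]byte(nil), payload...)
	tampered[0] ^= 0xff
	tamperedRejected = VerifyUpdate(vendorPub, m, tampered) != nil

	// Case 3: a rogue update server signs its own manifest with its own
	// key; the pinned vendor key rejects the signature outright.
	_, roguePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	roguePayload := []byte("constructed payload from a rogue server")
	rm := SignManifest(roguePriv, "1.0.2", roguePayload)
	rogueRejected = VerifyUpdate(vendorPub, rm, roguePayload) != nil
	return
}

func main() {
	genuine, tampered, rogue := Scenario()
	fmt.Println("genuine update accepted:  ", genuine)
	fmt.Println("tampered payload rejected:", tampered)
	fmt.Println("rogue manifest rejected:  ", rogue)
}
```

The essential design point is that the trust anchor (the pinned public key) lives in the already-installed binary, not in anything the update channel delivers; a compromised or impersonated server can then at most deny updates, not install code of its choosing.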

Don’t get me wrong, though; I fully understand the need for patching. Nobody can create bug-free software, but this is getting a little out of control. (On a side note, I just tried to validate my theory and opened Firefox – it is downloading version right now, which includes fixes for three high impact security vulnerabilities. After which it ironically takes me to a page that assures me Firefox is “The Safest Way to Surf” – Update: four days later Firefox released another patch,, that fixed issues that they broke in!)

Software vendors need to step up to the plate and properly test their software before release. This means the elimination of statements like “it’s ok if development slips a bit, we’ll make it up in testing.” This means not relying on patching for future bug fixes. The words “we’ll fix that in the first SP” shouldn’t pass a software team’s lips. This means properly integrating security throughout the SDLC, including the proper use of Threat Modeling, Static Analysis, Code Reviews and Unit Testing. A good place to start is getting a fresh set of eyes on the code and application through an internal red team or third party audits. No author in their right mind would publish a book without having an editor look at it first – so why do we think it’s a good idea to release software blindly?

 –Joe Basirico 

Joe Basirico - Security Analyst. Joe studies security and develops tools that assist in the discovery of security vulnerabilities and general application problems. His primary responsibility at Security Innovation is to deliver security courses to software teams in need of application security expertise. He has trained developers and testers from numerous world-class organizations, including Microsoft, HP, EMC and Symantec. Joe is also responsible for participating in customer security process assessments as well as security engineering activities such as security design reviews, security code reviews, security testing and security deployment reviews. Joe holds a B.S. in Computer Science from Montana State University.

John Carmichael - Security Researcher. John leverages his strong lab development, programming and security process skills to deliver factual and useful training courses to testers and developers. John is a skilled software and Web developer with deep expertise in several different languages and environments. He has made many contributions to the open source software community by developing an open source structured drawing tool implemented in Python, testing several release candidates of the Sarge installer for the Debian Linux distribution, and writing a soon-to-be-released Windows OS crash analyzer product. John has a B.S. in Computer Science and Business Administration from the University of Vermont and is currently working toward an M.S. in Computer Information System Security from Boston University.