What If? The First Days of a Security Enhanced OS …

This story is especially dedicated to all the new IT Pro friends I met in Budapest this past week.  I had meant to share this story with you, but it got squeezed out by more important discussions… 

With the Windows Vista release drawing nearer each week, I’ve been thinking back to the release of Windows Server 2003, which had been through the earlier version of the SDL and was expected to improve security for customers quite a bit.  Of course, it was inevitable that vulnerabilities would eventually be discovered and patched, but how long?  Well, it turned out that it didn’t happen the first week – it took 6 weeks.  MS03-020 was released on June 4, 2003, the 42nd day of availability for the product, and it was a Critical patch. 

As sometimes happens though, this got me thinking.  So, now, let’s imagine a story…

Imagine that you are a salesperson and you have a big new product launch coming up, so you schedule time to spend the first week with all of your top customers.  Customers have high expectations of your new OS, due to some widely announced security enhancements at the core of your OS.  Then, the big day happens and the product ships!  Unfortunately:

  • On the day of ship, your company issues 27 security advisories addressing 64 vulnerabilities
  • 3 days later, your company issues a security advisory with fixes for your new “security enhanced” kernel, addressing 13 more vulnerabilities

Of course, thinking quickly on your feet, you spin this news as best you can on your customer visits, telling your customers that:

  • Those patches on the first day are actually a good sign.  That’s right, for issues found after release to manufacturing (RTM), your company was able to patch them on the very first day, so no days of risk at all, just a little automated patch work right after the installation.  [BTW, you are hoping they don't focus too much on how 64 vulns were found and disclosed between RTM and GA.]
  • The great thing about the patches for the 77 vulns is that they only contribute 0.34 days of risk, on average, since the product has only been out 3 days.  [Even better, you think to yourself, if the *next* 77 vulns average 30 days of risk, these will bring the average down to 15.  Awesome!]
  • The really good news (you tell your customer) is that your company didn’t rate the severity of any of these issues as “Critical”, so the picture isn’t as bad as some people might want to paint it.  [Deftly done, I might add.  Good not to mention that 15 were rated as Important, which is also severe.  Also shouldn't mention that 22 of the 77 were remotely exploitable vulnerabilities that were rated High severity by NIST.]

Now, in this story, if you worked for Microsoft, you’d be out of luck.  Just imagine the news stories about all of these patches and the insecurity!  And for a lot of people, this would just be proof positive of your insecurity.

It turns out, though, if you work for a different company, it isn’t so bad.  How do I know?  Well, because the first part of this story isn’t imaginary at all (though the speculations about the salesperson are).  If you want to see the security notices behind this story, just click here and check it out.

About the Author
Jeff Jones

Principal Cybersecurity Strategist

Jeff Jones is a 27-year security industry professional who has spent the last decade at Microsoft working with enterprise CSOs and Microsoft's internal teams to drive practical and measurable security improvements into Microsoft products and services. Additionally, Jeff analyzes vulnerability trends