Have we all become "Patch Crazy?"


While catching up on my daily tech reading and conducting a poll with my Apple friends, I was told that I’d only heard from my PC friends, “this is good, but there are a few bugs; I can’t wait until the next service pack!” That statement made me stop and think for a second. Is that where the state of software is now? Do product teams simply release a product that’s “good enough” and then expect to fix the bugs in the first Service Pack? Product teams seem to be leveraging the ubiquity of the internet as a crutch for releasing what could otherwise be considered a beta.


I certainly felt this way when I installed my freshly pressed version of Vista. Now Apple users are plagued by the same plight with Leopard. I am employed by a software security testing company, and we are testing more and more “auto-updating” pieces of software which allow the software vendors to silently slipstream bug fixes into binaries without users knowing. Unfortunately, these pieces of software also increase the attack surface of a user’s computer. What if a malicious attacker could create a rogue update server and push down a patch they created to all the users of a product that everybody has installed, like Windows, Firefox, Flash, Acrobat, etc.? Just last week I was playing around with my mom’s laptop; four reboots and seven updates later (I counted), Mac OS X, Firefox and Microsoft Office were finally up to date.
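The rogue-update-server concern above is exactly what an updater's verification step is supposed to close. The following is an added example, not code from the original post or from any of the vendors named: a minimal update client that pins the vendor's Ed25519 public key, verifies the signature over the update manifest before parsing it, refuses anything that is not newer than the installed version (so a replayed old manifest cannot roll a user back), and only then checks the payload digest named in the signed manifest. The manifest format, product name, version numbers and payload bytes are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the signed description of one update (constructed format for this example).
type Manifest struct {
	Product string `json:"product"`
	Version int    `json:"version"`
	SHA256  string `json:"sha256"` // hex digest of the payload the manifest vouches for
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrProduct      = errors.New("manifest is for a different product")
	ErrRollback     = errors.New("manifest version is not newer than the installed version")
	ErrDigest       = errors.New("payload digest does not match the signed manifest")
)

// VerifyUpdate is the client-side check. Order matters: the signature is checked before
// the manifest is parsed, so unauthenticated bytes never reach the JSON decoder, and the
// payload is only hashed after the manifest naming that hash has been authenticated.
func VerifyUpdate(pub ed25519.PublicKey, manifestJSON, sig []byte, product string, installed int, payload []byte) (*Manifest, error) {
	if !ed25519.Verify(pub, manifestJSON, sig) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, err
	}
	if m.Product != product {
		return nil, ErrProduct
	}
	if m.Version <= installed {
		return nil, ErrRollback
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, ErrDigest
	}
	return &m, nil
}

// signManifest is the vendor side, included only so the example runs offline.
func signManifest(priv ed25519.PrivateKey, m Manifest) (manifestJSON, sig []byte, err error) {
	manifestJSON, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return manifestJSON, ed25519.Sign(priv, manifestJSON), nil
}

// Scenario runs the cases a client must handle and returns the error each produced
// (nil for the genuine update). A "rogue server" is modelled as a second, untrusted key.
func Scenario() map[string]error {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	payload := []byte("constructed update payload bytes")
	sum := sha256.Sum256(payload)
	good := Manifest{Product: "ExampleApp", Version: 11, SHA256: hex.EncodeToString(sum[:])}
	const installed = 10
	res := map[string]error{}

	mj, sig, _ := signManifest(vendorPriv, good)
	_, res["genuine"] = VerifyUpdate(vendorPub, mj, sig, "ExampleApp", installed, payload)

	mj, sig, _ = signManifest(roguePriv, good) // signed by a key the client does not trust
	_, res["rogue_key"] = VerifyUpdate(vendorPub, mj, sig, "ExampleApp", installed, payload)

	old := good
	old.Version = 9 // a genuinely signed but older manifest, replayed
	mj, sig, _ = signManifest(vendorPriv, old)
	_, res["rollback"] = VerifyUpdate(vendorPub, mj, sig, "ExampleApp", installed, payload)

	mj, sig, _ = signManifest(vendorPriv, good)
	tampered := append([]byte("x"), payload...) // payload swapped after the manifest was signed
	_, res["tampered_payload"] = VerifyUpdate(vendorPub, mj, sig, "ExampleApp", installed, tampered)
	return res
}

func main() {
	for name, err := range Scenario() {
		fmt.Printf("%-17s -> %v\n", name, err)
	}
}
```

The point of the design is that the server's identity never matters: whether the bytes came from the vendor or from a server an attacker controls, only a manifest signed by the pinned key, newer than what is installed, and matching the payload hash gets installed. Transport security (HTTPS) is still worth having, but it is not what stops the rogue-server case; the signature over the manifest is.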


Don’t get me wrong, though; I fully understand the need for patching. Nobody can create bug-free software, but this is getting a little out of control. (On a side note, I just tried to validate my theory and opened Firefox; it is downloading version 2.0.0.10 right now, which includes fixes for three high-impact security vulnerabilities. After which it ironically takes me to a page that assures me Firefox is “The Safest Way to Surf.” Update: four days later Firefox released another patch, 2.0.0.11, that fixed issues they broke in 2.0.0.10!)


Software vendors need to step up to the plate and properly test their software before release. This means the elimination of statements like “it’s ok if development slips a bit, we’ll make it up in testing.” This means not relying on patching for future bug fixes. The words “we’ll fix that in the first SP” shouldn’t pass a software team’s lips. This means properly integrating security throughout the SDLC, including the proper use of Threat Modeling, Static Analysis, Code Reviews and Unit Testing. A good place to start is getting a fresh set of eyes on the code and application through an internal red team or third-party audits. No author in their right mind would publish a book without having an editor look at it first, so why do we think it’s a good idea to release software blindly?


--Joe Basirico
