Windows Update Can Hurt Security

An anonymous reader writes "Researchers at Carnegie Mellon University have shown that given a buggy program with an unknown vulnerability, and a patch, it is possible automatically to create an exploit for unpatched systems. They demonstrate this by showing automatic patch-based exploit generation for several Windows vulnerabilities and patches can be achieved within a few minutes of when a patch is first released. From the article: 'One important security implication is that current patch distribution schemes which stagger patch distribution over long time periods, such as Windows Update... can detract from overall security, and should be redesigned.' The full paper is available as PDF, and will appear at the IEEE Security and Privacy Symposium in May."

Quiz

[Lord Grey]

Fill in the blank:

Windows _____________ Can Hurt Security

1. 1) "Applications"
2. 2) "Network Connectivity"
3. 3) "Update"
4. 4) "Users"
5. 5) ""

Re:Quiz

[4D6963]

Fill in the blank:

Windows _____________ Can Hurt Security

1. 1) "Applications"
2. 2) "Network Connectivity"
3. 3) "Update"
4. 4) "Users"
5. 5) ""

1. 6) "Profit"?

No prob...

[Last_Available_Usern]

Just roll the entire i386 directory into every patch.

Re:From the PDF:

[Seth Kriticos]

Fast Patch Distribution: basically leveraging technologies like P2P to insure that patches are rolled out...well...fast. Problems again include off-line hoists, as well as hosts who have the misfortune of being on ISPs that take a dim view of P2P.

Why not use the bot nets for this kind of stuff? I mean, previous article today already showed, that they have a quite effective way of patching arbitrary systems and distribute mass content.

Re:Quiz

[Gewalt]

I think FTA is wrong

Here, Here! I am also a firm believer that F'ng T A is just plain wrong. No one should do that.