Posted Feb 23, 2009 16:22 UTC (Mon) by ortalo (subscriber, #4654)
Parent article: Forcing updates
"But, the problem remains that there are lots of systems that are not getting updated and are thus vulnerable to a wide variety of exploits."
Well, the first time I remember hearing this remark was in 2000 (at the RAID symposium) and made by the main CERT/CC coordinator (and founder IIRC - sorry I cannot find his name again).
Most prominently, I remember him presenting figures such as "20% of the systems never get patched - at all" as a state of fact, not as a complaint.
IMHO, we should think about how to deal with this state of fact rather than try to force updates on systems. In fact, I've always been reluctant to try to improve security patch flows and, the more I get involved with growing computer security responsibility, the more I would like to see totally alternative approaches to security be explored.
Of course, my favourite alternative is: not introduce security bugs at all in the first place, but I confess I may be satisfied by guaranteed limited impact of security failures too... (Oops, shouldn't have said that...)