Patching without Details Difficult to Justify
The recent leak of DNS vulnerability details is leading to a lot of discussion about how well security professionals can keep the lid on such details. Efforts by Dan Kaminsky and others to quietly patch a severe vulnerability in DNS are generally lauded but some system admins have justifiable concerns about patching such a fundamental network service without details. Today it's DNS, tomorrow it could be a database. What should DBAs do?
Working with large, complex databases can give DBAs a strong sense of "if it isn't broken, don't fix it." Patches can break things in unexpected ways and when this happens in database servers the results can be particularly difficult to clean up the mess if the integrity of data is compromised. This is why DBAs read patch release notes like a talmudic scholar. This is in direct opposition to the strategy employed by Kaminsky.
Cutting to the chase, there is no good solution to this problem. Dennis Fisher has summarizes the pros and cons of withholding vulnerability details and concludes withholding details does not bring sufficient long term benefits. I suspect if similar warnings went out about a vulnerability in a major commercial database without details it would send attackers on the hunt for it while leaving many DBAs waiting for details before patching, which is really the worst of all possible worlds.
Email This!
Digg it!
Sphere it!
Del.icio.us
Reddit!
Newsvine
