Derrick's Security Weblog

Wednesday Jun 08, 2005

Why did that security patch take so long? part 1

I used to get asked all the time why it takes so long to put out a security patch. While it doesn’t happen all that often now (more on that in part 2), I thought I’d spill the beans on how we categorize and work on security bugs around here.

Probably the single most important classification for determining the process we use when rolling out security fixes is public vs. private. That is, is the vulnerability known publicly, or is it (presumed to be) known only within Sun and perhaps by the friendly (aka willing to be quiet while we work on it) person or group that reported it to us? We consider a vulnerability publicly known if:

  • It’s been mentioned in a chatroom, on a website, on IRC, in an article, etc.
  • Somebody has posted an advisory.
  • There’s any evidence or indication that it has been exploited anywhere.
  • We know customers have been told about it.
  • We know that miscreants/black hats/unfriendlies/(pick your term) know about it.

When a vulnerability is publicly known, we will:

  • Post a Sun Alert immediately, even if all we can tell customers is ‘there’s a vulnerability and the only workaround is to turn it off.’
  • Release patches as soon as they are ready (regardless of which version is patched first).
  • Release T-patches or IDRs (Interim Diagnostic & Relief) if they’re ready before patches.
  • If needed and reasonable, waive some patch testing, soak time, etc.

Not surprisingly, we’re happier when we know about things before they become publicly known. When a vulnerability is privately known, we’ll actually hold off on releasing any patches until we have patches ready for all supported versions of the impacted software (for Solaris this means patches available for Solaris 2.7, 2.8, 9 and 10, on both SPARC and x86). We’ll follow the same testing/soak time procedures we use for all patches, and the Sun Alert won’t go out until everything is ready. This is also true if we’re doing a coordinated release with a security company, a coordinating body like CERT/CC, or other vendors.

But wait a minute, doesn’t keeping this stuff quiet and not telling customers about it put them at risk? Perhaps, but we don’t think so. We know the bad guys are always looking for new ways to break into computers, and we try very hard not to make it easier for them. If we went public with information as soon as we had it, we would be pointing the bad guys at least in the general direction of where to start looking for a way in, at a time when customers have no patch to apply.

Of course, if at any time an issue that was classified as private goes public, all bets are off and we release what we have at that time and put out a Sun Alert.

The bottom line is that it can take a lot of time to put out patches that have the level of quality Sun is used to delivering. If we believe we can safely take that time, we will. Many of the people who report things to us understand this and are willing to wait, sometimes a couple of months, while we get everything ready.

In a couple of days I’ll write part 2 about the decisions and tradeoffs between speed vs. quality.
