| PATCHES | |
.
| INTRODUCTION | After completing
reading this unit, and listening to the lecture in class, students will
have information about:
o Why
they exist
|
| KEY
POINTS |
"Patches" Why they exist
It is mainly a consequence of the competitive environment. Most large and medium sized IT companies are often forced to release products on the market before they are thoroughly tested - due to the pressues of the Competitive Environment. As a result, there are often bugs, glitches, errors, etc in these programs. However the developers of the programs are not too concerned because they trust that the most profficient customers will be involved in circumstances where these errors will be found - and then complain to "tech support" - whereupon a "patch" can be made and then released. |
 |
Prof. Richardson
made a simple "intro to patches" video in class (MRK619) March 8th 2010
- thanks to Stephanie who held the camera.
In his narrative, Richardson used the analogy of a TV commercial describing how a car could be broken in to - watch it to understand how this relates to the way people are informed about patches. |
| . | |
https://www.itworldcanada.com/article/canadian-websites- temporarily-shut-down-as-world-scrambles-to-mitigate- or-patch-log4shell-vulnerability/....... |
Patches 2021
Federal and provincial departments including the Canada Revenue Agency, Employment and Social Development Canada and the Toronto region transportation system Metrolinx took their websites offline over the weekend to deal with the critical log4j2 Java library vulnerability UPDATE: This morning (2021 Dec 14) the CRA said most of its digital services have now been restored. Only a page for order forms and publications was still offline. |
Microsoft is famous for sending
out many patches for their bugs and if you follow the sequence of some
of the screen captures below you can see how it happens.
.
Patches: How do you hear
about them? How are you informed a Patch is required?
There are a select small
number of institutional, associations, and government and academic web
sites within which security topics are discussed in an intelligent and
authoritative manner.SANS Institute is considered one of the elite sources
of IT security information. One can subscribe to their email list for patch
info, and a typical message looks like the screen capture below.
c
| "Patches"
resources What is a patch?
|
.
What is a patch? "A patch can be an upgrade (adding increased features), a bug fix, a new hardware driver or update to address new issues such as security or stability problems." "While most patches are free to download, ultimately the developer will determine which versions of their software will be updated for free (older releases of a program usually get fewer updates). In some cases, only registered users may get certain upgrades, and at other times the only way to upgrade is to purchase the newer version at a discounted upgrade price (and requiring a reinstallation of the program). Typically, a patch can be installed over the top of an existing program, but again this will depend on the supplier and the nature of the patch." The site softwarepatch.com have a note on their site that gives permission to anyone to do a basic link to their site. Emailed them in May 2005 and Scott gave permission to use a screen capture for the course. Copy of the email on file in the permissions binder. |
 |
This page
is a great resource for patches |
Anielyn B., a UTM student in MGD415 in March 2007 sent an informative and useful email about how patches are used / ignored at UTM |
 |
| . | Anielyn wrote
I was reading through the Patches section on the website and realized that there wasn't much information about how consumers felt about them. So, I thought I should share my two cents. From my experience, many people don't even bother to download patches – specifically students. At UTM, if students want to connect to the UTM wireless network, they have to pass the ESP (Endpoint Security Policy System) scan. This scan checks whether the student's laptop has all Microsoft updates and a working antivirus program. Since I've been working at the UTM library, I've realized that most laptop problems come from insufficient Microsoft updates, which result in failing the ESP scan. When I asked students why they didn't just update it normally (since there are messages that pop up telling people to update their computer when new patches are available), they usually replied by saying they simply ignored it because (1) they didn't have time
to do it,
Essentially, the only reason these students updated their computers was to have Internet access, not because they wanted to fix security issues. If anything, they found having to update their computers a hindrance, not a benefit. It wasn't unusual for me to be updating a student's computer for over an hour. |
| . | Anielyn concludes
Although patches are supposed to be important, some users may feel that they don't make a difference. If anything, they take space and time – lots of time for the students who were missing over 10 patches. Unless it's an absolutely critical patch, downloading a new, small patch isn't worth the hassle. Funny enough, sometimes people don't even download critical patches as long as their system appears to be working fine. Take care, Anielyn |
| "Patches"
Where you get them |
.
"The vulnerability involves what's known as an "unchecked buffer" in the Remote Data Services (RDS) component of MDAC. The faulty code is in a function called the RDS Data Stub, which is used to pull information from incoming HTTP requests and create RDS commands, according to Microsoft. An attacker could exploit the security weakness by sending an improperly formatted HTTP request to the Data Stub that contained extra data. The surplus would cause the buffer to overflow, and in the process would place and run the attacker's data on the victim's PC." Permission to quote from Yahoo!, use the Yahoo! logo, and use screen captures, was given in an email by Debbie Macleod, Yahoo! Marketing Manager Jan 21st, 2005. Copy of the email is kept in the permissions binder |
.
| "Patches"
- they aren't keeping pace with the threat |
.
Original Article by Jay Lyman, NewsFactor Network, August 16, 2002 www.newsfactor.com/perl/story/19023.html
Lyman, quoting "Koetzle stressed that companies are too shorthanded in IT to keep up, but she also blamed software vendors for failing to flag software patches and communicate the need to install them. "Software vendors -- and Microsoft is a big culprit here -- give you a lot of patches, and they issue them frequently," Koetzle said. "It's for you to figure out which ones you need, which ones are important. You also have to test them." Giga Information Group research director Mike Rasmussen agreed that the sheer quantity of patches is perhaps the biggest challenge to keeping software holes closed. " |
| KEY
POINTS |
There is a problem with
software not being "done right" in the beginning so we have to have a patch
- and this problem is compounded with the scenario that there are too many
patches, and it is too time consuming to install them all.
The problem is simply a consequence of the competitive environment - this is a competition thing not a technical thing. If the software vendors were not in such intense competition with each other, they could take more time, before a product is released, to check it for bugs so a patch would not be necessary. |
|
|
CONTACT I MAIN PAGE I NEWS GALLERY I E-BIZ SHORTCUTS I INT'L BIZ SHORTCUTS I MKTG&BUSINESS SHORTCUTS I TEACHING SCHEDULE |
| . | |
| MISTAKES ITEXTS USED I IMAGES I RANK IDISCLAIMER I STUDENT CONTRIBUTORS I FORMER STUDENTS I | |
| . |
