FYI, I just saw an opinion piece on Computerworld written by Bill Addington called "Slow down the security patch cycle". (See http://www.computerworld.com/printthis/2004/0,4814,92037,00.html for the full story.) In the article, the author discusses some possible solutions for improving the distribution of vulnerability and patch information.

For example, he says:

"In one possible scenario, software owners would subscribe to an automated patch service. Those without a subscription would receive the patch through current means, but it would expose those users to greater risk. Subscribers would receive a predeployed, encrypted version of the patch. At a predetermined point, a decryption key would be passed to a patch installer on all subscribed systems."

Now, I'm not at all convinced that this would solve any problems -- IMHO, it would create more than it solves. In particular, he's advocating this slowing down of patch distribution in response to the recent Witty worm, which hit the net just a day or so after ISS put out their patch for the vulnerabilities in their products. Also, I believe that the author is too focused on an operations-only solution set to vulnerability issues, IMHO.

Cheers,

Ken van Wyk
http://www.krvw.com