Commentary: Patch holes, pressure companies

As 2001 draws to a close, the pace of discovery of software vulnerabilities shows no sign of slowing.

By John Pescatore, Gartner analyst

Microsoft has announced what it defines as three critical security flaws in the Internet Explorer version 5.5 and 6 browsers embedded in Windows 2000 and Windows XP. Sun Microsystems and IBM had to issue patches for Solaris and AIX after a serious buffer overflow vulnerability, which could allow an attacker to log in with "superuser" privileges, was found in those Unix variants.

Gartner's Internet Vulnerability Risk Rating methodology identifies both the Windows and Unix security flaws as "high risk." Therefore, businesses should immediately apply the appropriate patches to all affected servers running AIX or Solaris, and all PCs running Internet Explorer versions 5.5 or 6.

The odds are high that a Nimda-style worm will be launched within the next six weeks that looks to exploit unpatched systems. To prepare for that threat, businesses should patch all affected systems as soon as possible and perform backups of server software configurations--that way, the version in backup storage has the patch. In addition, businesses should update all tools used to monitor configuration compliance to require the latest patched version.

Businesses should elevate security as an evaluation criterion when making major platform or upgrade decisions. Without marketplace pressure on software companies to provide more secure products, businesses will remain in a vicious cycle of hacks, patches and more hacks.

Gartner recommends that Type B businesses (middle-of-the-road adopters of mainstream technology) not upgrade to new releases of software until at least nine to 12 months after general release. Type A businesses (aggressive adopters of leading-edge technology) should require extensive company support in security testing before committing to Internet-exposed production use of new releases. Where prototype testing and company competitions are held for new software products, companies should demonstrate evidence of security testing by outside experts.

A bill before the U.S. House of Representatives--H.R. 2970, also known as the Securing America Investment Act of 2001--would permit expenditures for qualifying security devices (including computer systems) to be allowed as deductions for the tax year in which the devices were purchased. However, Gartner believes that the bill contains a fatal flaw because it encourages spending to fix security problems rather than avoid them. Adding a security system to protect a Web server with security vulnerabilities would be rewarded with a tax break, while buying a more secure product would not be.

Businesses should use their purchasing power--and the government should use proposed legislation--to force software makers to develop and ship more-secure products. Simply spending more money on bandages is not a great strategy when the patient has a severed artery.

(For a related commentary on H.R. 2970, see Gartner.com.)

Entire contents, Copyright © 2001 Gartner, Inc. All rights reserved. The information contained herein represents Gartner's initial commentary and analysis and has been obtained from sources believed to be reliable. Positions taken are subject to change as more information becomes available and further analysis is undertaken. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of the information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof.