I've always been blunt in expressing my opinion about enterprise software vendors promoting patching as the only viable security solution. While vendors make a habit of taking offense at my postings and arguments that patches are complementary to 3rd-party security, they consistently provide more and more arguments to prove my point.
Last week, as an Oracle customer, I got an email from the Oracle support system urging me to download and apply a new version of the April CPU patch (for HP systems only). It turns out that the original patch had an adverse effect on some of the functionality provided by Oracle products. As you can see, if you follow the link above, there are NO workarounds for this issue - which of course makes sense: it is part of the Oracle product functionality and cannot be replaced (even temporarily) by a 3rd-party solution. Security flaws, more often than not, can be mitigated using 3rd-party solutions (sometimes called "Virtual Patching"). Therefore, it would be a far better strategy to first mitigate security risks using a 3rd-party solution and then apply the patch after it has been tested rigorously in the enterprise test environment and its side effects are better understood. See also http://www.networkworld.com/news/2008/061108-mac-bug-forces-mozilla-to.html?page=1 for yet another beautiful example.
- Amichai