This brings the question: Are Mondo-sized patches like MS04-011 a good idea or a bad idea?

On the one hand, they correct a lot of problems, in a way very friendly to most users. One of the big headaches is the ignorant users, who end up worm-bait, botnets, spam relays, stepping stones, etc. Allowing them to easily be up to date is a good thing. Additionally, it removes some of the judgement calls on patch severity/urgency, because there is probably going to be at least one "you better patch it now", so there is less likely to be a "Microsoft only rates this as important because you have to be authenticated in the domain..." moment.

But on the other hand, the probability of the superpatch causing problems is exacerbated. If each normal patch has a probability P of causing problems, then an N-fold patch has probability (1 - P)^N of NOT causing a problem. Thus the probability is 1 - (1 - P)^N that the N-way patch will have an issue. For real-world numbers, if P = .1 (10% chance the patch may be problematic) and N is 10, then the patch has a 65% chance of being a problem. Even if P is .01, there is still a nearly 10% chance of problems from a 10-way superpatch.

This is now worse as the attackers have finally started waking up to the reality of worms. With vulnerabilities like the ones in the superpatch, and with attackers demonstrating a <48 hour turnaround time between disclosure and worm (Witty) or exploit and worm (Sasser), these superpatches leave an administrator in a bind: Apply the superpatch immediately and accept the significantly increased probability of failure, or don't apply the patch and accept the vastly high probability of a worm in the near future.

-- 
Nicholas C. Weaver
nweaver@cs.berkeley.edu