Get a glimpse inside the e-book "The complete patch management book" by Anne Stanton, president of Norwich Group, and Susan Bradley, Microsoft Small Business Server MVP. This series of book excerpts will help you navigate Chapter 1, "What is patch management?," courtesy of Ecora. Click for the complete book excerpt series.
Identifying the flaw
Very briefly, software vulnerability begins when someone looks at code or attempts to reverse engineer code. While Linux and its variants work under the open source licensing model wherein the source code accompanies the product, Microsoft does not release its source code. Thus, many security researchers use various techniques to identify flaws. In some cases, the interaction and connectivity needed between a UNIX or Linux system may provide clues to a researcher for potential flaws. Other freely available tools include Dave Aitel's SPIKE, Todd Sabin's DCE-RPC tools, Netcat, Ethereal, and many of the utilities at the Sysinternals Web site.
If the researcher or security company agrees to responsible disclosure techniques, it contacts the software vendor ahead of time and allows the vendor to correct the flaw or respond to the issue. Eeye.com is one vendor that notifies but does not disclose a flaw publicly at any time prior to the release of a security update. Irresponsible vendors and security researchers post the vulnerability to listserves such as Full Disclosure along with information that provides a "proof of concept" that has later been exploited by others and turned into automated exploits. Once contacted, the vendor reviews the reported information to see if the issue truly is a security flaw. If there is an issue, the process of building the patch and testing the patch begins.
Click for the next excerpt in this series: Why do we patch?
Click for book details or get more information from Ecora.