Identifying the flaw

Learn about techniques for identifying flaws in this excerpt from Chapter 1 of "The complete patch management book."

Get a glimpse inside the e-book "The complete patch management book" by Anne Stanton, president of Norwich Group, and Susan Bradley, Microsoft Small Business Server MVP. This series of book excerpts will help you navigate Chapter 1, "What is patch management?", courtesy of Ecora.


Identifying the flaw

Very briefly, a software vulnerability is found when someone reads the code or attempts to reverse engineer it. While Linux and its variants are distributed under the open source licensing model, in which the source code accompanies the product, Microsoft does not release its source code. Security researchers therefore use various techniques to identify flaws. In some cases, the interaction and connectivity required with a UNIX or Linux system may give a researcher clues to potential flaws. Other freely available tools include Dave Aitel's SPIKE, Todd Sabin's DCE-RPC tools, Netcat, Ethereal, and many of the utilities at the Sysinternals Web site.

If the researcher or security company follows responsible disclosure practices, it contacts the software vendor ahead of time and allows the vendor to correct the flaw or respond to the issue. Eeye.com is one vendor that notifies the software vendor but does not disclose a flaw publicly at any time before the release of a security update. Irresponsible vendors and security researchers post the vulnerability to mailing lists such as Full Disclosure, along with "proof of concept" information that others have later exploited and turned into automated exploits. Once contacted, the vendor reviews the reported information to determine whether the issue truly is a security flaw. If it is, the process of building and testing the patch begins.

