According to Symantec it would seem that security flaw + patch in 5 days = result. Certainly compared to the average 140 days it takes Microsoft to patch a vulnerability it’s to be applauded, but only with one hand. 5 days is 119 hours and 55 minutes too long in my book. In the wise words of singing tech gurus Tavares (or Take That for our younger readers) ‘it only takes a minute girl, to infect your PC’. Well, I might have taken liberties with the lyrics, but no more than security vendors take with the integrity of my data, resources and identity whenever product exploits emerge.
I’m not advocating, for even that single minute, that a rushed solution is any solution at all. However, I’m not prepared to join the throng of gushing commentators eager to praise the speed with which this patch has been released. Words such as remarkable and masterful have been bandied about, even the totally ridiculous ‘break neck speed’. Sorry Symantec, but I’ll argue until the cows come home that 5 days is not an acceptable length of time for a vendor of your size and stature to leave customers in a security threat limbo. The Microsoft comparison doesn’t hold water; the products are poles apart in complexity and lines of code alike. A better metric would be that of OpenBSD and SSH, for whom a day is considered a long time for a patch to get into the upstream distribution chain; a few hours is the norm.
Would you leave the door to your office unlocked for a week while a new lock can be found that fits it, working on the principle that if nobody knows it’s unlocked then nobody will break in? Of course not, you’d shore things up the best you can while waiting for the lock to be delivered. Yet Symantec seems happy with the time taken to release this patch, on the understanding that there were no known attacks that could exploit the flaw. Sometimes, well often actually, the naivety of the IT security market leaves me gob-smacked.
If you are a business customer, the patch (which has to be downloaded and applied manually) to fix the stack overflow flaw in Client Security 3.0 and 3.1, and AntiVirus Corporate Edition 10.0 and 10.1, can be downloaded from Symantec. But only if you are an English language customer; others have to wait even longer for their patches to become available. Home users need not panic, as the Norton range was not caught up by this particular hole.
Oh, and wish me luck: I’ve made it down to the finals of the UK ‘IT Security Journalism’ awards. Of three entries in the ‘Best Security Feature’ category, one is all my own work and another co-authored by myself. I’ve also managed to get down to the final three writers up for the overall ‘IT Security Journalist of the Year’ title. The winners will be announced at a lunch ceremony in London on 11th July, so keep your fingers crossed for me!