Security Patches Too Bloated To Use?

Here’s amusement – a Wintel-using colleague just mailed out the following:

I mentioned this to a few people earlier last week. Do NOT feel obliged to install the recently released Windows XP Service Pack 2 (for Home Edition only; Professional Edition released on the 25th August). The BBC have this article on their website:


… indicating security experts have found ways of getting around the service pack security updates … We already know of the weaknesses of M$, however I write to you only to save you the effort and time of having to download the hefty pack (80mb!) and update your WinXP Home Edition systems again in the future … Perhaps they will fix it up in time for the Professional Edition of WinXP … ? Perhaps ! 😉

Of course the matter of such insecurity is moot to me (my home is a MacOS/Linux shop), but as a security consultant I find this rather scary, reminiscent of some corporate enterprises I have visited where a machine’s configuration is considered too mission-critical to have security patches applied.

Re-read that – some machines are considered by some to be too important to have security bugs fixed.

Now, for “important”, read: the patches are considered too untrustworthy or too uneconomic to apply.

I suppose this was mostly covered in my whitepaper from 1995 [] but even still, it is nice (huh? or maybe pleasingly consistent?) to see the same sort of problems starting to apply to the home user.

Maybe Sun/Apple’s combination of dinky little patches and ueber-globby huge ones really is the best of both worlds, as opposed to doing just really big flag-day updates.