
Fixing Holes

According to press reports, DHS is going to require federal computer contractors to scan for holes and start patching them within 72 hours. Is this feasible?

It’s certainly a useful goal. It’s also extremely likely that it will take some important sites or applications off the air on occasion—patches are sometimes buggy (this is just the latest instance I’ve noticed), or they break a (typically non-guaranteed or even accidental) feature that some critical software depends on. Just look at the continued usage rate for Internet Explorer 6—there are very valid reasons why it hasn’t been abandoned, despite its serious deficits of functionality, standards compatibility, and security: internal corporate web sites were built to support it rather than anything else.

In other words, deciding to adopt this policy is equivalent to saying “protecting confidentiality and integrity is more important than availability”. That’s a perfectly valid tradeoff, and very often the right one, but it is a tradeoff, and the policy should recognize it explicitly. I imagine that there will be a waiver process (and the headline says “begin fixing” holes), but the story doesn’t say—and of course, if there are too many waivers the policy is meaningless.

One more point: sometimes, hardware upgrades are required. For example, Windows XP support ends in April 2014; security bugs found after that point will only be fixed in something more modern, so staying patched means upgrading the operating system. Most older computers can’t support Windows Vista or Windows 7—will the agencies have enough budget to do that?

Oh yes: this problem of long-delayed patch installation isn’t peculiar to the government. After all, the private sector is at least as far behind when it comes to, say, getting rid of IE 6. Again, there are reasons for such things to take a while, but that doesn’t mean they should be allowed to drag on indefinitely.

By Steven Bellovin, Professor of Computer Science at Columbia University

Bellovin is the co-author of Firewalls and Internet Security: Repelling the Wily Hacker, and holds several patents on cryptographic and network protocols. He has served on many National Research Council study committees, including those on information systems trustworthiness, the privacy implications of authentication technologies, and cybersecurity research needs.


Comments

IT patch compliance / monitoring is usually a bit more nuanced than that
Suresh Ramasubramanian – Jun 20, 2012 1:23 PM

Like, patches can be graded for severity, and different “classes” of systems get different timelines for patching.  End user laptops vs production servers, servers that are on an intranet versus those that are internet connected etc.

And exception procedures too, for cases where a particular patch can’t be applied.

I seriously doubt that this DHS notification simply means “run windows update”.
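The scheme sketched in the comment above (patches graded by severity, different deadlines per class of system, and an exception procedure) is easy to turn into a compliance check. The following is an added illustration, not code from the post, from the commenter, or from any DHS guidance; the SLA matrix, asset classes, host names, patch identifiers and dates are all constructed for the example. It computes which missing patches are overdue, honours waivers only until they expire, and reports the waiver rate, which is the number that tells you whether the policy has become meaningless.

```python
"""Patch-SLA compliance checker (added illustration; all data constructed)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical SLA matrix: days allowed from patch release to installation,
# keyed by (patch severity, asset class). Not an official schedule.
SLA_DAYS = {
    ("critical", "internet-facing-server"): 3,
    ("critical", "intranet-server"): 7,
    ("critical", "laptop"): 14,
    ("high", "internet-facing-server"): 14,
    ("high", "intranet-server"): 30,
    ("high", "laptop"): 30,
    ("medium", "internet-facing-server"): 30,
    ("medium", "intranet-server"): 90,
    ("medium", "laptop"): 90,
}


@dataclass(frozen=True)
class Patch:
    patch_id: str
    severity: str
    released: date


@dataclass(frozen=True)
class Host:
    name: str
    asset_class: str


@dataclass(frozen=True)
class Waiver:
    """An approved exception for one host/patch pair, valid until `expires`."""
    host: str
    patch_id: str
    expires: date
    reason: str


@dataclass
class Report:
    overdue: list          # (host, patch_id) past deadline with no valid waiver
    waived: list           # (host, patch_id) covered by an unexpired waiver
    pending: list          # (host, patch_id) missing but still inside the SLA
    expired_waivers: list  # waivers that lapsed and no longer protect the host
    waiver_rate: float     # share of all missing patches that are waived


def deadline(patch: Patch, host: Host) -> date:
    """Install-by date for this patch on this host; unknown pairs are an error,
    not a silent pass, so a mis-tagged asset class cannot hide a host."""
    try:
        days = SLA_DAYS[(patch.severity, host.asset_class)]
    except KeyError:
        raise ValueError(f"no SLA for {patch.severity}/{host.asset_class}") from None
    return patch.released + timedelta(days=days)


def assess(hosts, missing, waivers, today: date) -> Report:
    """`missing` maps host name -> patches not yet installed on that host."""
    by_key = {(w.host, w.patch_id): w for w in waivers}
    report = Report([], [], [], [], 0.0)
    for host in hosts:
        for patch in missing.get(host.name, []):
            key = (host.name, patch.patch_id)
            waiver = by_key.get(key)
            if waiver is not None and waiver.expires >= today:
                report.waived.append(key)
                continue
            if waiver is not None:  # lapsed waiver: host is back on the clock
                report.expired_waivers.append(key)
            if today > deadline(patch, host):
                report.overdue.append(key)
            else:
                report.pending.append(key)
    total = len(report.overdue) + len(report.waived) + len(report.pending)
    report.waiver_rate = len(report.waived) / total if total else 0.0
    return report


def run_sample() -> Report:
    """Constructed inventory as of the post's date; not real hosts or patches."""
    today = date(2012, 6, 20)
    kb_a = Patch("KB-A", "critical", date(2012, 6, 10))
    kb_b = Patch("KB-B", "high", date(2012, 6, 15))
    kb_c = Patch("KB-C", "medium", date(2012, 3, 1))
    hosts = [Host("web01", "internet-facing-server"),
             Host("db01", "intranet-server"),
             Host("lt-42", "laptop")]
    missing = {"web01": [kb_a, kb_b], "db01": [kb_a], "lt-42": [kb_a, kb_c]}
    waivers = [Waiver("lt-42", "KB-C", date(2012, 7, 1), "legacy app needs retest"),
               Waiver("db01", "KB-A", date(2012, 6, 1), "change freeze (lapsed)")]
    return assess(hosts, missing, waivers, today)


if __name__ == "__main__":
    r = run_sample()
    print("overdue:", r.overdue)
    print("pending:", r.pending)
    print("waived:", r.waived, "expired waivers:", r.expired_waivers)
    print(f"waiver rate: {r.waiver_rate:.0%}")
```

Two design choices matter here: a severity/class pair with no SLA entry raises instead of passing, so an inventory tagging mistake surfaces as an error rather than an unmonitored host; and a waiver that has expired is reported separately, so the "too many waivers" failure mode Bellovin worries about is visible as both a rate and a list of lapsed exceptions.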

What will Microsoft suggest to be run
Phil Howard – Jun 20, 2012 6:25 PM

What will Microsoft suggest to be run on older hardware?  Linux?

