Monday, March 19, 2007

Why are Some Software Vendors So Security Unaware?

It seems odd to me that software vendors release products with known vulnerabilities and then do nothing to patch them. Worse, in some cases patching the host operating system breaks one of these errant applications, and the vendor's remedy is to put the original, vulnerable file right back in place. For example, the operating system vendor releases a security patch. The minute it is applied, a third-party application that depends on the patched files breaks. Instead of releasing a patch for its own product, the vendor relies on a "self repair" mechanism that simply restores the previous, vulnerable versions of the very files the patch was meant to fix.
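The practical problem with a "self repair" mechanism like the one described above is that it can silently undo a patch you believe is in place. One check worth running after every patch cycle is to record the hashes of the patched files immediately after the OS patch is applied and then re-verify them later, flagging any file whose hash has gone back to a known pre-patch value. The script below is an added example for this post, not code from the original article or from any vendor; the file names, the "build" strings used as file contents and the temporary directory are all constructed stand-ins for a real shared library and its vulnerable and patched builds.

```python
"""Detect a third-party "self repair" reverting OS-patched files.

Added example: the file names and contents below are constructed to
simulate a shared library before and after an OS security patch.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path, names) -> dict:
    """Record the post-patch hash of each file right after the OS patch is applied."""
    return {name: sha256_of(root / name) for name in names}


def check_reversion(root: Path, baseline: dict, known_vulnerable: dict) -> dict:
    """Compare the current state of each file with the post-patch baseline.

    Returns a mapping of file name to one of:
      'ok'       - hash still matches the post-patch baseline
      'reverted' - hash matches a known pre-patch (vulnerable) build
      'changed'  - hash differs from both (investigate: tampering or a newer patch)
      'missing'  - file no longer exists
    """
    results = {}
    for name, expected in baseline.items():
        path = root / name
        if not path.exists():
            results[name] = "missing"
            continue
        current = sha256_of(path)
        if current == expected:
            results[name] = "ok"
        elif current in known_vulnerable.get(name, set()):
            results[name] = "reverted"
        else:
            results[name] = "changed"
    return results


def demo() -> dict:
    """Constructed scenario: a shared DLL is patched by the OS vendor, then a
    third-party application's "self repair" copies its bundled old build back."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        old_build = b"SHAREDLIB build 1.0 (vulnerable)"   # constructed stand-in
        new_build = b"SHAREDLIB build 1.1 (patched)"      # constructed stand-in

        # State before the OS patch: the vulnerable build is installed.
        (root / "shared.dll").write_bytes(old_build)
        (root / "other.dll").write_bytes(b"OTHERLIB 2.0")
        known_vulnerable = {"shared.dll": {hashlib.sha256(old_build).hexdigest()}}

        # OS vendor security patch lands; take the baseline right afterwards.
        (root / "shared.dll").write_bytes(new_build)
        baseline = snapshot(root, ["shared.dll", "other.dll"])

        # Third-party "self repair" silently restores its bundled vulnerable copy.
        (root / "shared.dll").write_bytes(old_build)

        return check_reversion(root, baseline, known_vulnerable)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

On a real host the baseline would be written to disk (or a central store) immediately after the patch window and the check scheduled to run periodically, so that a reversion shows up as an alert rather than being discovered during the next vulnerability scan. Keeping the set of known vulnerable hashes separate from the baseline is what lets the check distinguish a silent rollback from an unrelated change.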

Clearly, the software vendors are not talking to each other, or they just don't care that their applications aren't keeping up with the threats. Either way, these companies are creating more work for IT security staff, and they are putting systems at risk. In Part 2 of my series on investigating false positives and other security anomalies, I discussed just such an instance, where a manually researched and developed fix had to be applied because the software vendor had no intention of fixing its product. This was clearly a case where the vendor did not care that it was injecting vulnerabilities into my environment. Good thing I'm not mentioning who it is here, eh?
