Security impact ratings considered harmful
Authors:
Jeff Arnold,
Tim Abbott,
Waseem Daher,
Gregory Price,
Nelson Elhage,
Geoffrey Thomas,
Anders Kaseorg
Abstract:
In this paper, we question the common practice of assigning security impact ratings to OS updates. Specifically, we present evidence that ranking updates by their perceived security importance, in order to defer applying some updates, exposes systems to significant risk.
We argue that OS vendors and security groups should not focus on security updates to the detriment of other updates, but sho…
▽ More
In this paper, we question the common practice of assigning security impact ratings to OS updates. Specifically, we present evidence that ranking updates by their perceived security importance, in order to defer applying some updates, exposes systems to significant risk.
We argue that OS vendors and security groups should not focus on security updates to the detriment of other updates, but should instead seek update technologies that make it feasible to distribute updates for all disclosed OS bugs in a timely manner.
△ Less
Submitted 26 April, 2009;
originally announced April 2009.