Thursday, April 12, 2012

Just Like Cockroaches, These Bugs Live Forever

http://arstechnica.com/business/news/2012/04/rise-of-ics-forever-day-vulnerabiliities-threaten-critical-infrastructure.ars


This post is a follow-up to my post from last week about bugs in critical infrastructure systems, such as factories and water treatment plants. It turns out that many more systems contain gaping vulnerabilities than just those from the one company that I mentioned last week. It also turns out that, in the case of many of these vulnerabilities, the companies do not intend to have the software patched to make it more secure.


Because the software used in these specific situations is often quite old, companies are simply refusing to have it patched. This means that not only are these security flaws now known, but they are not even going to be fixed. This is a very bad and disturbing trend; whenever any important system has a security flaw, it should not only be patched, but it should be patched quickly.


These never-patched bugs are referred to as "forever day" bugs, because they're never fixed, even when they're known and acknowledged by the software developers responsible for them. These developers usually choose to take the easy way out, and instead of patching their software, just add information in user manuals informing the user how to avoid the threat. This type of laziness should not be tolerated, and in my opinion should not even be legal, especially since this is software that is being used in situations where safety is of the utmost importance.
