Friday, May 30, 2003

Patching in the Air Force

The 28 May SANS NewsBites reported:


Air Force Service Evaluates Patches (19 May 2003)

The Air Force has established the Enterprise Network Operations Support Cell (ENOSC), a software patch service. Patches are tested by the Air Force Computer Emergency Response Team which assesses its effectiveness and assigns it a number indicating its likelihood of interfering with other software. The patch along with that information is placed on the site and administrators can decide if it's an appropriate patch for their systems. ENOSC supports Windows 9x, NT 4.0, 2000 and XP, as well as Exchange Server and Internet Explorer. It also supports Sun Solaris and plans to add Linux and HP-UX.
http://www.gcn.com/22_11/security/22059-1.html


This sounded suspicious to me, as the original article says:


"When a patch comes out for those OSes or applications, the Air Force Computer Emergency Response Team judges its effectiveness—that is, does it in fact fix the problem? A nine-member ENOSC team evaluates the patch’s impact on the OS and on the applications likely to be running under it."


One of my friends at the AFCERT confirmed that the AFCERT is NOT testing patches. The ENOSC performs the testing, while the AFCERT issues compliance orders. The AFCERT is not equipped to test patches, and that is not its primary mission anyway.
