Forever-Day Bugs
That’s a nice turn of phrase:
Forever day is a play on “zero day,” a phrase used to classify vulnerabilities that come under attack before the responsible manufacturer has issued a patch. Also called iDays, or “infinite days” by some researchers, forever days refer to bugs that never get fixed—even when they’re acknowledged by the company that developed the software. In some cases, rather than issuing a patch that plugs the hole, the software maker simply adds advice to user manuals showing how to work around the threat.
The article is about bugs in industrial control systems, many of which don’t have a patching mechanism.
sam • April 17, 2012 1:53 PM
Vendors should always fix security holes in new versions of software for new installations, but as far as patching a live industrial system, there’s a nasty trade-off – industrial control systems are always expensive, and often safety critical, and even though a vendor may have tested the fix in 10,000 different configurations, every installation is different. So you get to choose between vulnerable software (which, if you’re smart, is physically isolated from the internet) or the considerable expense of taking the system offline, installing the new software, hoping that the configurations you created years ago still work in the new version of the software, spending hours or days fixing the configurations that don’t still work, and recommissioning the system one module at a time, testing that the new control software works correctly. And remember, you bought the industrial control system to increase factory productivity and up-time in the first place, so a “patch Tuesday” regime will never be the norm in this field.