Date: 09 December 2011
A couple of weeks ago, I was asked what I wanted for Christmas, anything at all, in an Information Security context.
That particular wish list of mine is rather long, but there was one wish that stood out:
- A humble, impartial, well-designed, all-encompassing, open and extensible package manager for Microsoft Windows.
Yes, I realise that it's a big ask which requires a change of heart, architecture and development methodology; however, attempts already exist in the form of Pkgmgr.exe and DISM. It's fundamentally doable, and worth the effort.
Why?
Many good reasons really, but here's one for starters:
Microsoft does a good job of patching its operating systems and applications monthly, but if you're a non-Microsoft vendor, patching your Windows applications with similar reliability is a real pain. Many vendors opt to bundle their own installer or updater application, adding bloat and another vector that can be attacked.
Essentially, this situation leads to duplicates of the same resources: some applications and libraries get patched while others remain vulnerable, and ultimately the host in question is left in a state of risk.
Imagine this scenario replaced with one central package manager technology that allows vendors to add their own trusted repositories, complementing those supplied by Microsoft. As soon as a patch is available from any vendor and published to their online repository, the host package manager knows about it and applies the patch. No bloat. No duplication. Just bug and security fixes applied.
Let's take this week's U3D memory vulnerability in Adobe Reader and Acrobat (ESB-2011.1199). It could "allow an attacker to take control of the affected system". A patch for this vulnerability should be available by 12 December 2011, and when it's available it should be applied without delay.
Waiting on a user to apply this patch may take a while, depending on their skill level. A package manager could apply it in no time, limiting the window of exposure to exploitation.
Pie in the sky?
This week another PDF viewer, evince, had some patches applied (ESB-2011.1193), and because it lives as a package in a repository, it was updated on countless hosts across the globe thanks to package management technology.
Package managers cannot prevent social engineering, though, and this week AusCERT observed a particularly widespread Australian Tax Office phishing scam (ASB-2011.0109) (SSO-AL2011-030). The malicious sites appeared to target users in multiple ways, with malware infection as well as identity theft.
Enjoy your Christmas shopping this weekend. At least you know what I want :)
Marco