Patch Management


Comments on Patch Tuesday


The second Tuesday of the month is always a busy day for IT and security pros.  That, of course, is the day Microsoft releases their regular security updates.  And this month’s list of advisories reminds me how far we have to go before we get an upper hand on the bad guys who exploit vulnerabilities for a living.  Microsoft, like so many other software vendors, continues to release vulnerable software and we continue to apply patches to fix those vulnerabilities.  All the while, systems are exposed and often get compromised due to this game of reactive patch management.

Microsoft released 5 security advisories today to address 8 vulnerabilities:

  • addresses a vulnerability in JScript (KB 971961)
  • addresses a vulnerability in Microsoft Windows (KB 956844)
  • addresses a vulnerability in Microsoft Windows (KB 973812)
  • addresses a vulnerability in Microsoft Windows (KB 967723)
  • addresses a vulnerability in Microsoft Windows (KB 970710)

The first three patches address vulnerabilities that allow a malicious web site to compromise an unpatched machine simply by browsing the web site.  These drive-by exploits are undoubtedly already set up on rogue web servers, compromising vulnerable systems even as I write this.  Microsoft rated MS09-045 and MS09-047 as critical and MS09-046 as important.

The other two, MS09-048 and MS09-049, are more interesting and potentially more problematic.  Both of these vulnerabilities are rated as important by Microsoft, but I would not be surprised if exploits for these two end up doing more damage than the others.  The reason for this is that both of these patches address vulnerabilities in the network stack and do not require any intervention by the end user for exploitation.  This makes them good candidates for exploitation via a worm, which increases the criticality of these advisories.  Microsoft believes these vulnerabilities are most likely to be exploited via a denial of service attack, as it is difficult to reliably achieve remote code execution.  But denial of service attacks can be very damaging, and it is not inconceivable that someone could write an exploit that can smash the stack, resulting in remote code execution.

Microsoft is not alone in releasing regular security patches and expecting us, the end users, to manage the process of performing the updates.  Apple, Adobe, Red Hat, Sun and every other software vendor does the same thing.  While I understand that software development is a complex endeavor, vendors must get better at implementing security testing and vulnerability analysis into their software development life cycle.  But until they do, keep applying those patches.

Losing the Patching Game

In my last article I wrote about the need to keep systems up-to-date with the latest security patches from software vendors. This includes not only operating system patches, but patches for third party applications as well.  I have only three computers at my home and at times I find it daunting to keep up with all the patches that need to be applied on a regular basis.  And I’m a security professional with many years of system administration experience.  I imagine that the average computer user has neither the time nor the patience for such matters.  He just wants to use his computer and not worry about such mundane tasks as patch management.  Nor should he have to.

Even if we all acted responsibly and diligently scoured all the security web sites for vulnerability information and proactively installed security patches in a timely manner, we still would have systems getting compromised.  This is because the process of patching flawed software is a little like playing a game of whack-a-mole: by the time one patch is released and installed to fix a vulnerability, another vulnerability has been discovered.  And the time between vulnerability notification and exploit release has decreased dramatically over the last few years.  Estimates vary, but it is safe to say that exploits are typically available within days of the announcement of a vulnerability while it often takes weeks for patches to become available.  And this does not even take into account zero-day exploits for which no patch is available.   The end result is a never ending cycle of software updates that most home users can’t possibly manage.  For that matter, most enterprises don’t do a very good job of patch management either.

So what is the solution?  The long term answer is that software vendors need to enforce secure coding practices in their SDLC (software development life cycle).  Right now there is very little financial incentive for them to do so because we have no legal recourse to damages that occur due to vulnerable software.  If this were to change and vendors could be held legally liable for damages resulting from software vulnerabilities, manufacturers would go to much greater lengths to ensure their software was developed with proper controls in place to minimize security vulnerabilities.

In the meantime, keep applying those patches.  Install host-based firewalls and host intrusion prevention software if possible.  And vote with your pocketbook by patronizing companies with good track records of writing secure code while rejecting those that do not.

The Patching Game

A new study released last week by the SANS Institute’s Internet Storm Center found that an unpatched computer running Windows XP will be compromised in under 5 minutes if directly connected to the Internet. German PhD candidate and co-founder of the German Honeynet Project, Thorsten Holz, found during his tests that it takes closer to 16 hours for an unpatched PC running Windows to be compromised. In either case, this is bad news.

One could argue with their methodologies and in fact, the conclusions aren’t all that surprising given the configuration of the PCs. First, the PCs were installed with Windows XP without any service packs or security updates. That basically makes the system equivalent to a system installed in 2001 since that is when Windows XP was first released. During the past 7 years numerous worms have been written that take advantage of the vulnerabilities in Windows XP including Sasser, Bagle and Blaster just to name a few. There is little doubt that it is one of these worms that is compromising unpatched systems.

The second issue contributing to the quick compromise of the systems in this study is the fact that they are directly connected to the Internet. This means there is no firewall in front of them to protect them from the worm attacks. This certainly is rare in corporate environments and even in many homes. Nearly all companies use firewalls today as do many home users. Doing so provides a level of protection from infected hosts attempting to worm their way into other vulnerable systems.

It seems clear that patching is an absolute necessity in today’s world. If managing an enterprise network, use patch management tools to keep the systems patched. Home users should take advantage of Windows Automatic Update. Enabling this feature will ensure the PC downloads the latest operating system security patches when they are released and will help keep them safe from many of the threats on the Internet today. But don’t stop there: every application installed on the computer must also be kept up-to-date on patches, because vulnerabilities in third party applications can also lead to system compromise. This includes applications such as Adobe Acrobat Reader, Microsoft Office, Java, IM clients, Skype, and any other software installed on the machine. The attackers are frequently targeting these applications as vulnerabilities in Windows are getting harder to find and even harder to exploit.
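The advice above, as an added example that is not part of the original post: a PowerShell check of a Windows host's patch posture through the Windows Update Agent COM API, showing whether Automatic Updates is set to install on a schedule and which security updates are still missing. Microsoft.Update.AutoUpdate and Microsoft.Update.Session are the real COM objects; the severity ordering and the exit code used to gate a monitoring check are choices made here, not part of the API.

```powershell
# Added example (not from the original post): audit Automatic Updates and
# list missing updates via the Windows Update Agent COM API.
# Assumes: run locally with administrative rights, and the host can reach
# Windows Update or a WSUS server. Output values are illustrative only.

# 1. Is Automatic Updates switched on, and at what level?
$au = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
$levels = @{
    0 = 'Not configured'
    1 = 'Disabled'
    2 = 'Notify before download'
    3 = 'Notify before install'
    4 = 'Scheduled installation'
}
$level = $au.Settings.NotificationLevel
Write-Host ("Automatic Updates: {0}" -f $levels[$level])
if ($level -lt 4) {
    Write-Warning 'Automatic Updates is not set to install on a schedule.'
}

# 2. Which updates are applicable but not yet installed? (The search can
#    take several minutes on a host that has not synced recently.)
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

$missing = foreach ($u in $result.Updates) {
    [pscustomobject]@{
        KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Severity = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'n/a' }
        Title    = $u.Title
    }
}

# Critical and Important first: those are the ones worms and drive-bys use.
$missing | Sort-Object @{Expression = {
    switch ($_.Severity) { 'Critical' { 0 } 'Important' { 1 } default { 2 } } }} |
    Format-Table -AutoSize

# 3. When did the update history last record any activity?
$hist = $searcher.QueryHistory(0, 1)
if ($hist.Count -gt 0) {
    Write-Host ("Last update activity: {0} - {1}" -f $hist.Item(0).Date, $hist.Item(0).Title)
}

# Non-zero exit so a login script or monitoring job can flag the host.
$urgent = @($missing | Where-Object { $_.Severity -in 'Critical', 'Important' })
if ($urgent.Count -gt 0) { exit 1 }
```

This covers only what Windows Update tracks; third party applications such as Adobe Reader or Java need their own update checks.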

Sounds like a lot of work, doesn’t it? Well, it is. And in my next article I will discuss why this model of patch and pray is flawed.

Copyright © 2011 InfoSecStuff.com — All Rights Reserved