fudsec.com

Showcasing Fear, Uncertainty and Doubt from the Information Security Industry 
« Back to blog
Viewed 6295 times
Favorited 0 times
November 6, 2009

I'm Calling Bullshit

Sometimes you just have to tell it like it is.  And this week, the man that puts the "Paul" in "PaulDotCom" does precisely that.  From system administrators whining, to defense in depth, this invited guest post challenges some common assumptions and provides an actionable response.  Thanks Paul!

By Paul Asadoorian

Microsoft patch Tuesday, or "Black Tuesday" as it is referred to as, has been around for some time.  At first it seemed like a good thing, with all these patches coming out it gave people time to plan accordingly and get them installed in their environment.  I firmly believe it was a knee-jerk reaction that has plagued us since 2001-2003 when "worms" and network-based vulnerabilities were being exploited on a regular basis.  The time has come to react more quickly to the wide variety of threats posing organizations infrastructure, and have the flexibility to apply patches as they come out, not just once a month.

I remember it fondly as I worked for a University at the time patch Tuesday was being dreamed up.  It was a time in a land where XP firewalls did not exist, nobody blocked the NetBIOS ports from the Internet, and the term "automatic updates" was something that did not exist.  Machines were getting compromised faster than they could be rebuilt, in fact many became compromised WHILE they were being re-built.  At some point, someone hit Microsoft with a clue bat and they began coming out with patches, lots and lots of patches.  Before you know it systems administrators were overwhelmed with patch installations, and were not armed with the appropriate tools to handle the patches.  So they do what some systems administrators do best, they bitch.  I have to admit, when I was a systems administrator, I did my share of bitching.  Its that kind of job, somewhat thankless, so bitching came with the territory.  But in this situation, it caused Microsoft to take a step back and think about how they release patches.  Then, Patch Tuesday was born (along with exploit Wednesday).  This meant Microsoft was now holding back patches, saving them up for one release!  While I started to grow hatred for this method, systems administrators did less bitching, which makes everyone's lives easier.  Another factor that played heavily into the decision to release regular patches was desktop management.  Very large corporations with 10s of thousands of desktops incurred costs when applying patches.  Each of these desktops, and servers, needed to be rebooted in order for the patches to apply!  This adds an economic factor to the equation, meaning is costs money for organizations to apply patches.

Times have changed and its time to evolve.  The regular patch release schedule got us over a hump and got systems administrators in a grove of applying patches. However, Imagine this situation:  

There are terrible viruses running around in the real world (like ones that infect you as a person, not your computer).  Your doctor is getting the vaccinations as soon as they are available.  However, its left to your doctor to determine when they are applied.  So to make things easy for everyone, vaccinations are done on the second Tuesday of every month.  In the mean time, you and your family (are users like children?) are vulnerable to the virus, some of which can be fatal, and others that are not so bad.

Let me ask you this: if it was your family, how would you feel about vaccinations that only come out on the second Tuesday of every month?

You should be equally as outraged about patch Tuesday, and here are some things you can do about it:

Set your own patch schedule

This is something I have been preaching for some time.  As an organization you need to evaluate the threats against your business, and prioritize the defensive measures you implement (if any).  You should not have to wait for an third party to release patches, they should be applied according to your own priorities.  Security is about evaluating risk and I can assure you that you can do a better job than Microsoft of evaluating risk for your organization.  

Define your own threat level

The other aspect of security that Microsoft believes they have covered for you is determining the criticality of each bulletin (which can contain multiple vulnerabilities, which doesn't help!).  What is deemed "critical" by Microsoft may not be as critical to your organization.  Evaluate each vulnerability, not just the bulletin, and think about the impact it has on YOUR organization, not the rest of Microsoft's customers.  Home users, small businesses, governments, health care, universities, they all use Microsoft products in some capacity, do they all treat threats the same way?  Hell no, and neither should you.  Define what "critical" means to your business, and that means reading each of the security bulletins when they are released, in detail.  So, on the second Tuesday of every month, get a bigger cup of coffee, sit down, relax, and enjoy the ride.

Conclusion

Dumb Questions: Is it "wormable"? Is there "public exploit" code available?

The real question you should be asking: "How does this impact our business?".  

Lets get one thing clear, evil bad guys have exploits.  They have exploits for stuff we don't know about yet.  When a patch is released, its too late. Shortly after a patch is released, its really too late.  So patching needs to be built right into your operations and balanced with your business plan.  Don't get caught up in the hype around "remote exploits", "wormable", and all that crap, take matters into your own hands, at least as much as Microsoft lets us. The game is risk mitigation, not patching.  But we can't rely on MS to provide reasonable, workable, mitigants to many of their bugs based on track record.

Loading mentions Retweet

Comments (5)

Nov 09, 2009
johnmccash2 said...
OK... You make excellent points, but I've got to make one other one... Diseases don't wait for vaccinations to be issued, and then reverse engineer them to discover new ways to infect. Many enterprise environments are stuck with only being able to update on a scheduled basis for anything but the most dire vulnerability. To their credit (I can't believe I'm complimenting Microsoft!) they will put out an out of cycle patch for things that they believe might be 'fatal'. If Microsoft dumps patch Tuesday by the wayside, and just starts pushing out patches any old time, the result will be that black-hats out there will start (or more properly, continue) reverse engineering them the minute they're released. On average, this will result in the availability of substantially more in the way of working exploits by the time those stuck on a monthly patch cycle can catch up. You can make the argument that the monthly patch cycle is a concept well past due for retirement, but the same can be said for passwords...
Nov 09, 2009
Paul Asadoorian said...
johnmcash2 - you make an excellent point! I did leave out one of the benefits of the patch cycle, and I can't dispute it. Attackers will reverse engineer patches and come up with exploits sooner. This may be true for some patches, but certain vulnerabilities are patched because MS found it being exploited in the wild. For those patches I believe MS should release ASAP (and in some cases they do). Thanks for the feedback!

Cheers,
Paul

Nov 10, 2009
Eric said...
Most organizations don't have a daily change control meeting. Ours is weekly, and many companies have them even less frequently. If Microsoft releases a patch on Friday, either I give the attackers a 4-5 day head start, or I try and get management to approve emergency patches and my weekend goes down the tubes. As it is now, I can start patching (my test systems) the day the patches are released.

Home users? Their computers are set, by default, to install patches at 3am Wednesday. Again, if Microsoft releases a patch at 3pm Wednesday, that gives attackers a 160 hours to exploit before most systems gets patched.

So what if Microsoft released patches every Tuesday? Well, it takes me about 2 weeks to patch all my systems, so this would mean that I would never be done patching. Every day, and every night, I'd be installing some sort of patch.

And sorry, but the answer to "how does this affect my business?" is that the PCI-DSS section 6.1 states that my company must install critical security patches within one month of release. There's not a whole lot of leeway there.

Nov 11, 2009
Paul Asadoorian said...
"Home users? Their computers are set, by default, to install patches at 3am Wednesday. Again, if Microsoft releases a patch at 3pm Wednesday, that gives attackers a 160 hours to exploit before most systems gets patched."

Home users don't have thousands of desktops in their home, why should they have to wait for a patch to the browser that is already being exploited in the wild? Home users should get patches as they come out, especially "critical" ones that are already being exploited.

"So what if Microsoft released patches every Tuesday? Well, it takes me about 2 weeks to patch all my systems, so this would mean that I would never be done patching. Every day, and every night, I'd be installing some sort of patch."

If MS released patches every Tuesday you could tune your own patch management strategy to fit the needs of your organization. Sure, some patches would not be applied right away, some would. The point is you would have a CHOICE.

"And sorry, but the answer to "how does this affect my business?" is that the PCI-DSS section 6.1 states that my company must install critical security patches within one month of release. There's not a whole lot of leeway there."

And herein lies my greatest fear: letting Microsoft and PCI dictate how we implement security and risk management in our organizations.

Cheers,
Paul

Nov 14, 2009
pensource said...
A responsible environment administrator organizes chaos.

- Identify your mission critical applications.
- Identify test teams for your mission critical applications.
- Identify regression test scripts for your mission critical applications.

The Microsoft "patch Tuesday" design gives the environment administrator the ability to have staff available to test patches against mission critical applications and deploy security patches in a timely fashion.

The notion that Microsoft has removed choices by clustering releases is spurious. With patches released at scheduled intervals, you have the option to plan staff availability. When patches are released at Irregular intervals, you cannot plan to have staff available. You cannot chose to plan.

Leave a comment...

 
Got an account with one of these? Login here, or just enter your comment below.
Posterous-login    twitter