Home > Vulnerability Assessment / Vulnerability Management > People Positing Pooh-Poohing Pre-emptive Patching Practices Please Provide Practical Proof…

People Positing Pooh-Poohing Pre-emptive Patching Practices Please Provide Practical Proof…

Microsoft
I was reading Rothman’s latest post on Security Incite regarding patching
and I am left a little confused about his position. Despite his estimation of a high score on the
“boredometer scale” as it relates to the media’s handling of the patching
frenzy ( I *do* agree with that,) I think he’s a little sideways on the issue. At least now we can say that we don’t always
agree.

Mike writes:

I
hate Patch Tuesday. It’s become more of a media circus that anything useful
nowadays. So instead of focusing on what needs to be done, most security
administrators need to focus on what needs to be patched. Or not. And that
takes up more time because in reality, existing defenses reduce (if not
eliminate) the impact of many of the vulnerabilities being patched. Maybe it’s
just my ADD showing, in that these discussions are just not interesting
anymore. If you do the right stuff, then there shouldn’t be this crazy urgency
to patch – you are protected via other defenses. But the lemmings need
something to write about, so there you have it.

One lemming, reporting for duty, sir!

Specifically, Mike’s opinion seems to suggest that basically people who “…do
the right stuff” don’t need to patch because “…in reality, existing defenses
reduce (if not eliminate) the impact of many of the vulnerabilities being
patched.”

Since Mike’s always the champion of the little people, I’ll refer him to the
fact that perhaps not everyone has all the “…existing defenses” to rely upon –
or better yet, keep them up to date (you know, sort of like patching – but for security appliances!)  In fact, I’m going to argue
that despite everyone’s best efforts, currently stealthy little zero-day Trojan
buggery does a damn good job of getting through these defenses, despite the vendor hype
to the contrary.

Emerging technology will make these sorts of vulnerabilities less
susceptible to exploit, but that’s going to mean a whole lot of evolution on
the part of both the network and the host layer security solutions; there are a LOT of solutions out there now and not ONE of them actually works well in the real world.

I still
maintain that relying on the hosts (the things you are protecting – and worried
about) to auto-ameliorate is a dumb idea.  It’s akin to why I think we’re going to have
to spend just as much time defending the “self-defending network” than we do
today with our poorly-defended ones.

I’m going to tippytoe out on the ledge here because I have a feeling that my
response to Mike’s enormous generalization will leave him with just as huge of a hole to bury
me in, but so be it.  I think he was in a hurry to go on vacation, so please cut him some slack! ;)

Specifically, many of the latest critical vulnerabilities were released to
counter exploits targeted at generic desktop applications such as Excel, Powerpoint
and Internet Explorer; things that users rely on everyday to perform their job
duties at work. 

You don’t have to click
on links or open attachments for these beauties to blow up, you just open a
document from “your” IT department over the "trusted" network drive map that was infected by a rogue scanning worm
which deposited Trojans across your enterprise and BOOM! No such thing as “trust but verify” in the
real world, I’m afraid. 

By the way, this little beauty came into your network through a USB drive that someone used to bring their work from home back to the office…sound familiar?

Yep, we can close that hole down with more layers of security software — or better yet, epoxy the USB slots closed! ;)

OK, OK, I’m generalizing, too.  I know it, but everyone else does it …

I don’t know what the “right stuff” is, but if it includes using the
Internet, Word, Powerpoint or Excel, short of additional layers of host-based
security, it’s going to be difficult to defend against those sorts of
vulnerabilities without some form of patching (in combination with reasonable amounts of security — driven by RISK.)

Suggesting that people will do the right thing is noble – laughable, but
noble. 

I’ve heard the CTO’s from several security companies during talks at
computer security tradeshows brag that they don’t use AV on their desktop
computers, always “do the right thing(s),” and have never been compromised.

I think that’s a swell idea – a little contradictory and stupid if you sell
AV software – but swell nonetheless.  I
wish I was as attentive as these guys, but sometimes doing the right thing
means you actually have to know the difference between “right” and “wrong” as
it relates to the inner workings of rootkit installations.   If these experts don’t do the "right thing" based upon
what we hear every day (patch your systems, keep your AV up to date,
run anti-spyware, etc…) what makes you think Aunty Em is going to
listen?

I’ll admit, I know a thing or two about computers and security.  I try to do the “right thing” and I’ve been
lucky in that I have never had any desktop machine I’ve owned compromised.  But it takes lots of technology, work,
diligence, discipline, knowledge and common sense.  That’s a lot of layers. Rot Roh.

Changing gears a little…

It gets even more interesting when we see statistics that uncover that fact
that 1 out of 4 Microsoft flaws are discovered by vulnerability bounty hunters –
professionals paid to discover flaws! That
means we’re going to see more and more of these vulnerabilities discovered
because it’s good for business. Then
will come the immediate exploits and the immediate patches.

Speaking of which, now that Microsoft is at the “Forefront” of the security
space with their desktop security offerings, they will get to charge you for a
product that protects against vulnerabilities in the operating system that you
purchased – from them! Sweet! That is one bad-ass business model.

We’re going to have to keep patching.  Get over it.

/Chris

  1. June 18th, 2006 at 21:27 | #1

    Chris- I love the Iraqi guy with the Microsoft logo. On a serious note, with Mike R away , I am going to say that I think he meant, that he is just bored about reading about Patch Tuesday, but I am sure he realizes that these mundane , day in and day out tasks are the glue that keeps our layered security models in place. If he doesn't feel that way, I certainly do!

  2. June 19th, 2006 at 05:58 | #2

    Gone, but not forgotten evidently. Yes, I was in a bit of a rush to spend 14 hours in the car with my screaming kids, so go figure.
    In terms of the post, let me be clear that patching is important. I am in no way shape or form saying you don't need to patch because I'm bored with the hype around each month's Patch Tuesday escpades. But you want to get to a point where you patch when YOU are ready to patch, not because it's Patch Tuesday.
    And the "right stuff" depends on who you are and what you need to do. The only thing I hate more that Patch Tuesday is someone who says they can generalize security over a mass market. But if someone has adequate alternative defenses in place, then they should be able to wait a day or two (or 5 if that's what they want to do) to patch their systems.
    And anyone that doesn't use AV on a Windows PC is just stupid. Sure you can do it, but folks that play with live grenades more often than not lose an appendage or two. AV may not prevent a zero-day, but they are pretty good at getting something out within 24 hours.
    And no Chris, you didn't dig that big of a hole. But I've got sunscreen to apply, so I'll let you off the hook this time.

  1. No trackbacks yet.