
Will monthly patch cycles survive the year?

Microsoft's regularly scheduled (once a month) security updates have received a great deal of criticism in the security community. The practice delays (in theory up to a month) the rollout of vital Windows patches and leaves customers exposed to worms, viruses, adware, spyware and outright hacking for more calendar days than the previous ad-hoc rollout of patches (i.e. as soon as they were ready). In today's world, where exploit code and worms show up within hours or days, these delays can be devastating.

The monthly patch strategy has probably helped Microsoft with one key metric -- reducing the number of headlines per month about the latest vulnerability. In the months before Microsoft changed from ad-hoc security patch releases to a monthly schedule, negative security headlines were appearing almost daily. These headlines had begun percolating into the public unconscious, contributing generally to a vague but increasingly common perception that Windows is "insecure". Even though most people don't know what that means, if you stop random folk on the street and ask about Windows, a significant percentage will tell you Windows is insecure. (RocketBoom did this recently when they asked, Internet Explorer or Firefox?) That torrent of negative headlines was perceived in Redmond as creating potential switchers (to Macintosh or to Linux) not among the unwashed masses, but where it counts -- the corporations on whom Microsoft has had a mind lock for more than a full decade now. The rapid growth of a tumor on the Achilles heel of Windows may have contributed to the change in release policy, but that doesn't mean the change itself is entirely bad. By introducing some regularity into the patching lifecycle of Windows, Microsoft may have given IT shops everywhere the lever they needed to convince management to dedicate more resources to patching Windows, and to realize the true (substantial) expense involved.
Regular monthly updates have also forced the IT community -- vendors and customers alike -- to get better at patching Windows systems. Prior to this regular and predictable delivery, most companies were still in serious denial about the need to rapidly deploy patches. They were typically going through painful gyrations to determine whether every single patch applied to them or not, whether they could skip deploying it, etc., in a futile effort to contain workload. They tended to lump the patches themselves into deliveries a few times each year. Now the regular delivery of dozens of patches at once, each month, has forced them to come to grips with a more or less non-stop patch deployment process. It can still take many days or weeks to deploy patches in a typical medium-sized enterprise (say, one with more than 10,000 nodes), but that's down significantly from many months. Other vendors have been delivering patches in this regularly scheduled way, too, notably Oracle, which has also been criticized by customers for untimely patch delivery (and poor documentation of patches).

Despite this little ray of sunshine, it's been looking like the monthly patch cycle won't remain viable. Vendors will soon see their customers demanding weekly patch cycles, at least. What will drive this? The Patch Gap is too large in the era of the botnet and the zero-day worm, driven by organized crime and state-sponsored espionage. The problem with regular patch cycles is that vendors and customers are both hoping that certain vulnerabilities have not yet been discovered by the cracker underground. Given the large number of vulnerabilities discovered each month, and the long period of time in which those vulnerabilities existed in widely deployed software (often years), it's almost certain that this hope is in vain. Crackers certainly know about some of these defects, and know how to exploit them, sometimes years before the script kiddies find them.
Evidence is mounting that some cracker groups are well funded, probably state or corporation sponsored. Most recently a few stories have appeared which suggest that several well-organized attacks have been traced back to China, where state sponsorship is suspected and industrial and governmental espionage is the motivation. Organized crime and state-sponsored internet espionage rings can and do use the same techniques to explore production software for defects in a laboratory environment. The bad guys have the same debuggers, virtual machines, compilers, sniffers, Nessus plugins and documentation that are available to security researchers. The main difference is that the good guys often do this kind of research on a shoestring budget in their spare time, whereas the bad guys are increasingly making a full-time job of it.

The continual flood of high-profile, high-damage, automated exploitation of widely known and even long-patched defects which the script kiddies generate strains the security response infrastructure (trained admin and security staff, developers, testers, etc.). The enormous workload from the thousands of new viruses, worms, trojans, adware, spyware and keystroke loggers, combined with the endless stream of botnet attacks, makes it more difficult for the industry to assess the real exposure to low-profile cracking created by the industry practice of delayed (regularly scheduled) patch delivery. Microsoft, Oracle, and other vendors will be under increasing pressure to shorten their patch cycles as the organized nature of botnet attacks becomes more apparent to their customers.


