Microsoft's patches: Can you trust them?

News Analysis: Instead of spending time and money implementing every patch that Microsoft releases, stick to the service packs and bolster your security policy, say experts
Written by Munir Kotadia, Contributor

To survive the next Slammer-like virus attack, updating applications and operating systems with every patch that Microsoft releases is the worst thing any business can do, according to advice from security experts and industry analysts.

Advice being given to companies is that they should avoid installing individual patches released by the software giant, and only deploy service packs once they have been through a rigorous internal testing procedure. The move is a further indication that Microsoft's Trustworthy Computing initiative, which is supposed to increase the company's reputation as a reliable software developer, is not being taken seriously by the industry.

Pierre Noel, security strategist at security company TruSecure International, said that if customers followed Microsoft's patching instructions earlier this year, they were left vulnerable to the Slammer virus. However, if they had only installed the service packs and ignored the various individual patches and hot fixes, they would have been safe.

"Microsoft released a number of patches for its SQL server over a period of 12 months. The first few had protection against the vulnerability, but the last patch -- which was one month before Slammer was released -- was intended to fix another problem, but it reopened the SQL server vulnerability," said Noel.

James Governor, principal analyst at RedMonk, agreed: "That is true. Unfortunate but true."

Stuart Okin, chief security officer at Microsoft UK, denies that companies are leaving themselves vulnerable by following Microsoft security policy. He said: "We brought out a patch six months before; however, we also brought out a couple of hot fixes that the patch required a little bit later on."

Governor warns that users should be careful about the different types of updates and fixes released by Microsoft. "There was a screw-up, but it should be understood there is a difference between patches, security patches, and quick fix enhancements (QFE)." He notes that a QFE is designed to solve a specific customer problem and is not designed for everyone. "We would not advise organisations to deploy every QFE."

But Noel goes one step further and advises his customers to avoid individual patches altogether, and instead rely on service packs combined with a commonsense approach to IT security, which he believes is not only cheaper and less time consuming, but more effective. "When asked about security, companies usually say: 'It's ok, we will be safe because we'll install all the patches.' But it is an extremely expensive operation and before you install a patch, you have to make sure it is compatible with your existing applications," said Noel.

Noel has three simple pieces of advice that he believes will increase an enterprise's security up to 85 percent, without having to spend a penny. "Patching is the last thing our customers should do. Instead, a combination of small solutions will each reduce your risks by 20 or 30 percent. A combination of these can provide an 80 or 85 percent effectiveness," he said.

First, said Noel, 70 percent of internal attacks happen because users log into their corporate network and then leave their terminal unattended: "You could have the strongest authentication system available, but in this case, it is left useless," said Noel, who recommends activating a password-controlled screensaver to avoid the problem completely: "The risk is virtually removed and the solution is simple, free and easy to manage."
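The screensaver lock Noel recommends is a per-user Windows setting, and the useful part for a defender is being able to audit whether it is actually in force across a fleet. The script below is an added example, not from the article or from TruSecure: it reads the well-known per-user values under HKCU:\Control Panel\Desktop (ScreenSaveActive, ScreenSaverIsSecure, ScreenSaveTimeOut), reports whether the current user is compliant, and optionally enforces the setting. The 600-second idle target and the -Enforce switch are assumptions for the example.

```powershell
# Added example (not part of the original article): audit, and optionally
# enforce, a password-protected screensaver for the current user.
# Assumption: local policy wants a lock within 10 minutes (600 s) of idle time.
param([switch]$Enforce)

$DesktopKey  = 'HKCU:\Control Panel\Desktop'
$MaxIdleSecs = 600   # assumed policy target

function Get-ScreenLockState {
    # Read the three per-user values; missing values read as "not set".
    $p = Get-ItemProperty -Path $DesktopKey -ErrorAction SilentlyContinue
    $timeout = 0
    [void][int]::TryParse([string]$p.ScreenSaveTimeOut, [ref]$timeout)
    [pscustomobject]@{
        Active  = ($p.ScreenSaveActive    -eq '1')   # screensaver turned on
        Secure  = ($p.ScreenSaverIsSecure -eq '1')   # password required on resume
        Timeout = $timeout                            # idle seconds before it starts
    }
}

function Test-ScreenLockCompliant {
    param([pscustomobject]$State)
    # Compliant only if the saver is on, requires a password, and fires
    # within the policy window (a timeout of 0 means it never starts).
    return ($State.Active -and $State.Secure -and
            $State.Timeout -gt 0 -and $State.Timeout -le $MaxIdleSecs)
}

function Set-ScreenLock {
    # Bring the current user into line with the assumed policy.
    Set-ItemProperty -Path $DesktopKey -Name ScreenSaveActive    -Value '1'
    Set-ItemProperty -Path $DesktopKey -Name ScreenSaverIsSecure -Value '1'
    Set-ItemProperty -Path $DesktopKey -Name ScreenSaveTimeOut   -Value "$MaxIdleSecs"
}

$state = Get-ScreenLockState
if (Test-ScreenLockCompliant $state) {
    Write-Output "OK: screen lock enforced (timeout $($state.Timeout)s)"
} else {
    Write-Output "NOT COMPLIANT: $($state | ConvertTo-Json -Compress)"
    if ($Enforce) {
        Set-ScreenLock
        Write-Output "Enforced: screensaver on, password required, timeout $MaxIdleSecs s"
    }
}
```

Run it without arguments to audit, or with -Enforce to correct the current user. In a domain, the durable way to apply this is the Group Policy screensaver settings rather than a per-user script, but the registry values above are what a local check or an endpoint agent reads to verify that the policy actually landed on a given machine.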

Second, time should be spent on ensuring that network routers and switches are configured correctly. According to Noel, Cisco routers by default are set to block requests from the Internet unless they have been explicitly authorised. The problem is that because of "laziness", the majority of routers have their default settings changed, which creates vulnerability: "We discovered that only 8 percent of routers are set to deny uninvited requests. When they are changed back to the default setting, the system is 47 times more resistant to a typical attack," said Noel.

Specifically talking about protection from Slammer-like viruses, Noel said a simple addition to corporate security policy would have reduced Slammer's ability to infect intranets. Noel said: "Laptops should only be connected to the internal network -- via a VPN or directly -- after a reboot," which he explained would reduce infections by 50 percent because many viruses, including Slammer, are small and reside in memory. When a laptop is rebooted, the memory is cleared, but if it is put into sleep mode or hibernation, the memory is saved to disk. "As soon as the laptop was resumed, Slammer woke up and propagated into the company intranet, resulting in a denial of service attack."

"It is not rocket science, but it works," he added.

Governor said companies not only need to strengthen their patch testing regime before deployment, but they should have a method of "rolling back" in case anything has been missed: "It really emphasises the need for strong processes and tools to support software change and configuration management," he said.

But Governor was keen to point out that it is not just Microsoft patches that companies have to worry about: "Let's not forget that Solaris has had multiple patches this year, as have the various Linux distributors. Red Hat, for example, recently released patches for Samba vulnerabilities."

The bottom line, according to Governor, is that not all patches are equal. "Users, not vendors, need to decide when and why a patch should be deployed. If it's a QFE don't deploy it unless you understand what it is, what it does, and are aware that Microsoft may not yet have put the code through product-level testing," he added.

Under pressure from its customers and partners, and seeing its Trustworthy Computing initiative about to go down in flames, Microsoft has admitted there is "an issue" with its patching system and is going to resolve the problems by combining all its patching mechanisms together. "We know it is a complex process and accept the fact that there was an issue," said Okin, who described Microsoft's vision of the patch management process in 2005: "Within 12 to 18 months we will move to a couple of baseline installers -- probably Windows and MSI -- so we can have a single update source. There will probably be something called Microsoft Update which does all of the applications as well as Windows and Office," he added.
