MoMusings

Thursday 23rd February, 2006


Patch Me Up!

Filed under: All, Malware, Exploits, Tools

According to a new survey, ‘Two-thirds of U.K. businesses fail to patch’ their Windows desktops and servers. An older survey found ‘Patch Management An Ongoing Challenge For Many Companies’, with ‘only about one in five completely ready for the next virus attack’. Why is this a problem?

Well, read on, and all will hopefully be made clear:

Over the last few years, the window between a vulnerability being announced and malware exploiting it has shrunk from years to months, then weeks, and now often just a few days[1]. This area needs to be addressed in the fight against malware and spyware, because many of them use known vulnerabilities [which have patches available] to gain access to vulnerable systems.

Some of these vulnerabilities may be exploited when you visit a website hosting exploit code that your system is not yet patched against. These are commonly called ‘drive-by downloads’ or ‘drive-by infections’. In most attacks of this type, such as those using the WMF vulnerability, you may not even be aware that your computer has become infected. There is no warning, no download prompt, nothing to tip you off that something nasty and underhand has taken place during your visit to the site.


So, what can you do?
For home systems and those not already managed via third-party or in-house patch management tools, you should at the very least ensure that all Windows systems are set to automatically check the Windows Update website at least once a week. If your systems run Windows 2000, 2003 or XP, make sure you enable the Windows Update service via Automatic Updates. This will ensure that updates are automatically downloaded and installed on those systems.

If you or your customers prefer to control when Windows updates are deployed across their networks, then you could use the Microsoft Software Update Server [SUS].

Here is some data on SUS from the Microsoft site:

SUS is a version of Windows Update designed for organizations that want to approve each software update before installing them. SUS allows administrators to quickly and easily deploy Windows related security updates and critical updates to any computer running Windows 2000, Windows XP Professional, or Windows Server 2003 systems. SUS includes the following capabilities:

  • Software updates can be approved on each SUS server, enabling testing in a separate environment as well as phased deployments across an enterprise.
  • SUS clients, which are the same as the Automatic Update component described earlier, can be configured to download software updates from the SUS server (saving bandwidth on shared Internet connections), or directly from Windows Update.
  • Software updates can also be copied onto a CD-ROM from an SUS server connected to the Internet, and then transferred to SUS server in a protected network with no Internet access.

SUS servers require Windows 2000 Server or Windows Server 2003, IIS, and port 80 communications with SUS clients. SUS servers can be configured to synchronize software update packages and approvals either manually or automatically from a parent SUS server (or from Windows Update), enabling flexibility in how the environment is maintained.
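To check that a client actually follows the advice above (Automatic Updates enabled, updates installed automatically, and an update server named where SUS is in use), the policy values can be audited as below. This is an added example, not code from the original post or from Microsoft; the registry value names are the documented Windows Update policy settings, while the function names and the sample server URL are hypothetical.

```powershell
# Added example: audit Automatic Updates policy values.
# Policy location: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (and its AU subkey).

function Get-AutoUpdatePolicy {
    # Read both policy keys into one hashtable (value name -> data).
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $policy = @{}
    foreach ($key in $base, "$base\AU") {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props) {
            foreach ($p in $props.PSObject.Properties) { $policy[$p.Name] = $p.Value }
        }
    }
    return $policy
}

function Test-AutoUpdatePolicy {
    param([hashtable]$Policy)
    $findings = @()

    # NoAutoUpdate=1 switches Automatic Updates off entirely.
    if ($Policy['NoAutoUpdate'] -eq 1) {
        $findings += 'NoAutoUpdate=1, so Automatic Updates is turned off.'
    }

    # AUOptions: 2 = notify only, 3 = download and notify, 4 = download and install on a schedule.
    $au = $Policy['AUOptions']
    if ($null -eq $au) {
        $findings += 'AUOptions is not set by policy; check the local Automatic Updates setting.'
    } elseif ($au -ne 4) {
        $findings += "AUOptions=$au is not 4, so updates are not installed automatically."
    }

    # UseWUServer=1 sends the client to the SUS server named in WUServer instead of Windows Update.
    if ($Policy['UseWUServer'] -eq 1 -and -not $Policy['WUServer']) {
        $findings += 'UseWUServer=1 but no WUServer is configured.'
    }
    return $findings
}

# Constructed sample: a client pointed at an internal SUS server but left on "download and notify".
$sample = @{ NoAutoUpdate = 0; AUOptions = 3; UseWUServer = 1; WUServer = 'http://sus.example.internal' }
Test-AutoUpdatePolicy -Policy $sample

# On a live Windows system, audit the real policy instead:
# Test-AutoUpdatePolicy -Policy (Get-AutoUpdatePolicy)
```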

There are lots of other third-party patch management systems available, and some companies create their own instead of using off-the-shelf patch management tools.

Below are links to articles covering other solutions:

[1] A number of malware samples have used so-called ‘zero-day’ exploits. In this case there is no patch from the vendor to fix the hole in the operating system or application, and other mitigation techniques are required to partially, or ideally completely, manage the situation until a patch becomes available. An example is the WMF exploit that surfaced in December 2005 but was not patched by Microsoft until January 2006.

And now for something completely different, but related:
I have blogged about rootkits previously, but I came across a new one recently that I’d never heard of before.

The difference is that this one is not a piece of malicious software; it is actually a band named ‘Root Kit’ from Sydney, Australia. The fun thing is that they have just released a music video cheekily called ‘Patch Me Up’, hence the title of this entry, and it has lots of security buzzwords in it. Normally I’d just ignore such trivia; however, the video is quite good and the song is catchy. There are a few comedy moments in there too.

Let me know what you think of it.

Oh, you want a link to it? No problem, here you go, via Google: http://video.google.com/videoplay?docid=9151435244001559688

If you prefer to download it, you can via this link: http://www.rootkitonline.com/NetNuke/Download/tabid/55/Default.aspx

