Patch 22, eh, make that Catch 22

From: Ernst Lopes Cardozo (e.lopes.cardozo_at_ARANEA.NL)
Date: 09/19/03

  • Next message: Aaron C. Newman: "AppSecInc Security Alert: Denial of Service Vulnerability in DB2 Discovery Service"
    Date:         Fri, 19 Sep 2003 01:15:53 +0200

    How to patch 30,000 machines.

    Inspired by Exibar's message: "Better way to perform Microsoft security

    I'm not so sure there is a solution. I see a lot of seriously conflicting

    We want something that does not require Admin rights on every station; But
    do we really want a mechanism that can install software on a remote machine
    WITHOUT requiring admin rights? How can we be sure that what gets installed
    is goodware?

    We don't want an intelligent bulky client on every workstation (a-la SMS).
    But we need an agent that is clever enough to know what to patch, when to
    patch and what patches to accept and from whom.

    We don't want the patching to rely on the cooperation of the user. As
    admins, we want the user out of the loop. Most users, that is. Do YOU want
    your machine patched without you knowing and approving it? Any time of the
    day or night? Does that software developer, software Q/A checker, missile
    launcher, military combatant, want that? So we need at least two classes of
    users: non-admins and self-admins. After the horrible war about who's what
    type of user, we need a way to check on the hundreds of self-admin users,
    lest they break our network by postponing a critical patch. So maybe we do
    need that client that takes 2 minutes every time you boot your machine or
    make any network connection to make sure it is still fit to run.

    We may well want a client that can put the station in a special 'safe mode'
    when it learns that it is missing something that has become critical because
    an exploit is making the rounds. Yes, we want to distinguish between your
    current Critical update and a Don't-run-without-this-critical type of
    update: MS003-026 after Blaster came on the radar screen. No matter what,
    your workstation, server, would not run anything but the patch process once
    we got Code Red (sorry) on a patch that was not yet installed.

    The further we go down this path, the more complex it gets and the more
    problems we will have. Each of these mechanisms is a new invitation for
    worms and DoSes. This is going nowhere.

    How did other industries deal with such issues? In about every country, you
    need a license to drive a car. Historically that was not the case, but there
    was a moment that we simply could not allow just anybody to get behind the
    wheel. To get a license you need to take a test, so you need education. To
    keep the license, you must behave. Although the system is not perfect, it is
    saving us a lot of trouble. It is a nuisance, but I never heard a proposal
    to abolish the driver's license.

    Educating the driver helps. Much more has been accomplished by the
    technicians that construct cars and roads. This, I believe, is largely due
    to the fact that they are held responsible for anything that goes wrong that
    they could have prevented.

    I strongly believe it is a myth that software must be as vulnerable as it
    is. It is all a matter of priorities. By not holding the vendors
    accountable, they have to go for maximum functionality lest the competition
    outfeatures them. Why don't cars have doors that open at the front side? I
    had one (a Citroen 2CV): it is extremely easy to get in and out. It has a
    drawback as well: poor safety, so this design had to go. Outlook is full of
    extremely convenient features that cause a lot of its vulnerability. When we
    make software suppliers accountable, they will make different choices.

    In a couple of months, Microsoft’s security drive will have its first
    birthday. Doesn't look like it is going to be a big "mission accomplished"
    party. Maybe someone will proclaim that “software can't be made safe - we
    proved it”. Let's not buy that crap. If a product is sold with over 80%
    margin, there sure must be room for product improvement. Actually, there is
    room to build it all-over.

    Ernst Lopes Cardozo
    principal consultant
    Aranea Consult BV
    Wolput 72a
    5251 CH Vlijmen
    The Netherlands
    Tel. +31-73-646 1660
    Fax. +31-73-646 1661

