Re: Russ Cooper's AusCERT Presentation on MS Security Bulletins
From: Ivan Arce (ivan.arce_at_CORESECURITY.COM)
Date: Thu, 3 Jun 2004 19:38:40 -0300
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Sorry, I couldn't resist jumping into this discussion...

It appears to me that the "scan & patch" philosophy is the accepted best practice among many. Unfortunately, that de facto accepted practice is not making things that much better (more secure) than 5 years ago; I suspect that is the point Russ is trying to make.

So, my personal conclusion is, "ok, how do we improve things since what we are doing is suboptimal?" I don't think that Russ is suggesting to stop patching at all, but to do so in a more intelligent manner, understanding that you are embarking on a process that, if it is not done right, will leave you as bad or even worse off than before, and that if it is done right you will be in a marginally better position against current bugs and the next one, at the expense of great effort.

Assuming that 100% patch coverage is almost impossible in any medium sized organization, I would try to think of alternatives and improvements. Here are a few I have in mind.

Scan & Patch consumes resources; usually you need to prioritize what to patch, when and in which order. How is this done? By an "expert system", aka a human being? Does the expert system take into account actual threats or just the alleged presence of a vulnerability in a system? Is it really there? How can you tell? Is it really exploitable? Is there an actual exploit for it? Is it publicly available? What are the chances of an exploit coming into existence? Within what timeframe?

Some people use actual exploits to verify the existence of an exploitable vulnerability and weed out false positives, assuming that the exploits are good enough for this.

Another important issue to consider with Scan & Patch is verification. So you deployed patches on 98% of your systems; are you more secure now? Yes? How can you tell? Did you verify that the patches installed properly on all those systems? How? Did you verify that the vulnerabilities are really fixed with those patches, given the particular configuration settings of your systems and the topology of your network?

Again, here some people use exploit code to actually weed out false

BTW, did you actually need to patch all 98% of your systems? Maybe all of them were not really exploitable due to topology, ACLs, other configuration settings, or other countermeasures deployed on the system (hence the big noise around IPSes).

So, if you only needed to patch 50% of your systems... why did you waste precious IT & security resources (always scarce) on the other 48%?

In any case, I would like to make it clear... I am NOT advocating not patching; I am just proposing to figure out ways to improve the process, make it more dependable and more efficient.

Another thought... It is not true that there is no diversity among Windows systems. From the attacker's PoV, combinations of OS version (NT, Win2k, XP, 2003, etc.), edition, service pack, language and sometimes even hot-fixes (let alone configuration settings) create a fairly diverse universe that needs to be accounted for in any attempt to execute either a directed attack or a massive one.

The Sasser worm used an exploit that worked on (correct me if I'm wrong) WinXP and Win2k with at most a 50% chance of successful exploitation if the target system was vulnerable (not counting that the actual exploit used was tested on WinXP SP0-SP1 and Win2k SP4 Pro/Advanced Server and 'supposed' to work on other OS/edition/SP/language). Furthermore, a small service bound to ports 5554/tcp and 9996/tcp could have prevented propagation by making the exploit payload fail.

I must confess: I am biased on this discussion; I work for a company that sells a penetration testing product (including exploits) but... frankly... there is no unbiased and objective opinion in this matter. Everybody has a recipe of their own and will try to convince everybody else that his/hers tastes better than the other's; in the end it is just a matter of what works best for each particular organization.

Finally, I don't know how or why "Microsoft bashing" got involved in the discussion; the quality of MSFT code or the timeframes they use for making patches available are separate issues not necessarily relevant to this discussion.

The security of your systems is your responsibility, not Microsoft's or any other vendor's, until something substantial changes in the software industry... we all work with flawed components, and until that changes (if ever) it is us that will have to deal with the problem.
Craig Shaw wrote:
> WOOOT! I'm with you all the way!
> We use SMS Server for patch management, and like you said, it's not MS
> products that scare me. It's all those other LOB apps that keep me up at
> night worrying. I can get a 98% deployment success rate with MS patches
> in about an hour. I might have to visit 2 or 3 machines manually to get
> the update to take because some luser didn't log off at night, but
> that's it.
> I know Russ likes to slam Microsoft whenever he can, but this time I
> think he's WAY off the mark. Better off not patching? Is he serious?
> Software is buggy. ALL software is buggy. The more complex the software,
> the more bugs it gets. Period. Patching is a fact of life, pretty much
> since programs grew beyond a few hundred lines of code. This isn't a
> Microsoft problem. It is an industry problem. At least Microsoft is
> taking proactive steps to make it easier to get patches in place and
> keep users notified when new patches are available. Most of the LOB apps
> I'm forced to support are nowhere near as easy to update, and the
> vendors sure don't tell me when updates are even available.
> Maybe it's time to set aside the "I Hate Microsoft" rhetoric and start
> thinking about reality.
> Craig Shaw
> Systems Administrator
> -----Original Message-----
> From: Windows NTBugtraq Mailing List
> [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM] On Behalf Of Susan Bradley,
> CPA aka Ebitz - SBS Rocks [MVP]
> Subject: Re: Russ Cooper's AusCERT Presentation on MS Security Bulletins
> Sorry Russ, but this gal in SBSland thinks that non-patching is NOT the
> way to go.
--
---
To strive, to seek, to find, and not to yield. - Alfred, Lord Tennyson, Ulysses, 1842

Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES
46 Farnsworth Street
Boston, MA 02210
Ph: 617-399-6980
Fax: 617-399-6987
firstname.lastname@example.org
www.coresecurity.com
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A

-----
Patch Automation v6.0 by Mobile Automation, Inc. allows you to quickly identify and fix all PCs that are exposed to the Sasser worm! Our solution provides quick and seamless discovery and deployment of all your PC computers' Microsoft security patching needs. Regardless of where your PCs reside (inside the LAN, at home or on the road), Patch Automation gets the job done. Contact us to learn about our free 30-day trial version at 800-344-1150 or visit our website at <http://www.patchautomation.com>
-----
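The questions Ivan raises about scan & patch (does the "expert system" weigh actual exploit availability or just the scanner's claim, is the vulnerable service even reachable given topology, ACLs and compensating controls, did you really need to patch all 98%, and did the patches actually take on the hosts that reported success) can be made concrete in a small model. The following is an added example written for this page; it is not Ivan's code or Core's product. Every host name, vulnerability id, port, file version and the 1..3 criticality and threat weights are constructed assumptions chosen to illustrate the reasoning, not real data.

```python
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    criticality: int            # constructed scale: 1 (lab box) .. 3 (domain controller)
    inbound_allowed: set        # TCP ports reachable from untrusted networks per the ACLs
    compensating: set = field(default_factory=set)   # e.g. {"ips:VULN-0001"}


@dataclass
class Vuln:
    vid: str
    port: int                   # TCP port of the vulnerable service
    fixed_version: str          # file version the patch is expected to leave behind


# Constructed catalogue: hypothetical vulnerability ids, ports and versions.
VULNS = {
    "VULN-0001": Vuln("VULN-0001", 445, "5.1.2600.1500"),
    "VULN-0002": Vuln("VULN-0002", 443, "6.0.2800.1400"),
    "VULN-0003": Vuln("VULN-0003", 135, "5.1.2600.1300"),
}

# Constructed threat knowledge: does an exploit exist, and is it public?
THREAT = {
    "VULN-0001": {"exploit_exists": True, "exploit_public": True},
    "VULN-0002": {"exploit_exists": True, "exploit_public": False},
    "VULN-0003": {"exploit_exists": False, "exploit_public": False},
}

# Constructed inventory: web1 filters 445 at the ACL; lab7 has an IPS signature for VULN-0001.
HOSTS = [
    Host("dc1", 3, {135, 445}),
    Host("web1", 2, {80, 443}),
    Host("lab7", 1, {135, 445, 5000}, {"ips:VULN-0001"}),
    Host("fs2", 2, {445}),
]

# Constructed scanner output: (hostname, vulnerability id) pairs.
FINDINGS = [
    ("dc1", "VULN-0001"), ("web1", "VULN-0001"), ("lab7", "VULN-0001"),
    ("fs2", "VULN-0001"), ("dc1", "VULN-0003"), ("web1", "VULN-0002"),
]


def is_exposed(host, vuln):
    """A scanner hit only matters if the vulnerable port is reachable through
    the host's ACL and no compensating control covers that specific bug."""
    if vuln.port not in host.inbound_allowed:
        return False
    if f"ips:{vuln.vid}" in host.compensating:
        return False
    return True


def threat_weight(vid):
    """Weight by what is known about exploits, not by mere presence of the bug."""
    t = THREAT.get(vid, {})
    if t.get("exploit_public"):
        return 3
    if t.get("exploit_exists"):
        return 2
    return 1


def prioritize(hosts, findings):
    """Split findings into an ordered work list and a deferred (not exposed) list.
    Returns ([(host, vid, score), ...], [(host, vid), ...])."""
    by_name = {h.name: h for h in hosts}
    work, deferred = [], []
    for name, vid in findings:
        host, vuln = by_name[name], VULNS[vid]
        if not is_exposed(host, vuln):
            deferred.append((name, vid))
            continue
        work.append((threat_weight(vid) * host.criticality, name, vid))
    work.sort(key=lambda w: (-w[0], w[1], w[2]))
    return [(n, v, s) for s, n, v in work], deferred


def version_tuple(v):
    return tuple(int(x) for x in v.split("."))


def verify(deploy_report, observed_versions, vid):
    """Cross-check 'patch installed' claims against versions read back from the
    hosts. Returns hosts that claim success but still carry a pre-fix version."""
    target = version_tuple(VULNS[vid].fixed_version)
    bad = [name for name, ok in deploy_report.items()
           if ok and version_tuple(observed_versions.get(name, "0")) < target]
    return sorted(bad)


# Constructed deployment report and post-patch readback for VULN-0001.
DEPLOY_REPORT = {"dc1": True, "fs2": True, "lab7": False}
OBSERVED = {"dc1": "5.1.2600.1500", "fs2": "5.1.2600.1106"}

if __name__ == "__main__":
    work, deferred = prioritize(HOSTS, FINDINGS)
    print("patch in this order:", work)
    print("not exposed, defer:", deferred)
    print("claimed patched but still vulnerable:", verify(DEPLOY_REPORT, OBSERVED, "VULN-0001"))
```

With the constructed data, two of the four VULN-0001 hits are deferred (one filtered by ACL, one covered by an IPS signature), the domain controller with the publicly exploited bug goes first, and the verification step catches a host whose deployment tool reported success while the readback still shows the old file version, which is the "did you verify?" gap the post describes.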