Re: Russ Cooper's AusCERT Presentation on MS Security Bulletins

From: Ivan Arce (ivan.arce_at_CORESECURITY.COM)
Date: 06/04/04

    Date:         Thu, 3 Jun 2004 19:38:40 -0300
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Sorry, I couldn't resist jumping into this discussion...

    It appears to me that the "scan & patch" philosophy is the
    accepted best practice among many. Unfortunately, that
    de facto accepted practice is not making things that much better
    (more secure) than 5 years ago; I suspect that is the point Russ is
    trying to make.

    So, my personal conclusion is, "ok, how do we improve things,
    since what we are doing is suboptimal?" I don't think that
    Russ is suggesting to stop patching at all, but to do so in a
    more intelligent manner, understanding that you are embarking on a
    process that, if it is not done right, will leave you as bad or even
    worse off than before, and that if it is done right you will be in a
    marginally better position against current bugs and the next one,
    at the expense of great effort.

    Assuming that 100% patch coverage is almost impossible in any medium-
    sized organization, I would try to think of alternatives and improvements.

    Here are a few I have in mind.

    Scan & Patch consumes resources; usually you need to prioritize
    what to patch, when, and in which order. How is this done? By an
    "expert system" (aka a human being)? Does the expert system take
    into account actual threats or just the alleged presence of
    a vulnerability in a system? Is it really there? How can you tell?
    Is it really exploitable? Is there an actual exploit for it? Is
    it publicly available? What are the chances of an exploit coming into
    existence? Within what timeframe?
    Some people use actual exploits to verify the existence of an
    exploitable vulnerability and weed out false positives, assuming
    that the exploits are good enough for this.

    Another important issue to consider with Scan & Patch is verification.
    So you deployed patches on 98% of your systems; are you more secure now?
    Yes? How can you tell? Did you verify that the patches installed
    properly on all those systems? How? Did you verify that the vulnerabilities
    are really fixed with those patches, given the particular configuration
    settings of your systems and the topology of your network?
    Again, here some people use exploit code to actually weed out false
    negatives.

    BTW, did you actually need to patch all 98% of your systems? Maybe
    not all of them were really exploitable, due to topology, ACLs,
    other configuration settings, or other countermeasures deployed on
    the system (hence the big noise around IPSes).
    So, if you only needed to patch 50% of your systems... why did
    you waste precious IT & security resources (always scarce) on
    the other 48%?

    In any case, I would like to make it clear... I am NOT advocating
    not patching; I am just proposing to figure out ways to improve the process,
    make it more dependable and more efficient.

    Another thought... It is not true that there is no diversity
    among Windows systems. From the attacker's PoV, combinations of
    OS version (NT, Win2k, XP, 2003, etc.), edition, service pack, language
    and sometimes even hot-fixes (let alone configuration settings)
    create a fairly diverse universe that needs to be accounted for
    in any attempt to execute either a directed attack or a massive one.

    The Sasser worm used an exploit that worked on (correct me if I'm
    wrong) WinXP and Win2k with at most a 50% chance of successful
    exploitation if the target system was vulnerable (not counting that
    the actual exploit used was tested on WinXP SP0-SP1 and Win2k SP4
    Pro/Advanced Server and 'supposed' to work on other OS/edition/SP/language
    combinations).
    Furthermore, a small service bound to ports 5554/tcp and 9996/tcp
    could have prevented propagation by making the exploit payload fail.

    I must confess: I am biased in this discussion. I work for a company
    that sells a penetration testing product (including exploits), but...
    frankly... there is no unbiased and objective opinion in this
    matter. Everybody has a recipe of their own and will try to convince
    everybody else that his/hers tastes better than the others'; in the end it
    is just a matter of what works best for each particular organization.

    Finally, I don't know how or why "Microsoft bashing" got involved in the
    discussion; the quality of MSFT code or the timeframes they use for
    making patches available are separate issues not necessarily relevant
    to this discussion.

    The security of your systems is your responsibility, not Microsoft's
    or any other vendor's, until something substantial changes in the
    software industry... we all work with flawed components, and until
    that changes (if ever) it is us that will have to deal with the problem.

    -ivan

    Craig Shaw wrote:

    > Susan,
    >
    > WOOOT! I'm with you all the way!
    >
    > We use SMS Server for patch management, and like you said, it's not MS
    > products that scare me. It's all those other LOB apps that keep me up at
    > night worrying. I can get a 98% deployment success rate with MS patches
    > in about an hour. I might have to visit 2 or 3 machines manually to get
    > the update to take because some luser didn't log off at night, but
    > that's it.
    >
    > I know Russ likes to slam Microsoft whenever he can, but this time I
    > think he's WAY off the mark. Better off not patching? Is he serious?
    >
    > Software is buggy. ALL software is buggy. The more complex the software,
    > the more bugs it gets. Period. Patching is a fact of life, pretty much
    > since programs grew beyond a few hundred lines of code. This isn't a
    > Microsoft problem. It is an industry problem. At least Microsoft is
    > taking proactive steps to make it easier to get patches in place and
    > keep users notified when new patches are available. Most of the LOB apps
    > I'm forced to support are nowhere near as easy to update, and the
    > vendors sure don't tell me when updates are even available.
    >
    > Maybe it's time to set aside the "I Hate Microsoft" rhetoric and start
    > thinking about reality.
    >
    > Craig Shaw
    > Systems Administrator
    >
    > -----Original Message-----
    > From: Windows NTBugtraq Mailing List
    > [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM] On Behalf Of Susan Bradley,
    > CPA aka Ebitz - SBS Rocks [MVP]
    > Subject: Re: Russ Cooper's AusCERT Presentation on MS Security Bulletins
    >
    > Sorry Russ, but this gal in SBSland thinks that non-patching is NOT the
    > way to go.
    >
    > -----
    > Patch Automation v6.0 by Mobile Automation, Inc. allows you to quickly
    > identify and fix all PC's that are exposed to the Sasser worm! Our
    > solution provides quick and seamless discovery and deployment of all your
    > PC computer's Microsoft security patching needs. Regardless of where
    > you're PC's reside (inside the LAN, at home or on the road), Patch
    > Automation gets the job done. Contact us to learn about our free 30-day
    > trial version at 800-344-1150 or visit our website at
    > <http://www.patchautomation.com>
    > -----

    --
    ---
    To strive, to seek, to find, and not to yield.
    - Alfred, Lord Tennyson, Ulysses, 1842
    Ivan Arce
    CTO
    CORE SECURITY TECHNOLOGIES
    46 Farnsworth Street
    Boston, MA 02210
    Ph: 617-399-6980
    Fax: 617-399-6987
    ivan.arce@coresecurity.com
    www.coresecurity.com
    PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
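The prioritization and exposure questions raised in the post above (is the service actually listening, is there a network path from a hostile zone, is a compensating control already in place, is an exploit public) turned into a small triage routine. This is an added example, not code from the original post or from Core Security; the host inventory, zone names, mitigation labels and tiers are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

HOSTILE = frozenset({"internet"})  # constructed: zones an attacker is assumed to hold

@dataclass
class Host:
    name: str
    vulnerable: bool                     # scanner reports the unpatched build
    service_listening: bool              # affected service actually running
    reachable_from: FrozenSet[str] = frozenset()  # zones with a path to the port
    mitigations: FrozenSet[str] = frozenset()     # e.g. "host-fw", "ips-sig" (assumed labels)

@dataclass
class Threat:
    exploit_public: bool   # working exploit circulating
    worm_active: bool      # self-propagating code seen in the wild

def triage(host: Host, threat: Threat, hostile: FrozenSet[str]) -> Tuple[str, str]:
    """Return (tier, reason); tiers are 'urgent', 'verify', 'scheduled', 'none'."""
    if not host.vulnerable:
        return "none", "patched or not affected"
    if not host.service_listening:
        return "scheduled", "vulnerable build present but service not listening"
    if not (host.reachable_from & hostile):
        return "scheduled", "no network path from a hostile zone (topology/ACLs)"
    if host.mitigations & {"host-fw", "ips-sig"}:
        # A compensating control lowers urgency only once it is confirmed to block.
        return "verify", "exposed, but a compensating control may already stop it"
    if threat.worm_active or threat.exploit_public:
        return "urgent", "exposed, exploitable, exploit in the wild"
    return "scheduled", "exposed but no public exploit yet"

def plan(hosts: List[Host], threat: Threat, hostile: FrozenSet[str]) -> Dict[str, List[str]]:
    """Group hosts by tier so scarce patching effort goes to the exposed ones first."""
    out: Dict[str, List[str]] = {}
    for h in hosts:
        tier, _ = triage(h, threat, hostile)
        out.setdefault(tier, []).append(h.name)
    return out

SAMPLE_HOSTS = [  # constructed inventory
    Host("dmz-web", True, True, frozenset({"internet", "lan"})),
    Host("lan-file", True, True, frozenset({"lan"})),
    Host("dmz-mail", True, True, frozenset({"internet"}), frozenset({"ips-sig"})),
    Host("kiosk", True, False),
    Host("hr-db", False, True, frozenset({"lan"})),
]
SAMPLE_THREAT = Threat(exploit_public=True, worm_active=True)
```

Running `plan(SAMPLE_HOSTS, SAMPLE_THREAT, HOSTILE)` puts only the internet-reachable, unmitigated host in the urgent tier; the "verify" tier is where the post's point about confirming that a countermeasure really works belongs.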
