RE: Releasing patches is bad for security

From: Dozal, Tim (tdozal_at_cisco.com)
Date: 03/03/04

    Date: Wed, 3 Mar 2004 12:42:25 -0800
    To: "James P. Saveker" <james@wetgoat.net>

    I have seen SUS and SMS; they are both great, along with using AD to push
    patches and various other methods like login script systems. Smaller
    patches with BITS technology, fewer reboots: all of these are steps along
    the path.

    MS is making progress, but as they have the largest install base they are
    the largest target. Open source can argue all they want, but if an open
    source OS becomes as large as Windows it will become a target, and god
    forbid every company who decided to use the open source OS has to rely
    on their internal teams to write a patch (or trust one written by
    somebody who has to take no accountability for it) and then go repair
    the damage of a widespread virus.

    Security is at the front of every hi-tech company's priority list, and MS
    is no exception. They are a smart company responsible for the bottom
    line. If the bottom line is affected by security issues in its
    products, they will enhance the security.

    To circle back to the original topic: Releasing patches is bad for
    security

    Valdis,

    Patches are a fact of life. Full disclosure in reference to a
    vulnerability is a bad thing, as it opens the door for those people not
    smart enough to find the exploit on their own to take advantage of
    another person's discovery and cause harm. Regardless of the OS (Windows,
    Linux, FreeBSD, AIX, HP-UX, IOS), I don't care, they all release patches
    and they always will. It's the way software works...

    Tim

    -----Original Message-----
    From: James P. Saveker [mailto:james@wetgoat.net]
    Sent: Wednesday, March 03, 2004 11:17 AM
    To: Dozal, Tim
    Cc: incidents@securityfocus.com
    Subject: RE: Releasing patches is bad for security

     
    My word, you are brave Tim. I said something similar on Full Disclosure
    and got quite a telling off.

    I have to fully support your comments and also make another point.

    The new patch model for Longhorn will not require reboots. They are
    investing a great deal of money in security now, as before they had
    valued functionality over security.

    Current patches are getting smaller, as with large enterprises bandwidth
    can be at a premium.

    For large businesses they offer SMS as a great tool for patch deployment,
    including being aware of remote users and making use of the BITS
    technology. For smaller businesses they offer SUS for FREE!!

    I am not saying that MS have always got it right in the past, quite
    frankly they have not. Things are changing with MS, time will tell.

    James Saveker
    www.wetgoat.net

    "The only thing which helps me maintain my slender grip on reality is
    the friendship I share with my collection of singing potatoes..."

    -----Original Message-----
    From: Dozal, Tim [mailto:tdozal@cisco.com]
    Sent: 03 March 2004 01:19
    To: Valdis.Kletnieks@vt.edu
    Cc: incidents@securityfocus.com
    Subject: RE: Releasing patches is bad for security

    After sitting in on some of the discussion at the security conferences
    on the MS campus, their strategy is as sound as any I have seen
    proposed. They are only releasing out-of-cycle patches for things that
    are wormable. Other vulnerabilities, as they are discovered, no matter
    the source of the discovery, are released in scheduled patches.

    This is to aid their large customers, the ones who usually take the
    longest time to deploy patches, have strict IT policy and also pay a TON
    of $$$ to MS for their software.

    You miss MS's intent with:

    > I mean.. *really*.. apply a few neurons. What black hat who didn't just
    > fall out of a tree is going to reveal his 0-day in a worm before its
    > usefulness has dried up?

    Those are things they patch in cycle as they are discovered, and trends
    show the largest-impacting virus threats from these occur AFTER the
    patches. The smart hackers who have early 0-day exploits will always
    exist; they are the needle in the haystack, not the atomic bomb MS is
    trying to deal with in their recent patch changes and policy changes.

    2003 and Longhorn will be quite a different story. MS has learned that
    turning everything on for ease of use is not smart or secure, so the next
    gen stuff is more secure in the idea that if it's not turned on
    specifically by the customer, it's not turned on at all. This will make
    for a huge reduction in the attack surface of the hosts, again a step in
    a long line of steps that are needed to make the entire solution secure.

    Tim

    -----Original Message-----
    From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu]
    Sent: Tuesday, March 02, 2004 8:51 AM
    To: Dozal, Tim
    Cc: incidents@securityfocus.com
    Subject: Re: Releasing patches is bad for security

    On Mon, 01 Mar 2004 14:40:40 PST, "Dozal, Tim" <tdozal@cisco.com> said:
    > The question to ask yourself is do the vulnerabilities get exploited
    > before or after MS releases the patches. I think for code red/Nimda
    > MS posted a patch and some 300ish days later the worm hit. Then move
    > ahead

    Note that there's a major logic flaw in here - "vulnerabilities exploited"
    is *NOT* the same thing as "worm". Microsoft *wants* you to make that
    logical error, because they don't want you thinking about all the
    unpatched holes in IE, and they don't want you thinking about how many
    black hats have 0-days that they're not attaching to worms because then
    they'd lose the use of that 0-day.

    I mean.. *really*.. apply a few neurons. What black hat who didn't just
    fall out of a tree is going to reveal his 0-day in a worm before its
    usefulness has dried up?

    If anything, the fact that Nimda was 300 days and Blaster was only 18
    is proof that:

    a) The percentage of people patching quickly is going up, *and*
    b) this means that throwing away your 0-day on "diminishing returns" is
    happening faster.

    Obviously, whoever released Nimda was using their 0-day for months after
    the patch before enough people closed the hole that they said "screw
    this, this one's gotten lame" and launched a worm. It only took 2 weeks
    of concentrated patching before the owner of the Blaster 0-day threw in
    the towel...

    Remember why we originally *started* the full-disclosure movement -
    without it, the vendors won't move and the 0-days will circulate for
    *years*.

