Users should lock down Windows or get ready for expensive updates
- Posted: 16:27 25 Sep 2003
- Topics: Security
Patching Windows code avoids downtime,
but proves too costly for users
Microsoft's decision to rush out a patch for a little-used piece
of code in its Windows operating system, only weeks after an earlier
patch for the same component, has cost users dearly, it emerged
this week.
Research by NTBugtraq estimated the cost to users of applying the
patches averaged $477 (£318) per PC. For a large organisation
with 100,000 PCs, this would cost $47.7m, based on the cost of
tackling the related MSBlaster attack.
Users had to update every PC on their corporate networks after
Microsoft published a security alert warning of a new bug in the OS.
Neil Crew, IT director at food group Princes, said, "I do not think
the user population has any idea of the work that takes place
behind the scenes to protect systems from this kind of thing and
how it deflects us from our main focus. If there is one good thing
to come out of it all, it makes it easier to justify our budget on
security and anti-virus."
IT experts said the latest flaw has dented Microsoft's efforts to
prove it can deliver secure IT systems through its Trustworthy
Computing initiative.
Russ Cooper, chief security officer at Trusecure, who also runs
NTBugTraq, accused Microsoft of complacency. He said one business
spent four days uploading the patch for the previous hole to
protect against MSBlaster.
"All the work users undertook to install the first patch was a
waste of time," he said. They must now install the latest MS03-039
patch, as it would be easy for someone to write a variant of
MSBlaster that could exploit the vulnerability, he warned.
Cooper said Microsoft had spent about two months working with
Polish security specialist Last Stage of Delirium to produce a
patch for the original vulnerability in Windows. Yet just weeks
later, on 10 September, it issued another patch for a similar hole
in the same software component.
Microsoft should have looked at the code to see if there were any
further patches required before releasing the first patch, Cooper
said.
The latest problem is closely related to the one that exposed users
to the MSBlaster worm. Both holes relate to an element of Windows
called the Distributed Component Object Model (DCom), a protocol
that allows applications on different computers to communicate with
one another.
Analysts agree that patching must be simplified to reduce
disruption to the business. Mitul Mehta, managing director of
consultancy TekPlus, said, "Any vulnerability will have an impact
on business," although automated patching goes some way to reducing
the disruption.
Maxine Holt, senior analyst at Butler Group, was concerned by the
size of the patch file and argued that Microsoft should take a
better approach, based on the way anti-virus software companies
release regular updates.
Patching needs to be made easier to avoid further disruption and
costs to business, said Holt. She was concerned that the large
1.5Mbyte patch issued by Microsoft would slow down corporate
networks and prove time consuming and difficult to install. To
patch all desktops in a company with 8,000 PCs, some 12Gbytes
of data would need to pass over the network.
Microsoft should base its approach to patching on that used by
anti-virus companies, she said. Compared to the 1.5Mbyte patch
Microsoft was issuing, upgrades from anti-virus company Sophos are
just 500 bytes. Such small files would go a long way to improving
patch management and remove the bandwidth barrier.
But Holt acknowledged that the task of creating smaller patches
could prove extremely difficult for Microsoft. She said, "Windows
would need to be re-engineered so that it was built on granular
code."
But users should not wait for suppliers to provide improved patch
management. Cooper recommended that users disable DCom before
applying any new patch from Microsoft. Disabling this piece of
software would remove the risk once and for all, but it could
prevent any software that uses it from running.
He advised users to disable DCom by broadcasting an automatic
update to the Windows registry file on every desktop PC, then
checking which end-users were affected by the change. "The vast
majority of organisations will never realise DCom has been switched
off," he said.
Anyone affected would complain and the 1.5 Mbyte Microsoft patch
need only be applied to these users. Such a policy would save a
considerable amount of network bandwidth, said Cooper.
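The registry switch Cooper describes is the documented one: the string value EnableDCOM under HKLM\SOFTWARE\Microsoft\Ole, set to "N" (a reboot is needed before it takes effect). The following script is an added example, not code from the article or from Cooper; it flips that value, reports the current state, and then implements his second step of finding the clients that actually needed DCom by reading DCOM errors from the System event log. The function names are illustrative, and the event provider name "Microsoft-Windows-DistributedCOM" is assumed to be the one used on Windows Vista and later.

```powershell
# Added example (not from the article): disable DCOM the way Cooper
# recommends, then find the machines that complain afterwards.
# Run from an elevated prompt; Windows PowerShell 5.1 or later assumed.

$OleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'   # documented location of EnableDCOM

function Get-DcomState {
    # Returns "Enabled" or "Disabled". A missing value means the default, enabled.
    $value = (Get-ItemProperty -Path $OleKey -Name 'EnableDCOM' `
              -ErrorAction SilentlyContinue).EnableDCOM
    if ($value -eq 'N') { 'Disabled' } else { 'Enabled' }
}

function Disable-Dcom {
    # Step 1 of Cooper's approach: push the registry change to every desktop.
    # The value is REG_SZ "Y"/"N"; the change is effective after the next reboot.
    Set-ItemProperty -Path $OleKey -Name 'EnableDCOM' -Value 'N' -Type String
}

function Get-DcomFailures {
    # Step 2: components that still try to reach an out-of-process or remote
    # server log errors under the DistributedCOM provider in the System log.
    # Machines with hits are the ones that need DCOM back (and the patch).
    # Assumption: provider name as used on Windows Vista and later.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        Level        = 2                          # 2 = Error
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage, per client (or wrapped in Invoke-Command against a host list):
#   Disable-Dcom; Restart-Computer
#   ...a week later...
#   Get-DcomState
#   Get-DcomFailures -Days 7 | Format-Table -AutoSize
```

One caveat a practitioner would add today: on current Windows releases DCOM underpins WMI remoting, remote event-log access and a good deal of management tooling, so the proportion of organisations that "will never realise DCom has been switched off" is much smaller than it was in 2003. Treat the event-log sweep as mandatory, not optional, and keep the patch on hand for the hosts it flags.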
Holt recommended that IT directors discuss with their admin staff
which features of the Windows operating system to lock down, to
reduce the organisation's exposure to security holes. She said it
should be possible to lock down Windows completely by disabling all
but the essential features.
Microsoft chief security officer Stuart Okin said, "This is a new
type of vulnerability that we have not experienced before."
Okin said Microsoft had only learned of the latest hole after it
had released the first patch. Even if it had been given more
notice, Okin was adamant Microsoft would still have proceeded with
the first release, given the fact that the MS Blaster worm was
infecting users.
How to secure a Windows network
IT directors need to ascertain which features in the Windows
operating system they require to run the business, and which pose
an unacceptable security threat.
IT directors then need to work with IT staff to reduce their
exposure to future Microsoft flaws. IT directors should:
- Use two firewalls. An external firewall should protect a DMZ
(demilitarised zone) for servers that are exposed to the internet
and are not completely "trustworthy". Between the DMZ and the
internal machines there should be another firewall
- Install an anomaly-based ("artificial intelligence") intrusion
detection system. This is especially important to protect against
vulnerabilities that are yet to be patched. Using a record of prior
traffic, the IDS learns to recognise normal traffic and identifies
exceptional flows and unusual attempts to use particular ports.
Ports are part of the logical address structure in TCP/IP and each
application uses one of the 65,536 ports available per transport
protocol - e-mail, for example, uses port 25
- Patch machines regularly - once a day or every other day. There
are tools to help, such as Windows Update or Systems Management
Server
- Every six months have your PCs and servers security-tested to
look for machines that are running file-sharing software or acting
as illicit web servers, which can be a hidden route into the
network for malicious code
- Run only the network services that are needed. DCom, the subject
of the latest Microsoft vulnerability, is rarely used but is on by
default in Windows
- If you are running networking protocols such as Netbios and Cifs,
make sure that PCs are not enabled to share files and that admin
passwords are not left blank and, where set, are strong.
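The checklist above is what a host should look like; the script below is an added example (not from the article or from ProCheckUp) that checks one Windows machine against the parts of it that can be verified locally: unexpected listening ports, user-created file shares, the policy that blocks network logon with a blank password, and how stale the last hotfix is. It assumes Windows 8 / Windows PowerShell 5.1 or later for Get-NetTCPConnection and Get-SmbShare; the port allow-list and function names are illustrative.

```powershell
# Added example (not from the article): baseline audit of one host against
# the "How to secure a Windows network" checklist. Run elevated.

# Illustrative allow-list of ports the business actually needs. Deliberately
# excludes 135/139/445 so the RPC/DCOM, NetBIOS and CIFS listeners that the
# article is worried about show up in the report if they are still open.
$AllowedPorts = @(3389)   # example: Remote Desktop only

function Get-UnexpectedListeners {
    # "Run only the network services that are needed": every TCP listener
    # not on the allow-list, with the process that owns it.
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalPort -notin $AllowedPorts } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port    = $_.LocalPort
                Address = $_.LocalAddress
                Process = $proc.ProcessName
            }
        } | Sort-Object Port -Unique
}

function Get-NonAdminShares {
    # "Make sure that PCs are not enabled to share files": shares other than
    # the built-in administrative ones (C$, ADMIN$, IPC$ are marked Special).
    Get-SmbShare | Where-Object { -not $_.Special }
}

function Test-BlankPasswordRestriction {
    # LimitBlankPasswordUse = 1 (the default) refuses network logon for
    # accounts with a blank password; 0 would let a blank local admin
    # password be used over the network.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $v = (Get-ItemProperty -Path $lsa -Name 'LimitBlankPasswordUse' `
          -ErrorAction SilentlyContinue).LimitBlankPasswordUse
    return ($v -ne 0)
}

function Get-PatchAge {
    # "Patch machines regularly": days since the most recent hotfix.
    $latest = Get-HotFix | Where-Object InstalledOn |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    if ($latest) { ((Get-Date) - $latest.InstalledOn).Days } else { $null }
}

# Usage:
#   Get-UnexpectedListeners | Format-Table -AutoSize
#   Get-NonAdminShares | Select-Object Name, Path
#   "Blank-password network logon blocked: $(Test-BlankPasswordRestriction)"
#   "Days since last hotfix: $(Get-PatchAge)"
```

Run it across the estate with Invoke-Command and diff the results against the previous run; a new listener or a new share on a desktop is exactly the "illicit web server" or file-sharing client the six-monthly test is meant to catch, found in days rather than months.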
Source: Richard Brain, technical
director of penetration testing specialist ProCheckUp