Once again, it appears that the worm authors have caught system administrators with their trousers down. Security specialist James McGregor discusses why businesses need to set aside a budget for patch management.
Despite a patch for the vulnerability exploited by W32.Blaster having been available since mid-July, the scale of infection among both business and home computers showed that in most cases it had not been applied. Such was the infection rate that, at its peak, the worm needed only about 30 seconds to find another uninfected computer somewhere in the world.
The single, hard and irrefutable fact is that, had every infected computer applied the patch Microsoft made freely available weeks before the worm appeared in the wild, W32.Blaster would have failed completely. The worm’s authors, however, knew that in the vast majority of cases the patch would not have been applied, and wrote and released the worm on that basis.
Luckily, W32.Blaster was not nearly as devastating as it could have been. Had it carried a destructive payload, or infected in a single connection like CodeRed, which needed no separate download step to propagate, or spread through both web and e-mail like Nimda, both the infection rate and the consequences of being infected would have been far worse. These are salient facts which, no doubt, have not escaped the attention of the copycat virus writers.
Ultimately, of course, the blame might be placed at the feet of Microsoft, since the vulnerability in Windows that Blaster exploits was created by its programmers. But the fact is that even Microsoft’s programmers are human and may, occasionally, overlook the odd buffer overflow here and there.
As the licence agreement you accepted before using any Microsoft software (patches included) helpfully points out, that software comes with no guarantee of fitness for purpose, however you run it. So vulnerabilities will be found, patches to fix them will be issued and, to maintain the security and integrity of your systems, you will need to apply them promptly.
However, an organisation’s patch management strategy will not be cheap: it requires test systems, documented procedures, change management and back-out plans. It needs resources, including staff and investment in training, and may well require dedicated servers to distribute updates to other servers and workstations.
It requires investment and, with it, recognition from budget holders that patch management is important enough to be taken seriously. Patch management needs to be a distinct, recognised element of the system administrator’s role. Given the cost of cleaning up after a virus outbreak, proactive patch management should be considered a sound business investment with real, tangible returns.
Patch management will, in the end, save you time and money. Malicious software writers are already at work on copycat versions of existing viruses and worms, no doubt designed to cause far more damage, and are probably busy finding the next generation of vulnerabilities to exploit. The next version of Blaster may be set to kill.
What’s your view?
What stops you from patching promptly? Tell us in an e-mail. Computerweekly.com reserves the right to edit and publish answers on the website. Please state if your answer is not for publication.
James McGregor is a consultant with the specialist IT security consultancy DNS.