Patching Windows code avoids downtime, but proves too costly for users
Microsoft's decision to rush out a patch to fix a little-used piece of code in its Windows operating system only weeks after an earlier patch for the same piece of code has cost users dearly, it emerged this week.
Research by NTBugtraq estimated the cost to users of applying the patches averaged $477 (£318) per PC. For a large organisation with 100,000 PCs, this would cost $47.7m, based on the cost of tackling the related MSBlaster attack.
Users had to update every PC on their corporate networks after Microsoft published a security alert warning of a new bug in the OS.
Neil Crew, IT director at food group Princes, said, "I do not think the user population has any idea of the work that takes place behind the scenes to protect systems from this kind of thing and how it deflects us from our main focus. If there is one good thing to come out of it all, it makes it easier to justify our budget on security and anti-virus."
IT experts said the latest flaw has dented Microsoft's efforts to prove it can deliver secure IT systems through its Trustworthy Computing initiative.
Russ Cooper, chief security officer at Trusecure, who also runs NTBugTraq, accused Microsoft of complacency. He said one business spent four days uploading the patch for the previous hole to protect against MSBlaster.
"All the work users undertook to install the first patch was a waste of time," he said. They must now install the latest MS03-039 patch, as it would be easy for someone to write a variant of MSBlaster that could exploit the vulnerability, he warned.
Cooper said Microsoft had spent about two months working with Polish security specialist Last Stage of Delirium to produce a patch for the original vulnerability in Windows. Yet just weeks later, on 10 September, it issued another patch for a similar hole in the same software component.
Microsoft should have looked at the code to see if there were any further patches required before releasing the first patch, Cooper said.
The latest problem is closely related to the one that exposed users to the MSBlaster worm. Both holes relate to an element of Windows called the Distributed Component Object Model (DCom), a protocol that allows applications on different computers to communicate with one another.
Analysts agree that patching must be simplified to reduce disruption to the business. Mitul Mehta, managing director of consultancy TekPlus, said, "Any vulnerability will have an impact on business," although automated patching goes some way to reducing the disruption.
Maxine Holt, senior analyst at Butler Group, was concerned by the size of the patch file and argued that Microsoft should take a better approach, based on the way anti-virus software companies release regular updates.
Patching needs to be made easier to avoid further disruption and costs to business, said Holt. She was concerned that the large 1.5Mbyte patch issued by Microsoft would slow down corporate networks and prove time consuming and difficult to install. To patch all desktops in a company with 8,000 PCs, more than 80Gbytes of data would need to pass over the network.
Microsoft should base its approach to patching on that used by anti-virus companies, she said. Compared to the 1.5Mbyte patch Microsoft was issuing, upgrades from anti-virus company Sophos are just 500 bytes. Such small files would go a long way to improving patch management and remove the bandwidth barrier.
But Holt acknowledged that the task of creating smaller patches could prove extremely difficult for Microsoft. She said, "Windows would need to be re-engineered so that it was built on granular code."
But users should not wait for suppliers to provide improved patch management. Cooper recommended that users disable DCom before applying any new patch from Microsoft. Disabling this piece of software would remove the risk once and for all, but it could prevent any software that uses it from running.
He advised users to disable DCom by broadcasting an automatic update to the Windows registry file on every desktop PC, then checking which end-users were affected by the change. "The vast majority of organisations will never realise DCom has been switched off," he said.
Anyone affected would complain and the 1.5 Mbyte Microsoft patch need only be applied to these users. Such a policy would save a considerable amount of network bandwidth, said Cooper.
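Cooper's approach, pushing a registry change to every desktop first and patching only the users who turn out to need DCom, as an added PowerShell example. This is not code from the article, from Cooper or from Microsoft. It uses the real EnableDCOM string value under HKLM\SOFTWARE\Microsoft\Ole ("Y" is the Windows default, "N" switches DCom off); the log share \\FILESERVER\dcom-rollout is a placeholder, and the script assumes it runs elevated on each desktop via a startup script or a software-distribution tool.

```powershell
# Added example, not from the article: switch DCom off through the registry,
# keep a record so the change can be reversed, and report the rollout.
# Real value: HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM, REG_SZ, "Y" = on (default), "N" = off.
# Assumptions: runs elevated on each desktop; \\FILESERVER\dcom-rollout is a
# placeholder for a share the desktops can write to.

$OleKey  = 'HKLM:\SOFTWARE\Microsoft\Ole'
$LogDir  = '\\FILESERVER\dcom-rollout'                       # placeholder share
$LogFile = Join-Path $LogDir "$env:COMPUTERNAME.txt"

function Get-DcomState {
    # Returns 'Y' or 'N'. A missing value means the Windows default: enabled.
    $value = (Get-ItemProperty -Path $OleKey -Name EnableDCOM -ErrorAction SilentlyContinue).EnableDCOM
    if ([string]::IsNullOrEmpty($value)) { return 'Y' }
    return $value.ToUpper()
}

function Disable-Dcom {
    # Record the previous state, switch DCom off, and log both values so the
    # change is auditable and reversible per machine.
    $before = Get-DcomState
    Set-ItemProperty -Path $OleKey -Name EnableDCOM -Value 'N' -Type String
    $after = Get-DcomState
    "$(Get-Date -Format s) before=$before after=$after" | Out-File -FilePath $LogFile -Append
    return $after
}

function Restore-Dcom {
    # For a user whose software does depend on DCom: switch it back on and mark
    # the PC as one that must receive the MS03-039 patch instead.
    Set-ItemProperty -Path $OleKey -Name EnableDCOM -Value 'Y' -Type String
    "$(Get-Date -Format s) restored=Y action=apply-MS03-039" | Out-File -FilePath $LogFile -Append
}

function Get-DcomRolloutReport {
    # Run from the admin workstation: one line per PC, taken from its latest log entry,
    # so the machines still needing the patch are visible in one list.
    Get-ChildItem -Path $LogDir -Filter '*.txt' | ForEach-Object {
        [pscustomobject]@{
            Computer  = $_.BaseName
            LastEntry = (Get-Content -Path $_.FullName | Select-Object -Last 1)
        }
    }
}

# Per-desktop action. The new EnableDCOM setting is read at the next restart.
Disable-Dcom
```

The same change as a plain registry-file broadcast sets the string value EnableDCOM to N under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole. Recording the "before" state matters because, as the article notes, any software that relies on DCom stops working once it is switched off; Restore-Dcom is the fix for the minority who report a problem, and Get-DcomRolloutReport gives the administrator the list of PCs that still need the 1.5Mbyte patch.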
Holt recommended that IT directors discuss with their admin staff which features of the Windows operating system to lock down, to reduce the organisation's exposure to security holes. She said it should be possible to lock down Windows completely by disabling all but the essential features.
Microsoft chief security officer Stuart Okin said, "This is a new type of vulnerability that we have not experienced before."
Okin said Microsoft had only learned of the latest hole after it had released the first patch. Even if it had been given more notice, Okin was adamant Microsoft would still have proceeded with the first release, given that the MSBlaster worm was infecting users.
How to secure a Windows network
IT directors need to ascertain which features in the Windows operating system they require to run the business, and which pose an unacceptable security threat.
IT directors then need to work with IT staff to reduce their exposure to future Microsoft flaws. IT directors should:
Use two firewalls. An external firewall should protect a DMZ (demilitarised zone) for servers that are exposed to the internet and are not completely "trustworthy". Between the DMZ and the internal machines there should be another firewall.
Install an artificial intelligence intrusion detection system. This is especially important to protect against vulnerabilities that are yet to be patched. Using a list of prior traffic, the IDS learns to recognise normal traffic and identifies exceptional flows and unusual attempts to use particular ports. Ports are part of the logical address structure in TCP/IP and each application uses one of about 65,000 ports on a network - e-mail, for example, uses port 25.
Patch machines regularly - once a day or every other day. There are tools to help, such as Windows Update or Systems Management Server.
Every six months, have your PCs and servers security-tested to look for machines that are running file-sharing software or acting as illicit web servers, which can be a hidden route into the network for malicious code.
Run only the network services that are needed. DCom, the subject of the latest Microsoft vulnerability, is rarely used but is on by default in operating systems.
If you are running networking protocols, such as Netbios and Cifs, make sure that PCs are not enabled to share files and that admin passwords are not blank and, where set, are secure.
Source: Richard Brain, technical director of penetration testing specialist ProCheckUp
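The learning intrusion detection idea in Brain's list, reduced to its simplest form as an added PowerShell example; this is not code from the article, from Brain or from any IDS product. Phase one learns which server-and-port pairs the recorded "prior traffic" uses; phase two flags any flow to a pair the baseline never saw. Both flow lists and the field names src, dst and dport are constructed for this example.

```powershell
# Added example, not from the article: a minimal port-baseline detector.
# Learn the (server, port) pairs seen in normal traffic, then report flows to
# pairs that never appeared in the baseline. Both data sets are constructed.

$BaselineCsv = @'
src,dst,dport
10.1.0.11,10.1.0.5,25
10.1.0.12,10.1.0.5,25
10.1.0.11,10.1.0.6,80
10.1.0.13,10.1.0.6,443
'@

$NewCsv = @'
src,dst,dport
10.1.0.14,10.1.0.5,25
10.1.0.99,10.1.0.6,135
10.1.0.99,10.1.0.7,445
10.1.0.12,10.1.0.6,80
'@

function New-PortBaseline {
    # Build a lookup of every "dst:dport" pair present in the recorded traffic.
    # A hashtable is used because PowerShell does not unroll it on return.
    param([string]$Csv)
    $seen = @{}
    foreach ($row in ($Csv | ConvertFrom-Csv)) {
        $seen["$($row.dst):$($row.dport)"] = $true
    }
    return $seen
}

function Find-AnomalousFlows {
    # Emit each new flow whose server/port pair is absent from the baseline.
    param([string]$Csv, [hashtable]$Baseline)
    $Csv | ConvertFrom-Csv | Where-Object { -not $Baseline.ContainsKey("$($_.dst):$($_.dport)") }
}

$baseline = New-PortBaseline -Csv $BaselineCsv
# With the constructed data this lists the flows to 10.1.0.6:135 and 10.1.0.7:445;
# 135 is the RPC endpoint mapper that DCom uses, 445 carries Cifs file sharing,
# and neither server offered those ports in the learned baseline.
Find-AnomalousFlows -Csv $NewCsv -Baseline $baseline | Format-Table -AutoSize
```

The baseline only knows what it was shown, so the list of prior traffic must cover a full business cycle (month-end jobs, backups) or legitimate but rare flows will be reported as anomalies; real products add per-host rate and time-of-day features on top of this pair lookup.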