The security landscape

This excerpt from "The administrator shortcut guide to patch management" lists the top vulnerability categories and discusses the growing number of computer security threats that require patching.

The following excerpt is from Chapter 1 of the free eBook "Administrator shortcut guide to patch management" written by Rod Trent.

The security landscape

It's an insecure world. Each day we read about new threats to computer security, and whether these threats result from operating system (OS) vulnerabilities or holes in application security, it is difficult to keep up with the number of patches that are constantly being released. As time has progressed, new types of threats have surfaced, making each area of the computer vulnerable to a wide range of exploits. The following list highlights some of the top vulnerability categories:

  • OS vulnerabilities -- OS vulnerabilities, although not the most common, tend to gain the most media coverage. OS vulnerabilities are one of the security aspects targeted by patch management.
  • Application vulnerabilities -- In addition to the OS being vulnerable to exploits, the applications that run on the OS can also require patching. Some prominent applications for which patches are regularly released include Microsoft Office, Microsoft SQL Server, and Microsoft Exchange Server as well as third-party Independent Software Vendor (ISV) software products.
  • Viruses -- A virus is a program or programming code that replicates by being copied or initiating its copying to another program, computer boot sector or document. Viruses can be transmitted as attachments to an e-mail message or in a downloaded file, or be present on a diskette or CD-ROM. Over the past year, antivirus software application vendors have performed double-duty by providing, through their updating mechanisms, fixes to exploits that ultimately should be dealt with through patch management.
    There are three main classes of viruses. The following list provides definitions of each:
      ◦ File infectors -- Some file infector viruses attach themselves to program files, usually selected .COM, .DLL or .EXE files. Some can infect any program or process for which execution is requested, including .SYS, .OVL, .PRG and .MNU files. When the program is loaded, the virus is loaded as well. A virus can even bind itself to the OS shell.
      ◦ System or boot-record infectors -- These viruses infect executable code found in certain system areas on a disk. The viruses attach to the DOS boot sector on diskettes or the Master Boot Record (MBR) on hard disks. A typical scenario is to receive a diskette from an innocent source that contains a boot-sector virus.
      ◦ Macro viruses -- These viruses are among the most common and they tend to do the least damage. Macro viruses infect Microsoft Word documents and typically insert unwanted words or phrases.

  • Worms -- A worm is a self-replicating virus that does not alter files but resides in active memory and duplicates itself. Worms use parts of an OS that are automatic and usually invisible to the user. It is common for worms to be noticed only when their uncontrolled replication consumes system resources, slowing or halting other tasks. Worms most commonly exploit known software flaws or vulnerabilities.
  • Spam -- Spam is unsolicited email. From the sender's point of view, spam is a form of bulk mail, often sent to a list obtained from a spambot or from companies that specialize in creating email distribution lists. To the receiver, it usually seems like junk e-mail. It is roughly equivalent to unsolicited telephone marketing calls, except that the user pays for part of the message because everyone shares the cost of maintaining the Internet. Spam can also carry viruses that, upon viewing, infect a system.
  • Spyware -- Spyware is any technology that aids in gathering information about a person or organization without their knowledge. On the Internet, spyware is programming that is put in someone's computer to secretly gather information about the user and relay it to advertisers or other interested parties. Spyware can get in a computer as a software virus or as the result of installing a new program.
  • Adware -- Adware is any software application in which advertising banners are displayed while the program is running. The authors of these applications include additional code that delivers the ads, which can be viewed through pop-up windows or through a bar that appears on a computer screen. The justification for adware is that it helps recover programming development cost and helps to lower the cost for the user.

Exploits are growing not only in number but also in complexity. For example, the recent Sasser worm exploited a Microsoft Windows vulnerability, and it required no user interaction to do damage. In other words, the user did not have to click an email attachment or run a virus-infected program. Granted, there are many factors outside of the control of companies that contribute to the spreading of worms and viruses (for example, home users), but if companies had had an effective patch management solution in place, Sasser would not have been as successful in replicating itself across their networks because the patch to plug the exploit Sasser utilized was available several weeks prior to the worm's release. In the same respect, it is alarming how the patch-to-exploit time is decreasing. In other words, when a patch is made available by a vendor, virus writers are developing and releasing their terrorist code sooner than ever.

Even with the patch-to-exploit time decreasing substantially, many virus and worm writers still attempt to develop viruses based on old exploits. These viruses and worms are targeting those uninformed or uneducated end users. Even in this day and age, where computers are everywhere and in use every minute of the day, there are still those computer users that have failed to receive the message that computer security responsibility resides with them first.
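The two paragraphs above turn on one measurable quantity: the gap between a vendor publishing a patch and an exploit appearing, set against how long each machine stayed unpatched. The following Python is an added example, not code from the book or from Rod Trent, that computes both from a constructed inventory: the advisory names, dates and hostnames are placeholders, and the `exploit_seen` field is assumed to hold the date the exploit was first observed in the wild. It flags every host that was still unpatched on that date, which is exactly the population a worm like the one described would have found.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Advisory:
    name: str                       # vendor bulletin id (placeholder value)
    patch_released: date            # date the fix became available
    exploit_seen: Optional[date]    # first in-the-wild exploitation, or None


@dataclass(frozen=True)
class Host:
    hostname: str
    advisory: str                   # which advisory this record tracks
    patched_on: Optional[date]      # None means still unpatched


# Constructed sample data (hypothetical advisories and hosts, not real events).
ADVISORIES: List[Advisory] = [
    Advisory("VENDOR-BULLETIN-A", date(2004, 4, 13), date(2004, 4, 30)),
    # Exploited a week before the fix shipped: a zero-day, negative window.
    Advisory("VENDOR-BULLETIN-B", date(2004, 6, 1), date(2004, 5, 25)),
]
HOSTS: List[Host] = [
    Host("web01", "VENDOR-BULLETIN-A", date(2004, 4, 20)),
    Host("fs02", "VENDOR-BULLETIN-A", date(2004, 5, 5)),
    Host("lab03", "VENDOR-BULLETIN-A", None),
    Host("db04", "VENDOR-BULLETIN-B", date(2004, 6, 3)),
]
TODAY = date(2004, 5, 10)   # constructed "report date" for unpatched hosts


def patch_to_exploit_days(adv: Advisory) -> Optional[int]:
    """Days from patch availability to first exploit.

    None if no exploit has been seen; negative if the exploit predates
    the patch (a zero-day), which no patch schedule could have prevented.
    """
    if adv.exploit_seen is None:
        return None
    return (adv.exploit_seen - adv.patch_released).days


def exposure_days(host: Host, adv: Advisory, today: date) -> int:
    """Days the host ran without the patch after the patch was available."""
    end = host.patched_on if host.patched_on is not None else today
    return max(0, (end - adv.patch_released).days)


def exposed_at_exploit(host: Host, adv: Advisory) -> bool:
    """True if the host was still unpatched when exploitation began."""
    if adv.exploit_seen is None:
        return False
    return host.patched_on is None or host.patched_on > adv.exploit_seen


def exposure_report(advisories: List[Advisory], hosts: List[Host],
                    today: date) -> List[Dict[str, object]]:
    """One row per host: how long it was exposed and whether the window
    between patch and exploit was missed."""
    by_name = {a.name: a for a in advisories}
    rows = []
    for h in hosts:
        adv = by_name[h.advisory]
        rows.append({
            "host": h.hostname,
            "advisory": adv.name,
            "patch_to_exploit_days": patch_to_exploit_days(adv),
            "exposure_days": exposure_days(h, adv, today),
            "exposed_at_exploit": exposed_at_exploit(h, adv),
        })
    return rows


def hosts_missed_window(rows: List[Dict[str, object]]) -> List[str]:
    """Hostnames that were unpatched when the exploit appeared."""
    return [str(r["host"]) for r in rows if r["exposed_at_exploit"]]


if __name__ == "__main__":
    for row in exposure_report(ADVISORIES, HOSTS, TODAY):
        print(row)
    print("missed the window:", hosts_missed_window(exposure_report(ADVISORIES, HOSTS, TODAY)))
```

Run against the constructed data, `web01` patched inside the 17-day window and is safe; `fs02` and `lab03` were still unpatched when the exploit appeared, and `lab03` keeps accumulating exposure until someone patches it. `db04` shows the case patch management cannot solve on its own: the exploit predates the fix, so the only mitigations are the compensating controls (filtering, segmentation, host hardening) that reduce the blast radius until the patch exists.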

To get a better understanding of the overall landscape of computer security, it is helpful to know how times have changed. The Computer Emergency Response Team (CERT) maintains statistics about past reported incidents and vulnerabilities. Table 1.1 illustrates that the number of reported incidents and vulnerabilities has steadily increased.

Year    Reported incidents    Reported vulnerabilities
2000    21,756                1,090
2001    52,658                2,437
2002    82,094                4,129
2003    137,529               3,784

Table 1.1: Reported incidents and vulnerabilities by year. (Source:

For more information about CERT, see the resource box at the end of this chapter.
