Sasser worm highlights IT's patching dilemma

Concerns about software patching came to the fore as IT departments battled to protect corporate systems from Sasser last week

The emergence of the Sasser worm over the May bank holiday highlighted the dilemma of how quickly IT departments should apply security patches to systems.

The worm exploited a vulnerability in Windows that was brought to public attention in the 14-patch monthly update that Microsoft issued on 13 April (MS04-11).

The worm and problems with Microsoft's patch combined to cause problems in IT departments across the UK. The Coastguard Service was one of many UK organisations affected. British Airways' check-in desks at Heathrow Terminal 4 were also hit, causing delays to 21 flights.

Organisations hit elsewhere in the world included American Express, Commonwealth Bank, the European Commission and government departments in the US, Germany and Hong Kong.

Sasser causes the Windows Local Security Authority Subsystem Service (LSass) to fail, resulting in the infected PC rebooting automatically. LSass is a core Windows function that is used to log users on to the PC.

Anti-virus company Trend Micro said anyone connected to the internet could be at risk from Sasser and its variants. A single infected PC could infect an entire corporate network within 10 minutes.

Graham Cluley, senior technology consultant at Sophos, said IT departments that thought they had secured their systems found that laptop users working at home over the weekend were a source of infection. "Remote users should have at least a personal firewall and should update anti-virus software remotely," he said.

IT departments that applied the patch also faced potential compatibility problems with existing Windows configurations.

Microsoft issued a warning on its Technet developer's site (Knowledgebase article 835732), which outlined problems with the patch and provided workarounds. The initial patch could cause Windows 2000 machines to lock up. Microsoft also provided a workaround for a separate problem affecting Oracle databases running on Windows.

As the threat of Sasser emerged on Friday 30 April, Microsoft contacted "key communities" to warn users. One of those it alerted was London Connects, which helps co-ordinate internet security for the public sector in London.

Kate Mountain, chief executive of local authority IT directors' group Socitm, said, "We were warned by Microsoft on the Friday before the bank holiday, when the worm started to spread."

The British Retail Consortium said Microsoft had also contacted major logistics organisations.