Cyber Threats and the Flawed Software Update Process

I don’t know how many of you regularly scan your firewall logs, but if you do, you know that the box protecting your network is subject to a nearly constant assault, from several times per day to more than once per second, depending on the type of attack. On a typical day, you might see hundreds or thousands of connect attempts to local ports with known vulnerabilities, illegal port scans, Denial of Service (DoS) attempts, and other nefarious efforts to compromise your network. Firewall probes are distinct from the ever-increasing nastiness we suffer as a result of adware and spyware, plus an incredible array of email-based worms and spam. Add to this mix unsolicited invitations to visit Web sites that redirect your browser to a malicious Web site that, without your knowledge, downloads code that either compromises your system or phishes for information that can be used to assume your identity. Yet another scary source of potential compromise comes from unsecured wireless networks.

I routinely scan and disinfect Windows systems on a weekly, and sometimes daily, basis. I've seen some worms create as many as 600 Internet connections in just a few minutes. Aside from the implications of using up critical bandwidth and the loss of productivity, it can take hours to locate, disinfect, and verify that the latest nasty code is gone. If I extrapolate my own experience to larger organizations, it’s a good bet that the cost of policing Windows platforms is rising almost exponentially in response to this constant onslaught.

The bleakest part of this picture is that Windows appears more vulnerable than any other platform. To this point, let’s review the results of a vulnerability study (http://www.avantgarde.com/xxxxttln.pdf) performed by "USA Today" and technology consulting firm Avantgarde in September 2004. In an attempt to simulate the home-based user experience, the study connected six computers to the Internet and logged 305,955 attempts to compromise the six systems during a 14-day period. The study tested four Windows platforms: Microsoft Small Business Server (SBS) 2003, a default installation of Windows XP Service Pack 1 (SP1), XP SP1 running firewall software, and XP SP2, plus a Linux system and Mac OS 10.3.5. Neither the Linux nor the Mac systems were compromised in any way, the SBS 2003 system was compromised once, and the default XP SP1 system (the target of 45 percent of the attacks) was successfully exploited nine times. Although not terribly sophisticated, this study makes me question how and why Linux and Mac platforms so out-perform Windows in the vulnerability arena. Is it because attackers love to trash Windows, because Windows is more vulnerable, or is it a fundamental software quality problem that is hopelessly out of reach when you’re maintaining tens of millions of lines of code?

Here is a collection of useful security factoids that drive home the security concerns we face every day. These facts were taken from several polls and surveys performed by different security-based institutions and organizations during the last 6 months.

- According to CERT, more than 95 percent of known security breaches are a result of known vulnerabilities.
- An unpatched Windows XP SP1 system connected to the Internet can be compromised in under 4 minutes.
- It took malicious users only 36 hours to write and distribute a worm that exploited a hole in a popular firewall product. The worm successfully infected 100 percent of the 12,000 target machines in less than an hour.
- In a study performed by an email hosting company, the company identified 2.8 million phishing emails in a 1-month period, an increase of more than 7000 percent from the previous year. In the same study, they determined that 1 in 16 emails is infected with a virus and 73 percent of the millions of emails they processed in 1 month qualified as spam.
- A 2002 survey discovered that security folks spend an average of 2 hours per day hunting for security information; a more recent 2004 survey determined that security personnel spend more than 500 hours per year dealing with security threats and exploits. If we use a 40-hour work week as an example, a security employee dedicates 12.5 weeks or 3.5 months to mitigating and cleaning up after security breaches.
- A recent study of a worst-case worm threat determined that it would take only a few minutes for a well-written worm to infect every vulnerable system on the Internet, a few hours to penetrate a corporate firewall, and a few seconds to infect every vulnerable system behind the firewall.
- A recent survey of security practices in medium to large companies showed that the number of employees responsible for system and information security doubled during the past year. In a December 2004 survey of Corporate Security Officers, 80 percent agreed that cyber attacks negatively affect the bottom line and a staggering 84 percent stated that their security programs were underfunded.

Because 95 percent of successful cyber attacks are the result of unpatched OSs, utilities, and application software, it seems obvious that if we update software weekly, and more often when imminent threats appear, we should have more secure systems. However, there is a fundamental flaw in how the industry has implemented the online update process, namely that a user must be logged on as a local administrator to run automatic update tools like Windows Update and online virus scanner updates. If you don’t have a large budget to implement a corporate push-technology for desktop and server updates, to properly maintain systems you must let users log on with local Administrator privileges.

The perils and pitfalls of administrative end users, whether at home or in a corporate setting, are well known and don't merit repeating here. Working around this absurd requirement is a real headache that entails writing, scheduling, and maintaining scripts that run with administrator privileges or writing scripts or a custom Group Policy Object (GPO) that tweak ACLs on registry entries so an end-user account can modify (mostly undocumented) registry entries accessed by various online update utilities.
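The first of those workarounds, a privileged scheduled task that runs the updaters so the interactive user can stay a standard user, looks roughly like this on an XP/2003-era host. This is an illustration added here, not a script from the article; the task name, the script location, the log path and the third-party updater path are placeholders.

```batch
@echo off
REM weekly-update.cmd -- constructed example, not from the article.
REM Register it once from an administrative prompt so it runs as the local
REM SYSTEM account rather than as the logged-on user (placeholder names):
REM   schtasks /create /tn "Weekly Update" /tr C:\scripts\weekly-update.cmd /sc weekly /d SUN /st 03:00 /ru SYSTEM
REM Caveat: anything SYSTEM runs must only be writable by Administrators.
REM Keep C:\scripts and this file locked down, or a standard user who can edit
REM the script inherits SYSTEM privileges the next time the task fires.

set LOG=C:\UpdateLogs\weekly-update.log
if not exist C:\UpdateLogs mkdir C:\UpdateLogs
echo %DATE% %TIME% update run started >> "%LOG%"

REM Ask Automatic Updates to check for new patches now. wuauclt ships with
REM XP/2003; whether download and install follow depends on the Automatic
REM Updates policy configured on the machine.
wuauclt /detectnow
echo %DATE% %TIME% wuauclt exit code %ERRORLEVEL% >> "%LOG%"

REM Placeholder for a vendor updater (for example antivirus signatures) that
REM needs to write under HKLM or Program Files and so fails as a standard user:
REM "C:\Program Files\VENDOR\update.exe" /silent
REM echo %DATE% %TIME% vendor updater exit code %ERRORLEVEL% >> "%LOG%"

echo %DATE% %TIME% update run finished >> "%LOG%"
```

Reviewing the log (or the task's last-run result in schtasks /query) is what turns this from a fire-and-forget script into something you can actually verify.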

Because we’re slaves to updates in the current "cyber-insurgency" universe, I recommend that Microsoft and other vendors collaborate on a standard solution for the update process, one that starts with a new update permission and requisite registry entries for each OS, utility, and application that supports automatic updates. This would let designated end users run automatic update tools without requiring full administrator access. Such a solution would be a significant step forward in managing desktop security risks at home, in small businesses, and in the corporate world, and a huge timesaver for the seriously over-committed network police.

Discuss this Article

Anonymous User (not verified), Jan 4, 2005
Very nice article. I also agree that patch management should never be performed by the user and that users should never have administrative rights. In our organization we are currently using Update Expert by St. Bernard Software. We test all patches within the IT department and then deploy them out to the rest of the network. Update Expert allows us to schedule the patches to install after hours, and those users who do work during that time are told to be off their computers during the patch process. The next morning we review the patch results and contact the users who did not get patched the night before and take their systems down to be patched.

jefblack, Dec 29, 2004
Windows XP in a Server 2003 environment can be configured through group policy to restrict what code it will run.

KIRK (not verified), Dec 28, 2004
SUS worked for me. Single-handedly patched 350+ servers and several thousand workstations for the past year and a half with 0 virus infections.

PASSERWIP (not verified), Jan 3, 2005
SUS doesn't protect against viruses. You need an enterprise antivirus management solution from companies such as Symantec or Network Associates (McAfee). A way that you can get management to buy into patch management software such as SMS 2003 is to show them how much it costs *not* to invest in patch management software. Take a history of the number of hours spent per week/month/year on manual patch management, and do a project cost based on that figure. I also did not see the figure on XP SP2 intrusions.

dvelez, Dec 28, 2004
Nice article. One suggestion is using SUS. It's free and works very well. It's not perfect, but gets the job done.

Bim, Dec 28, 2004
I didn't catch how often the XP SP2 system was compromised. Great statistics on attacks and speed of compromise of systems... makes me wonder why Windows systems I manage have never been compromised? Lots of reasons of course, but gloom & doom is not required. Good recommendation to MS regarding patch application permissions. While local admin permissions are a known no-no, in today's environs they represent a reasonable compromise versus unpatched systems.

Anonymous User (not verified), Dec 29, 2004
What you are saying is right, but I have seen Windows 2000 crash multiple times after I have set up a PC for a user with all its applications, because I did Windows Update. The problem is that some patches and hotfixes, if they are done together, I personally had blue screens. Microsoft should consider that...

Anonymous User (not verified), Jan 28, 2005
Nice article and follow-on comments. No matter what tools one uses to keep devices patched, updated and secure... if you don't have a policy in writing, enforceable and supported by management, your success will be limited at best...

Anonymous User (not verified), Dec 28, 2004
SUS is fine if your users will install the updates when prompted instead of canceling the installation. In my environment I've seen patches delayed for weeks because a user canceled the installation and then shut down their computer while they went on vacation for a week or two, then came back and canceled the install a couple more times before SUS forced the install. I'm going to bite the bullet and recommend to my company to invest some $$ in a package that will push the Windows updates as well as being able to deploy the non-Microsoft updates.

Anonymous User (not verified), Jan 28, 2005
Pigs will fly on the day that a single automated tool will provide a decent-sized organization with all the features and functions it needs to stay up to date... SUS, SMS, Tivoli, Symantec, MSUpdate, CSA, EPolicy all have some valuable functions, but for a large organization to rely on a single tool to do everything, and do everything well, is quite frankly a pipe dream... IMHO

Anonymous User (not verified), Dec 28, 2004
I'm going to forward your article to my management, as it is a pretty accurate synopsis of the current computing landscape. However, I believe from an enterprise perspective, providing tools for end users to manage updates is going about it from the wrong direction. The responsibility for maintaining most corporate desktops lies with the IT staff, not end users. Relying on end users to keep systems updated is asking for problems because they won't do it diligently or often enough. My wish is for Microsoft to provide a corporate version of their desktop operating system utilizing AD and GP, but incorporating functionality like Cisco's CSA to prevent code from being run that wasn't explicitly allowed by the IT staff. The current situation is too open to start with and requires much modification and administration. It requires a change of approach from "Allow all, restrict whatever hole is found next" to "Restrict all, allow only what has been approved". Home users could still purchase Swiss-cheese versions as the responsibility for maintaining their machines is (still) their own.
