Information Security News mailing list archives

Security holes aren't being filled


From: InfoSec News <isn () c4i org>
Date: Wed, 20 Nov 2002 02:00:32 -0600 (CST)

http://zdnet.com.com/2100-1105-966398.html

By Robert Lemos
Special to ZDNet News
November 19, 2002

System administrators are still not patching systems frequently
enough, according to a recently published study of a software security
flaw that allowed the Linux Slapper worm to spread.

In fact, even after the Slapper worm highlighted the existence of a
vulnerability in the Web security software known as OpenSSL, three out
of 10 systems that had the flaw continue to be vulnerable even today,
said Eric Rescorla, an independent security consultant.

"Administrators aren't as responsive as they should be," he said.  
"Even after a relatively serious hole is found, administrators don't
do the right things."

Over the past three years, software makers have been forced by their
customers to be more responsive to security vulnerabilities in their
products. The U.S. government has gotten into the act as well, with
Richard Clarke, presidential adviser on cybersecurity, making repeated
calls for companies to shore up holes in the servers for which they
are responsible.

However, system administrators--many of them overworked--haven't taken
the message to heart, according to Rescorla's research. The research
studied the response to the release of information in July relating to
a flaw in OpenSSL, a commonly used open-source program to secure data
going between Web servers and browsers using channels encrypted with
the secure sockets layer (SSL).

Tipped off to the coming announcement of the OpenSSL flaw, Rescorla
quickly selected, using a Google search, a pool of about 900 servers
that ran OpenSSL. He tested the servers every six hours to see if they
had been patched. Because he could test their status without affecting
their operation, Rescorla saw the opportunity as ideal.

"I had a couple people complain (about my scanning), but remarkably
few," he said. "The two people that sent me mail asked me not to
continue."

About 40 percent of administrators patched their systems in the seven
weeks between the public announcement of a flaw and the release of the
Slapper worm. Another 30 percent apparently patched the software after
the Slapper worm started infecting SSL servers in September.

"It's not just that some people are lazy, but also that many people
appear to wait until they feel vulnerable (i.e., an exploit is
released) before they apply fixes," he said. "This seems to be a
distinct population from those who are just lazy and don't do anything
at all."

The system administrators who manage the remaining third of the servers
scanned by Rescorla fall into that last category, he said.

The low rate at which system administrators patch their servers has
been a problem for a long time. Software makers, such as Microsoft and
Symantec, and most Linux companies have created services to help
system administrators keep up with patches.

Those who did patch tended to be working at hosting service providers,
said Rescorla. "The big hosting companies are good about patching,
which isn't surprising because they maintain a security staff," he
said.

The security consultant also found that people who tended to keep
their systems up-to-date--that is, running the latest version of
software--tended to patch more frequently.

"There is some evidence that the class of people that upgrade in the
first round (before a worm is released) differ from those that upgrade
in the second phase," he said.

Several reasons could explain the late-patching behavior, he added.  
System administrators may be wary of patches that could break their
systems, so they wait until a threat appears that requires the patch
be installed. Also, administrators may just feel that it's not
necessary to patch until a real threat, such as a worm or a mass hack,
seems imminent.

"That's a pretty dangerous strategy, because the 'black hat' community
tends to have the exploit way before the administrator knows about
it," he said. He pointed to the fact that the OpenSSL flaw was
discovered after a network administrator found someone attacking their
machine with the exploit.

Finally, he said, some administrators don't patch because they're just
too lazy.



-
ISN is currently hosted by Attrition.org
