Bugtraq mailing list archives

Timely Patching (was: Full analysis of the .ida "Code Red" worm.)


From: Crispin Cowan <crispin () wirex com>
Date: Fri, 20 Jul 2001 15:21:56 -0700

JNJ wrote:

I have to disagree.  Microsoft released a patch for this issue on 6/18/2001.
Here we are, a tad over a month later, and the issue is being exploited en
masse.  This calls into question the attention of systems administrators to
their networks.  The days of selective application of security patches are
long since over.  IMHO, systems affected by this recent outbreak are being
administered by techs that need to pay closer attention to their
installations and keeping them up to date.

The issue of timely patch application is rather complex.  Bill Arbaugh (bcc'd)
had an excellent paper at the 2001 IEEE Symposium on Security and Privacy
(Oakland, http://www.ieee-security.org/TC/sp2001.html ) that showed how the
vast majority of exploitations resulted from known vulnerabilities that had not
been patched.  The paper http://www.cs.umd.edu/~waa/vulnerability.html shows
some interesting trend graphs that draw the ballistic curves of rising and
subsequent falling exploitation rates, and the events that trigger these rate
changes.

It is also not clear that all patches should be applied immediately.  Some
vulnerabilities are discovered when they are being actively exploited, forcing
vendors to rush patches into production, and resulting in less than optimal QA
on those patches.  Thus sometimes a patch will come out that breaks stuff,
teaching admins to let someone else go first.

Which leads to Immunix's research agenda of building tools that protect
vulnerable software against unknown vulnerabilities, so that patches don't need
to be urgent <insert product pitch here :>

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
