Educause Security Discussion mailing list archives

Re: FW: MS Critical Updates and client management


From: Bill Frazier <frazier () IASTATE EDU>
Date: Fri, 16 Jul 2004 11:48:23 CDT

I believe that there is an element of perspective that needs
to be considered and which, unfortunately, complicates
matters.

Exploits, once in the wild, are frequently rapidly and heavily
used.  I believe that closing holes as quickly as possible
reduces user (and institution) grief.

However, discussion of updates labeled critical which were
issued based on a date on a calendar, in no particular
relation to the publication of the vulnerability, is an
oxymoron.



__________________________________________________________________
On Fri, 16 Jul 2004 12:02:33 EDT, Chad McDonald wrote:

My thoughts are that if the potential for exploitation of a particular
vulnerability is severe enough, then the 1-2 day lag that you discuss in
item #2 is about 2 days too long.  I am a big proponent of testing, but
barring your enterprise servers, I think that the risk of someone taking
advantage of a freshly advertised hole far outweighs the likelihood of a
patch or update breaking a desktop application or causing data loss.  I
tend to agree with you on item #1, understanding that this does not
represent critical updates.



Thanks,

Chad McDonald, CISSP

Director of Campus Computer Support Services

Georgia College & State University

Phone   478.445.4473

Fax       478.445.1202

Email    chad.mcdonald () gcsu edu

Home Page       http://chadmcdonald.net <http://chadmcdonald.net/>



  _____

From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of O'Callaghan, Daniel
Sent: Friday, July 16, 2004 9:11 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] MS Critical Updates and client management



I've searched the archives and effective practices, but haven't found
anything specific to this issue.

I'm looking for input on effective practices for MS Critical Update
deployment, specifically the timelines from MS release to client
deployment.

The majority of clients that authenticate to our domain are configured
using standard "images" based on the systems' intended use.  We recently
began using SUS to update clients, and it appears effective, but there is
disagreement over when the updates should be pushed.

Simplified, there are two schools of thought:

1. All client updates/patches should be installed and vetted on all
standard client image configurations in our test lab for 5-6 days prior
to deployment as the risk and potential impact of a patch breaking
something is greater than the risk of an exploit within this timeframe.

2. Critical updates should be installed and vetted on the most common
client image configurations in our test lab for 1-2 days prior to
deployment as the risk and potential impact of an exploit (as we approach
the zero day) is greater than the patch breaking something.



I realize this is an oversimplification of an industry-wide dilemma, but
am looking for the group's input as to the current risk balance for
effective practice.

Or have we become so polarized that we are missing something?
(Abandoning MS is not a viable option)





Daniel V. O'Callaghan, Jr., CISSP

Information Security Officer

Sinclair Community College

444 West Third Street, 14-002

Dayton, Ohio 45402-1460

937-512-2452

daniel.ocallaghan () sinclair edu



********** Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at
http://www.educause.edu/cg/.





__________________________________________________________________
Bill Frazier                                 frazier () iastate edu
Assistant Director/Software Support          voice: (515) 294-8620
Iowa State University                        fax:   (515) 294-1717
Academic Information Technologies, 291 Durham, Ames, Iowa 50011
