Friday, March 16, 2007

Cup of Hot Cocoa: Patch Warfare

Back in the day...

In the PC world, patches were a rare thing. You purchased a program, and when the next version came out you either upgraded or didn't, end of story.

As programs became more complex and we actually began to use more of the growing set of features, we found bugs, and software companies began to supply patches. If I recall correctly (IIRC), most patches were actually a whole new install that you didn't have to pay for... well, maybe a small fee for the media (5 1/4 inch floppies) and shipping.

Most people and companies didn't bother installing patches unless they experienced an error that required the patch to be resolved.

Time and the world moved on, and before we knew it people actually started to break into computers. That brought a whole new breed of patches: security patches.

As the "dark side" evolved their techniques, patch management went from an anomaly, to a necessity, to the current arms race:

  • Vulnerabilities (http://www.answers.com/main/ntquery?s=vulnerability&gwp=13) are announced.
  • Exploits (http://www.answers.com/topic/zero-day-exploit) are found in the wild, or sold on "underground" auctions.

Patch warfare has become a reality. Companies must balance the risk of breaking business applications against the risk of leaving systems vulnerable, and leaving systems unpatched is simply not an option anymore. Windows Survival Time (http://www.dshield.org/survivaltime.html) tracks the length of time unpatched systems avoid infection by malware, and for Windows the "sweet spot" tends to be 40-60 minutes once connected.

Then there is a paper, Windows XP: Surviving the First Day (http://www.sans.org/reading_room/whitepapers/windows/1298.php), that has advice on how to patch a new system prior to connecting it to the world, and no, it is doubtful the system will survive long enough to finish the Windows on-line patch process before it is infected. I personally have had luck with this DIY Service Pack: Installing Windows updates without an internet connection (http://www.heise-security.co.uk/articles/80682/0) for updating new systems and ones that are missing patches.
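The offline-patching step described above, as an added PowerShell example that is not from this post or from the cited articles: it assumes the updates were downloaded on another machine as .msu packages into a folder (C:\Updates is a placeholder) and that the target is Vista or later, since wusa.exe and .msu packages do not exist on XP. It installs the packages in name order while the new system is still disconnected, then lists the installed hotfixes so you can compare them with the KB numbers you downloaded before plugging in the cable.

```powershell
# Added example (not from the original post or the DIY Service Pack article).
# Assumes: downloaded updates are .msu files in $UpdateDir (placeholder path),
# and this runs from an elevated PowerShell prompt on a still-offline PC.
param(
    [string]$UpdateDir = 'C:\Updates'
)

$rebootNeeded = $false
$results = @()

foreach ($pkg in (Get-ChildItem -Path $UpdateDir -Filter '*.msu' | Sort-Object Name)) {
    # /quiet suppresses the installer UI; /norestart defers the reboot
    # until every package has been attempted.
    $proc = Start-Process -FilePath 'wusa.exe' `
        -ArgumentList "`"$($pkg.FullName)`" /quiet /norestart" `
        -Wait -PassThru

    switch ($proc.ExitCode) {
        0       { $status = 'installed' }
        3010    { $status = 'installed, reboot required'; $rebootNeeded = $true }
        default { $status = "skipped or failed (exit code $($proc.ExitCode))" }
    }
    $results += [pscustomobject]@{ Package = $pkg.Name; Status = $status }
}

$results | Format-Table -AutoSize

# Cross-check what the system reports as installed against the KB list
# you downloaded, while the machine is still off the network.
Get-HotFix | Sort-Object InstalledOn | Select-Object HotFixID, Description, InstalledOn

if ($rebootNeeded) {
    Write-Host 'At least one update requires a reboot; restart before connecting to the network.'
}
```

Any package reported as "skipped or failed" should be checked against the wusa exit code before the machine goes online; a non-applicable package is harmless, a failed one leaves a hole.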

3 comments:

Edward Maurer said...

I remember floppy after floppy installing Microsoft Office or Visual Studio. It was a nightmare.

Unknown said...

So I don't get it. If I'm behind a NAT-capable firewall w/o any ports open and ICMP disabled, why can't I sit here all fat, dumb and happy with a fresh install of Windows XP2, connect to MS Windows Update for the million or so critical patches I need from a fresh start, download and install them, and then go on with my life?

Never attach directly to the internet, with or without sec patches applied. This means don't plug into your cable modem directly -- put a hardware firewall / router in between -- always --

I remember sending out partial program diff patches to survey takers to make their survey-taking programs work, or to change / amend their questions to ask. Sending out a whole new program wasn't an option considered because, back in the day, normal people like them were dialing up for all connections back to the mother ship... the patch maker.

BTW, where are the marshmallows???

Leonard said...

Ed,

It is true that with a hardware firewall that provides initial protection you have a fighting chance.

At least you do if there isn't an infected system already behind the firewall with you...