From: Aron Roberts (aron_at_socrates.berkeley.edu)
Date: Mon Aug 04 2003 - 12:17:32 PDT
In the message "[Micronet] To block or not to block", dated
2003-08-01, Craig Lant wrote:
>Second, how many vulnerable machines are still out there? Everyone
>I've spoken to has got the message and has been working feverishly
>(thank you) to get their systems patched so they wouldn't be left
>out naked over the weekend.
I think it's important that Craig (and SNS folks, generally) truly
'get' the message that there are as yet many unmanaged or
under-managed workstations on campus on which patches are not
routinely applied, even for repeated vulnerabilities identified by OS
vendors as "critical."
Several cogent contributions to this discussion have forcefully
and, I think, convincingly made the point that relying solely on
patching alone to respond to imminent or current threats is
unrealistic. (This doesn't automatically argue for blocking of
traffic by port at the campus border; deployment of VPN mechanisms to
facilitate same; initiation of unit-level or host-based firewalls,
rapid expansion of the number of systems falling within managed AD
domains; or any other particular alternative approach, just that
relying on "organic" patching of unmanaged or under-managed hosts
alone will not reduce the campus's vulnerability to zero and perhaps
not even to near-zero.) Several recent experiences with various
Internet-borne worms have also borne this out quite well.
Two cases in point:
- As of 3:38 pm last Friday, August 1, Eric Chamberlain identified
10 PCs within IS&T itself, on the second floor of Evans Hall,
in the very heart of the computer center's staff office, that had
not been patched. (The status of four other PCs could not be
determined.)
As of 11:37 am today, Monday, August 4, according to a colleague's
message, at least two of these machines within our own unit of IS&T,
WSS, had apparently not yet been patched.
- When the 'Slammer' worm hit Microsoft itself, many of the
company's own systems had not yet been patched and were infected:
Robert Lemos
"Microsoft fails Slammer's security test"
CNET News.com, January 27, 2003, 4:27 PM PT
http://news.com.com/2100-1001-982305.html
>Microsoft's policy of relying on software patches to fix major
>security flaws was questioned Monday after a series of internal
>e-mails revealed that the software giant's own network wasn't immune
>from a worm that struck the Internet last weekend.
>
>The messages seen by CNET News.com portray a company struggling with
>a massive infection by the SQL Slammer worm ...
>
>The messages put Microsoft in an awkward position: The company
>relies on customers to patch security flaws but the events of last
>weekend show that even it is vulnerable. In this case, Microsoft
>urged customers to fix a vulnerability in the SQL Server 2000
>software, but it apparently hadn't taken its own advice. Moreover,
>despite its 1-year-old security push, the software giant still had
>critical servers vulnerable to Internet attacks.
>
>"This shows that the notion of patching doesn't work," said Bruce
>Schneier, chief technology officer for network protection firm
>Counterpane Internet Security. "Publicly, they are saying it's not
>our fault, because you should have patched. But Microsoft's own
>actions show that you can't reasonably expect people to be able to
>keep up with patches."
The following are some of the problems with relying solely on
patches, certain of which have also been touched on, at least to some
degree, during the current discussion.
- In some cases, patches can be difficult to find on a vendor's
Web site.
- In some cases, even automated mechanisms within an OS that
recommend appropriate patches might fail to do so because the
current OS is slightly out of date, or because of other subtle
issues.
- In some cases, vendor errors or system problems prevent patches
from being successfully installed.
- In some cases, vendor errors or system problems can lead to
crashes, system instability, or even data loss following patching.
("The cure can sometimes be worse than the disease.") In at
least a few instances, OS vendors have released second versions
of patches to fix errors in the initial versions.
- With certain vendors, notably Microsoft, there has recently been
an ongoing succession of security-related patches, which can lead
to "patch fatigue" among even support providers, let alone end
users, particularly if some of these patches must be downloaded
and installed manually.
Aron Roberts
Workstation Software Support Group