Tuesday, August 16, 2005

Patch Tuesday

Just one week after Microsoft’s August monthly release of critical update patches for Windows, commonly known as Patch Tuesday, CNN’s network was hit hard by some variant of a worm that exploited one of these patched vulnerabilities. Lou Dobbs’s show and some others were affected. Sadly, the cause is quite clear to me, as it is to any good network administrator: CNN has not been updating its Windows network. There is literally no good excuse for this failure. Let me explain why.

Microsoft has been under attack by hundreds if not thousands of computer programmers for the past five years or more. The reasons vary but usually include the fact that 95 percent of all PCs in the world run Windows and/or the overly complex and often poorly designed features included in Microsoft operating systems. There are simply more ways to exploit Windows, and more people doing it, than with any other system ever built. If I were a hacker, I’d hack Windows before I bothered with anything else because it is easier and more effective to attack Windows. Who cares if somebody writes a virus for the TRS-80?

Knowing that your systems are the most popular and most vulnerable means you have to take the bad with the good. If you are going to use Windows because it is easy, cheap, portable, or whatever, then you must also be prepared to do what it takes to defend your system or network. Microsoft has made this pretty painless. Individuals since 1998 have been able to turn on automatic updates and get these critical patches with little or no effort on their part. Not doing so is as dumb as leaving a loaded gun lying around unsecured. It is an invitation to disaster. Apple and Linux users are laughing now but will eventually face similar issues once they gain enough market share to be significant.

Networks have special considerations. They also have professional administrators whose job includes providing the security that individuals can provide for themselves on unmanaged systems. Microsoft has gone out of its way to make this task as easy as possible for this group as well. Years ago, IT departments had to apply patches manually at each desktop or pay huge sums for Systems Management Server (SMS) to deploy these patches automatically. In the past few years Microsoft has released several versions of free administrative tools that contain most of this functionality. Software Update Services (SUS) was such a success that it was updated and became Windows Update Services (WUS). Administrators can use WUS to download, selectively test, and install software patches on any machine running a recent client or server version of Windows.

There is NO reason not to do this promptly each month. Because the process of documenting and fixing vulnerabilities makes the weakness known, it is vital to apply these patches promptly BEFORE new viruses and worms are written to exploit them. If a patch cannot be applied because it affects some poorly written but vital software application, then administrators must fall back on the training and intelligence of network users until the vital software can be repaired or replaced.

Sharp network administrators make it a top priority to download and test all new critical updates immediately when they become available on the second Tuesday of each month. Many other software vendors, including Oracle and Red Hat, time their regular patch releases to coincide with Microsoft’s. As soon as these patches prove compatible with vital software on representative sample machines on the network, the updates are flagged for widespread distribution via WUS. No network machine should be without a critical patch a week after its release. CNN’s were, and the results were painfully obvious.
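One way to check the one-week rule described above against a patch inventory, with patches withheld for a vital application tracked rather than hidden. This is an added example, not from the original post; the host names, patch ids and the `patch_tuesday` and `audit` helpers are hypothetical, and the sample data is constructed.

```python
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=7)  # the post's rule: patched within a week of release


def patch_tuesday(year, month):
    """Second Tuesday of the month, the regular release day."""
    first = date(year, month, 1)
    to_first_tuesday = (1 - first.weekday()) % 7  # weekday(): Monday=0, Tuesday=1
    return first + timedelta(days=to_first_tuesday + 7)


def audit(inventory, critical, held, today):
    """Classify every missing critical patch per host.

    inventory: {host: set of installed patch ids}
    critical:  {patch id: release date}
    held:      {host: set of patch ids withheld because they break a vital app}
    Returns {host: {patch id: "pending" | "overdue" | "held"}}; hosts with
    nothing missing are omitted.
    """
    report = {}
    for host, installed in inventory.items():
        for pid, released in critical.items():
            if pid in installed:
                continue
            if pid in held.get(host, set()):
                status = "held"      # still exposed: track it, do not hide it
            elif today > released + PATCH_WINDOW:
                status = "overdue"   # more than a week since release
            else:
                status = "pending"   # inside the test-and-deploy window
            report.setdefault(host, {})[pid] = status
    return report


# Constructed sample data: host names and patch ids are placeholders.
RELEASE = patch_tuesday(2005, 8)
CRITICAL = {"PATCH-A": RELEASE, "PATCH-B": RELEASE}
INVENTORY = {
    "desk-01": {"PATCH-A", "PATCH-B"},
    "desk-02": {"PATCH-A"},
    "srv-01": set(),
}
HELD = {"srv-01": {"PATCH-B"}}

if __name__ == "__main__":
    for day in (RELEASE + timedelta(days=3), RELEASE + timedelta(days=8)):
        print(day, audit(INVENTORY, CRITICAL, HELD, day))
```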

Typically, the government is slow at most everything, so it was no surprise to hear that some machines in offices on the out-of-session Capitol Hill were affected. A few companies (Caterpillar?) were also caught with their patches down. Shame on their administrators, or maybe shame on them for being on vacation without a trained replacement. Management is generally to blame and must accept responsibility for excessive IT cutbacks, incompetent directors, and poorly trained, poorly paid, overworked staff. Otherwise, administrators had the wrong priorities. Nearly 50 percent of business networks still run Windows 2000 because it still works fine. But you have to apply available patches to any operating system.

