Microsoft's patches: Can you trust them?

ANALYSIS
To survive the next Slammer-like virus attack, updating applications and operating systems with every patch that Microsoft releases is the worst thing any business can do, according to advice from security experts and industry analysts. Companies are being advised to avoid installing individual patches released by the software giant and to deploy only service packs, and only once those have been through a rigorous internal testing procedure.

The move is a further indication that Microsoft's Trustworthy Computing initiative, which is supposed to improve the company's reputation as a reliable software developer, is not being taken seriously by the industry.

Pierre Noel, security strategist at security company TruSecure International, said that if customers followed Microsoft's patching instructions earlier this year, they were left vulnerable to the Slammer virus. However, if they had installed only the service packs and ignored the various individual patches and hot fixes, they would have been safe.

"Microsoft released a number of patches for its SQL Server over a period of 12 months. The first few had protection against the vulnerability, but the last patch -- which was one month before Slammer was released -- was intended to fix another problem, but it reopened the SQL Server vulnerability," said Noel.

James Governor, principal analyst at RedMonk, agreed: "That is true. Unfortunate but true."

Stuart Okin, chief security officer at Microsoft UK, denies that companies are leaving themselves vulnerable by following Microsoft security policy. He said: "We brought out a patch six months before; however, we also brought out a couple of hot fixes that the patch required a little bit later on."

Governor warns that users should be careful about the different types of updates and fixes released by Microsoft. "There was a screw-up, but it should be understood there is a difference between patches, security patches, and quick fix enhancements (QFE)." He notes that a QFE is designed to solve a specific customer problem and is not designed for everyone. "We would not advise organisations to deploy every QFE."

But Noel goes one step further and advises his customers to avoid individual patches altogether and instead rely on service packs combined with a commonsense approach to IT security, which he believes is not only cheaper and less time-consuming but more effective. "When asked about security, companies usually say: 'It's ok, we will be safe because we'll install all the patches.' But it is an extremely expensive operation, and before you install a patch you have to make sure it is compatible with your existing applications," said Noel.

Noel has three simple pieces of advice that he believes will increase an enterprise's security by up to 85 percent without spending a penny. "Patching is the last thing our customers should do. Instead, a combination of small solutions will each reduce your risks by 20 or 30 percent. A combination of these can provide an 80 or 85 percent effectiveness," he said.

First, said Noel, 70 percent of internal attacks happen because users log into their corporate network and then leave their terminal unattended. "You could have the strongest authentication system available, but in this case, it is left useless," said Noel, who recommends activating a password-controlled screensaver to avoid the problem completely. "The risk is virtually removed and the solution is simple, free and easy to manage."

Second, time should be spent ensuring that network routers and switches are configured correctly. According to Noel, Cisco routers are by default set to block requests from the Internet unless they have been explicitly authorised. The problem is that, because of "laziness", the majority of routers have their default settings changed, which creates vulnerability. "We discovered that only 8 percent of routers are set to deny uninvited requests. When they are changed back to the default setting, the system is 47 times more resistant to a typical attack," said Noel.

Turning specifically to protection from Slammer-like viruses, Noel said a simple addition to corporate security policy would have reduced Slammer's ability to infect intranets. Noel said: "Laptops should only be connected to the internal network -- via a VPN or directly -- after a reboot," which he explained would reduce infections by 50 percent because many viruses, including Slammer, are small and reside in memory. When a laptop is rebooted the memory is cleared, but if it is put into sleep mode or hibernation the memory is saved to disk. "As soon as the laptop was resumed, Slammer woke up and propagated into the company intranet, resulting in a denial of service attack." "It is not rocket science, but it works," he added.

Governor said companies not only need to strengthen their patch testing regime before deployment, but should also have a method of "rolling back" in case anything has been missed. "It really emphasises the need for strong processes and tools to support software change and configuration management," he said.

But Governor was keen to point out that it is not just Microsoft patches that companies have to worry about: "Let's not forget that Solaris has had multiple patches this year, as have the various Linux distributors. Red Hat, for example, recently released patches for Samba vulnerabilities."

The bottom line, according to Governor, is that not all patches are equal. "Users, not vendors, need to decide when and why a patch should be deployed. If it's a QFE, don't deploy it unless you understand what it is, what it does, and are aware that Microsoft may not yet have put the code through product-level testing," he added.
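Noel's first recommendation, a password-protected screensaver, is the kind of control that is cheap to verify across a fleet rather than take on trust. The PowerShell script below is an added example written for this page, not code from the article, from TruSecure or from Microsoft. It reads the standard per-user screensaver values under HKCU:\Control Panel\Desktop, reports whether the session will lock and demand a password within a chosen idle time, and with -Enforce rewrites the values. The 600-second limit and the choice of the built-in blank screensaver (scrnsave.scr) are assumed policy decisions, not anything the article specifies.

```powershell
# Added example, not from the article: audit (and optionally enforce) the
# password-protected screensaver that Noel recommends. The value names are the
# standard per-user settings under HKCU:\Control Panel\Desktop; the 600-second
# limit and the use of the built-in blank screensaver are assumed policy choices.
param(
    [int]$MaxTimeoutSeconds = 600,  # assumed: lock the session within 10 minutes of inactivity
    [switch]$Enforce                # rewrite the values instead of only reporting on them
)

$DesktopKey = 'HKCU:\Control Panel\Desktop'

function Get-LockScreenState {
    # Read the raw REG_SZ values; a missing value reads as $null, which counts as "off"
    $props = Get-ItemProperty -Path $DesktopKey -ErrorAction SilentlyContinue
    $timeout = 0
    if ($props.ScreenSaveTimeOut) { $timeout = [int]$props.ScreenSaveTimeOut }
    [pscustomobject]@{
        Active      = ($props.ScreenSaveActive -eq '1')     # screensaver enabled at all
        Secure      = ($props.ScreenSaverIsSecure -eq '1')  # "On resume, display logon screen"
        TimeoutSec  = $timeout                              # idle seconds before it starts
        Screensaver = $props.'SCRNSAVE.EXE'                 # no module selected means it never runs
    }
}

function Test-LockScreenCompliant {
    param([Parameter(Mandatory)]$State, [int]$Limit)
    # Every part is required: an active screensaver without a password, or a password
    # behind a very long timeout, still leaves the unattended-terminal window Noel describes
    return ($State.Active -and $State.Secure -and
            -not [string]::IsNullOrEmpty($State.Screensaver) -and
            $State.TimeoutSec -gt 0 -and $State.TimeoutSec -le $Limit)
}

$state = Get-LockScreenState
if (Test-LockScreenCompliant -State $state -Limit $MaxTimeoutSeconds) {
    Write-Output "OK: session locks after $($state.TimeoutSec)s of inactivity and requires a password"
}
else {
    Write-Output ("NOT COMPLIANT: Active={0} Secure={1} Timeout={2}s Screensaver='{3}'" -f $state.Active, $state.Secure, $state.TimeoutSec, $state.Screensaver)
    if ($Enforce) {
        # All four values are REG_SZ strings; the blank screensaver ships in System32 on every Windows release
        Set-ItemProperty -Path $DesktopKey -Name 'ScreenSaveActive'    -Value '1'
        Set-ItemProperty -Path $DesktopKey -Name 'ScreenSaverIsSecure' -Value '1'
        Set-ItemProperty -Path $DesktopKey -Name 'ScreenSaveTimeOut'   -Value "$MaxTimeoutSeconds"
        Set-ItemProperty -Path $DesktopKey -Name 'SCRNSAVE.EXE'        -Value "$env:SystemRoot\System32\scrnsave.scr"
        Write-Output "Enforced: password-protected lock after $MaxTimeoutSeconds seconds (applies at next logon)"
    }
}
```

Run it in the session of the user being checked, since the values live in that user's hive. Writing HKCU directly is a single-machine fix; for a domain the durable way to apply the same three settings is the corresponding user Group Policy (the screen saver enable, password-protect and timeout settings under Control Panel > Personalization in current Windows versions), which also prevents the user from turning the lock back off.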
Under pressure from its customers and partners, and seeing its Trustworthy Computing initiative about to go down in flames, Microsoft has admitted there is "an issue" with its patching system and is going to resolve the problems by combining all of its patching mechanisms. "We know it is a complex process and accept the fact that there was an issue," said Okin, who described Microsoft's vision of the patch management process in 2005: "Within 12 to 18 months we will move to a couple of baseline installers -- probably Windows and MSI -- so we can have a single update source. There will probably be something called Microsoft Update which does all of the applications as well as Windows and Office," he added.