Worm spread shows hole in patch system

ANALYSIS

The ability of the MSBlast worm to spread has underscored the view that today's methods of patching security flaws, while necessary to lock down specific computers, are too time-consuming to react to critical vulnerabilities. The result has been that the MSBlast worm, which by most accounts is poorly programmed, has quickly propagated across the Internet.

The worm has infected at least 120,000 computers and has caused internal disruptions for many companies and Internet service providers.

The University of Florida, for instance, has had hundreds of systems infected due to a compromised PC connected to its network via a dial-up line. The incident happened despite a broad initiative by the school to lock down its systems with patches, said Jordan Wiens, a network security engineer for the university.

"It's simply not as easy (to patch) as people would like, given the resources of many small departments," Wiens said.

Microsoft confirmed that it is working with law enforcement to find the person or group who released the worm.

Microsoft has stepped up user education and automation to persuade more consumers and enterprise customers to apply the patch for this flaw. Even so, many PC users remain unaware that their computers are vulnerable.

The Computer Emergency Response Team (CERT) Coordination Center has found that as many as 1.4 million unique Internet addresses appear to be sources of infection. That number is probably inflated: dial-up and broadband users who receive a different address each time they connect to their provider's network are counted once per address rather than once per machine.

Security firm Symantec offered a more conservative number, based on its intrusion detection network. It found that more than 120,000 computers appear to have been infected in the past 36 hours.

The lesson: patching can't be relied on to keep computers secure.

"There is no one single answer," said Stephen Toulouse, security program manager at Microsoft. "We encourage defense-in-depth, but we also encourage customers to deploy the patch."

A defense-in-depth strategy calls for companies not only to secure the servers and network devices connected to the Internet, but also to secure their internal networks. In the past, a strategy of so-called perimeter security has been more common. Because holes in security are always a possibility -- and usually a given -- building layered controls into a corporate network could make the difference between a single breach and a massive infection.

Patching is only one facet of a corporate security strategy and should be considered fallible at best, said Gerhard Eschelbeck, chief technology officer for vulnerability assessment firm Qualys. Only about 50 percent of Windows computers have had the patch applied in the month since its release, a typical half-life for a vulnerability, a Qualys study found.

"We are already seeing the number of systems that are vulnerable on the Internet trailing down," he said.

In a study announced in July, Qualys found that half of all vulnerable systems are patched in the first month after a fix is available.
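The Qualys finding quoted above (half of the vulnerable systems patched in the first month) is a half-life, so it can be turned into a simple decay model. The following is an added example, not code from the article or from Qualys; the 30-day half-life is the figure quoted above, and the lag between patch release and worm release used in the table is an assumed, illustrative input rather than a number the article gives.

```python
"""Patch adoption modelled as exponential decay with a 30-day half-life.

Added example, not from the article or Qualys. HALF_LIFE_DAYS is the figure
quoted in the article; the worm lag passed to exposure_table is an assumption.
"""
import math

HALF_LIFE_DAYS = 30.0   # "half of all vulnerable systems are patched in the first month"


def fraction_vulnerable(days_since_patch, half_life=HALF_LIFE_DAYS):
    """Share of the originally vulnerable population still unpatched after
    `days_since_patch` days, if patching follows a constant half-life."""
    if days_since_patch < 0:
        raise ValueError("days_since_patch must be >= 0")
    return 0.5 ** (days_since_patch / half_life)


def days_until_fraction(target, half_life=HALF_LIFE_DAYS):
    """Days after release until the unpatched share falls to `target`
    (inverse of fraction_vulnerable)."""
    if not 0 < target <= 1:
        raise ValueError("target must be in (0, 1]")
    return half_life * math.log2(1.0 / target)


def exposure_table(lag_days, population, half_life=HALF_LIFE_DAYS):
    """Hosts still exposed when a worm appears `lag_days` after the patch,
    and at one week and one month after that. `lag_days` is an assumption."""
    checkpoints = (0, lag_days, lag_days + 7, lag_days + 30)
    return [(d, round(population * fraction_vulnerable(d, half_life)))
            for d in checkpoints]


if __name__ == "__main__":
    # Assumed scenario: 1,000,000 vulnerable hosts, worm released 26 days after the patch.
    for day, exposed in exposure_table(26, 1_000_000):
        print(f"day {day:3d}: {exposed:>9,} still vulnerable")
    print(f"10% remain after {days_until_fraction(0.10):.1f} days")
```

The point the model makes is the one Eschelbeck draws: under a 30-day half-life, more than half of the population is still exposed when a worm appears within a month of the patch, and it takes about 100 days to get the unpatched share below 10 percent, far longer than a worm needs.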

Home users typically patch their systems less often, said Jack Bates, network engineer for regional ISP BrightNet Oklahoma. He estimated that as much as 20 percent of BrightNet's user base had been infected.

"Home users do not actively keep up with Windows Update," he said. "Some are not even aware that it exists."

Instead of relying on its clients to patch their systems, BrightNet has blocked traffic to the ports used by the vulnerable software and will send e-mail alerts to infected users. "This will require extensive man-hours from our personnel, as well as our customers' time," he said.

Intrusion detection systems have spotted PCs that the worm compromised on the networks of most major consumer Internet providers, including America Online, AT&T, Comcast, Cox Communications, SBC Communications and Verizon Communications. It's unlikely that the ISPs' systems have been infected by the worm, but a large number of clients that connect to those providers may have been compromised.
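Two things the article describes can be shown in one piece of code: how an intrusion detection system picks out compromised PCs by their scanning behaviour (the ISP detections above and BrightNet's plan to alert infected users), and why counting unique source addresses, as the CERT figure does, overstates the number of infected machines when customers get a new address on every connection. The following is an added example, not code from the article, CERT, Symantec, BrightNet or any of the ISPs named. It assumes an ISP has flow records (timestamp, source, destination, destination port) and RADIUS-style session records mapping an address lease to a subscriber account; TCP 135 is used as the scanned port because MSBlast's RPC exploit targeted it (a fact from the public advisories of the time, not stated in this article), and the thresholds and all sample data are constructed.

```python
"""Flag worm-style scanners in flow logs and de-duplicate them by subscriber.

Added example; not code from the article or any ISP named in it. Assumed
inputs: flow records and RADIUS-style session leases. TARGET_PORT = 135 is
the port MSBlast's RPC exploit scanned (public advisories, not the article).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds on a constructed clock
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Session:
    ip: str
    subscriber: str
    start: int
    end: int


TARGET_PORT = 135     # assumed worm target port (see module docstring)
SCAN_THRESHOLD = 20   # distinct destinations on TARGET_PORT inside WINDOW
WINDOW = 60           # seconds


def find_scanners(flows, port=TARGET_PORT, threshold=SCAN_THRESHOLD, window=WINDOW):
    """Return {src_ip: ts} for sources reaching `threshold` distinct destinations
    on `port` within any `window`-second span; ts is the start of that window."""
    by_src = defaultdict(list)
    for f in flows:
        if f.dport == port:
            by_src[f.src].append((f.ts, f.dst))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        live = defaultdict(int)   # dst -> hits currently inside the window
        left = 0
        for ts, dst in events:
            live[dst] += 1
            while events[left][0] < ts - window:   # evict expired events
                old = events[left][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                left += 1
            if len(live) >= threshold:
                scanners[src] = events[left][0]
                break
    return scanners


def subscriber_for(ip, ts, sessions):
    """Map an address seen at time ts to the account holding its lease then."""
    for s in sessions:
        if s.ip == ip and s.start <= ts <= s.end:
            return s.subscriber
    return None


def infected_subscribers(flows, sessions):
    """Group scanning addresses by subscriber: the list to notify, whose size
    (not the number of addresses) is the number of infected customers."""
    grouped = defaultdict(set)
    for ip, ts in find_scanners(flows).items():
        grouped[subscriber_for(ip, ts, sessions) or f"unmapped:{ip}"].add(ip)
    return dict(grouped)


def summarize(flows, sessions):
    subs = infected_subscribers(flows, sessions)
    return {"unique_ips": len(find_scanners(flows)),
            "unique_subscribers": len(subs),
            "notify": sorted(subs)}


def make_sample_flows():
    """Constructed flows: one account dials in twice under two addresses and
    scans from both, a second account scans once, a third is benign."""
    flows = []
    for i in range(30):   # acct-1001, first session as 10.0.0.5
        flows.append(Flow(100 + i, "10.0.0.5", f"192.0.2.{i + 1}", 135))
    for i in range(30):   # acct-1001 reconnects as 10.0.0.9, keeps scanning
        flows.append(Flow(700 + i, "10.0.0.9", f"198.51.100.{i + 1}", 135))
    for i in range(25):   # acct-2042, a second infected machine
        flows.append(Flow(300 + i, "10.0.0.7", f"203.0.113.{i + 1}", 135))
    for i in range(3):    # acct-3310, a few legitimate RPC connections
        flows.append(Flow(400 + i, "10.0.0.8", f"192.0.2.{50 + i}", 135))
    flows.append(Flow(410, "10.0.0.8", "192.0.2.99", 80))
    return flows


SAMPLE_SESSIONS = [   # constructed RADIUS-style leases
    Session("10.0.0.5", "acct-1001", 0, 500),
    Session("10.0.0.9", "acct-1001", 600, 2000),
    Session("10.0.0.7", "acct-2042", 0, 2000),
    Session("10.0.0.8", "acct-3310", 0, 2000),
]

if __name__ == "__main__":
    print(summarize(make_sample_flows(), SAMPLE_SESSIONS))
```

On the constructed data the address count is three while the subscriber count is two, which is the inflation the CERT caveat describes, and the benign host that opens a handful of RPC connections is not flagged. The subscriber mapping is what lets an ISP send one alert per customer rather than one per lease; without it the "unmapped" fallback keeps the address so nothing is silently dropped.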

While businesses usually know of software flaws and the need to patch their systems, they don't always have time. Companies often do not patch their systems immediately, because they need time to test the fixes, said Brian Burns, manager of security operations for network device maker NetScreen.

"Microsoft patches don't receive as much QA (quality assurance) as they should," he said. "There have been times that a patch has been applied, and then the administrator has to spend hours rolling it back, because it has crashed the machine."

Microsoft has focused on providing tools that let companies further automate their management of patches. The company's Software Update Services lets companies maintain a central store of patches internally and update systems according to the patch's importance, a computer's level of exposure to threats from the Internet and how critical the system is.

Until companies start thinking about network security when designing their infrastructure, patching will be a difficult task, Qualys' Eschelbeck said.

"For the next four years, we are going to be stuck where we are now, because we have to pay for the sins of the past," he said.

Another problem with software patches is that they sometimes modify business applications in unexpected ways, said Rick Beers, director of supply chain technology at Corning, a manufacturing company.

That calls for a better explanation from technology makers of what might be unintended consequences of installing patches. "Other than a magic technology solution, the only solution is much more thorough documentation from the vendor," Beers said.

CNET News.com's Mike Ricciuti contributed to this report


Talkback

There are other solutions to prevent your network from staying vulnerable when you have no time to patch. We developed an Intrusion Prevention System called AccessGuard (www.accessguard.nl). This product is placed in front of the network, and can detect and block intrusions from hackers and worms before they enter the network. The AccessGuard detected and blocked the first Blaster worm on the network of one of our customers in the early morning of the 9th of August. That was before the 'major alarms'. None of our customers is infected by this worm, and we had the same thing with other worms like Code Red, Nimda and Slammer.

13 Aug 03 12:16
