Patch management woes strike August again

With security authorities warning of a big potential attack against the latest Windows flaws, IT pros have several theories on why the month of August is always so much trouble.

A suggestion for security pros: Don't take your vacation in August. Indeed, a pattern has emerged in recent years in which attackers take a recently disclosed Microsoft flaw and exploit it in dramatic fashion, often in the first two weeks of the month.

This year, security experts are sounding the alarm because of a critical Windows Server Service flaw that Microsoft addressed with its August patch release.

Even the U.S. Department of Homeland Security, which rarely joins the post-Patch Tuesday stampede of warnings, issued a public advisory urging Windows users to install the MS06-040 fix as soon as possible. At the Bethesda, Md.-based SANS Internet Storm Center (ISC), volunteer handler Swa Frantzen warned, "Those of you still testing patches ... better hurry up and get some of these fixed before you get hit."

By Sunday, attackers were targeting the Windows Server Service flaw with malware in a bid to expand their IRC-controlled botnets. Cupertino, Calif.-based Symantec Corp. labeled the malware W32.Wargbot, while Tokyo-based Trend Micro called it WORM.IRCbot-JK and Santa Clara, Calif.-based McAfee Inc. labeled it IRC-Mocbot!MS06-040.

This time last year, security experts were sounding the alarm following the Windows Plug and Play vulnerability, which Microsoft had patched in its August 2005 batch of fixes. Attackers exploited the flaw a few days later with the Zotob worm.

Two years ago, in July 2003, Microsoft released MS03-026 to patch the RPC-DCOM flaw. By early August, the Blaster worm was using the flaw to tear up cyberspace.

So what is it about August that makes it such a threatening time of year? Some IT professionals have their theories.

Susan Bradley, network administrator for Fresno, Calif.-based Tamiyasu, Smith, Horn and Braun Accountancy Corp., thinks the bad guys like to cause trouble when the good guys are on vacation.

"Something always happens during the Christmas holiday, and it wrecks the holidays for IT administrators, and something always seems to happen in August to wreck their summer vacations," she said. "Also, System Administrator Day is July 28, so maybe things happen in August to reinforce the appreciation everyone has for us."

Paul Asadoorian, lead IT security engineer for Brown University in Providence, R.I., speculated that the annual Black Hat hacker event in Las Vegas is a factor.

"People go to Black Hat and pick up all this knowledge about how to exploit various technologies," Asadoorian said, "then they decide to use Patch Tuesday to practice their newest skills."

That's especially problematic in a university environment, he said, since students returning to campus in August tend to come with computers that are infected with malware.

In the case of the Windows Server Service flaw, Bradley and Asadoorian are bracing for what may be another awful August. Bradley noted that H.D. Moore, co-creator of the Metasploit Framework, has already released exploit code, as have other researchers, adding, "That means the clock is ticking."

In fact, the bot attacks against the flaw started little more than a day after Bradley warned of the imminent threat.

That doesn't mean IT administrators are panicking as they evaluate whether to patch immediately or focus on other options.

Asadoorian said IT shops that deploy a variety of defenses and educate users on smart computing habits can fend off whatever August exploits come their way. "We try to throw technology at the problem as much as we can," he said. "We separate student computers from the rest of the campus and check them for problems before letting them on the network."

Organizations also need to have their VPNs and firewalls in place, and make sure antivirus signatures are kept up to date, he said, adding that network access control (NAC) is an essential element of a strong security program.

"Network access and/or endpoint assurance are two technologies every organization should try to take advantage of, something that checks the host when it tries to plug into the network," Asadoorian said. "You also need to educate the users because that goes a long way. Each semester we offer 15 hours of training for staff and about four hours for students."

Bradley has also noted some positive developments that may make future August attacks much less harmful.

"The good news is that the newer platforms are in wider use," she said, noting that her environment is now made up of machines running Windows XP SP2 and Windows 2003. While the Windows Server Service flaw can be exploited to take complete control of older platforms, she said, attackers can only use it to cause a denial of service on the newer platforms.

"As an administrator, a denial of service isn't as worrisome as someone taking over my machine," she said.

Bradley's advice for dealing with the current threat is to separate the MS06-040 patch from the rest of this month's urgent updates and deal with that one first.

"Leave the other 11 [bulletins] behind, test this one and fast-track it," she said.

This article originally appeared on SearchSecurity.com.
