Self-updating Apps Are Unreliable

Many programs today have self-updating technology built right into the program.  An add-on component periodically checks an update server to see whether the application needs updating.  A few of the programs that have these mechanisms are the Adobe (Reader, Flash) and Apple (iTunes, QuickTime) client programs.

These programs do help home users keep their products patched.  But on a corporate network, self-updating programs are not a solution for patch management.  They are basically left to the mercy of the end user and the client system.

  • Users can simply decline the update, or may not know the importance of patching and ignore the update-needed message
    Not all users on a corporate network are security savvy, especially with patching.  Users are bombarded with messages each day on their computer.  A reminder pops up for a business meeting.  UAC in Windows Vista asks for user permission to run a program.  If a pop-up comes up asking for patching, how can you be sure the user has actually accepted the update?
  • The update program can fail at any time
    An update program can simply fail to execute at any time.  These failures are more common than you think.  I have a test machine that has Adobe Reader installed on it.  The installation method I chose installed the self-updating application.  One problem:  for three straight months, the program has failed to work.  The machine does not indicate that I am missing patches (3 versions, to be specific), and only presents an error message each time it checks for updates.
    Note:  This program initially worked, and I have done nothing on my machine to tamper with this update program.
  • There are no reporting measures
    As an administrator, how do you know the machine is patched?  Did the user accept the update?  Is the updater program actually working as intended?  Leaving programs in self-patching mode does not allow any type of roll-up reporting to occur.  Managing patches on a single system is easy by manually checking the system’s patch state.  But for small businesses up to large corporations, patch management systems with reporting are key to ensuring compliance.
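One way to get the roll-up view that self-updaters never give you is to read the installed version of each product yourself and compare it against the version you require.  The script below is an added example (not Shavlik’s or any vendor’s code); the product patterns, minimum versions and host names are constructed placeholders, and it assumes PowerShell remoting is enabled on the targets.

```powershell
# Added example: report whether products that rely on their own self-updaters
# are at or above a required version, so the result can be rolled up centrally
# instead of trusting the updater's pop-up.
function Get-SelfUpdaterCompliance {
    param(
        # DisplayName wildcard -> minimum acceptable version. These entries are
        # constructed placeholders; take the real minimums from the vendor bulletins.
        [hashtable]$Required = @{
            'Adobe Reader*'       = '9.2.0'
            'Adobe Flash Player*' = '10.0.32.18'
            'iTunes*'             = '9.0.2'
            'QuickTime*'          = '7.6.4'
        }
    )
    # Both the native and the 32-bit-on-64-bit uninstall hives; entries without a version are ignored.
    $hives = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $installed = Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
                 Where-Object { $_.DisplayName -and $_.DisplayVersion }

    foreach ($pattern in $Required.Keys) {
        $found = @($installed | Where-Object { $_.DisplayName -like $pattern })
        if ($found.Count -eq 0) {
            # Report absence explicitly: a missing product is not a missing patch,
            # but the administrator should see it rather than assume it.
            [pscustomobject]@{
                ComputerName = $env:COMPUTERNAME; Product = $pattern
                Installed = $null; Required = $Required[$pattern]; Status = 'NotInstalled'
            }
            continue
        }
        foreach ($p in $found) {
            $status = 'Compliant'
            try {
                if ([version]$p.DisplayVersion -lt [version]$Required[$pattern]) { $status = 'OutOfDate' }
            } catch {
                # Version strings that do not parse (vendor quirks) are flagged, not trusted.
                $status = 'UnknownVersion'
            }
            [pscustomobject]@{
                ComputerName = $env:COMPUTERNAME; Product = $p.DisplayName
                Installed = $p.DisplayVersion; Required = $Required[$pattern]; Status = $status
            }
        }
    }
}

# Roll-up: run the check on each machine and write one report. The host list is a
# constructed placeholder; replace it with your inventory.
$hosts = 'WS01', 'WS02'
Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Get-SelfUpdaterCompliance} |
    Select-Object ComputerName, Product, Installed, Required, Status |
    Export-Csv -Path .\self-updater-compliance.csv -NoTypeInformation
```

Anything reported as OutOfDate or UnknownVersion is a machine whose self-updater has not done its job, whatever the updater itself claims.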

In my example above, we have a case of an update program failing for no apparent reason on a target machine.  If this were a computer somewhere on my network, a vulnerable version of a highly targeted program would be sitting on it.  This could have been identified months ago through a true patch management solution.

Plain and simple:  Don’t put blind trust in self-updating software.

– Jason Miller

Asset Management Now Available in 7.1

In NetChk version 7.1, we introduced a new feature, Asset Management.  We have a training video up on our web site that shows you how to utilize this powerful feature.  In version 7.1, you can now find asset information as well as patch information.  The video shows you how to find the information regarding the software, hardware and virtual assets of your systems.  The video can be found here.

– Jason Miller

Risky Business – The Drawbacks To Using Microsoft WSUS For Patch Management

Patch management is by far the most important and most critical IT security task facing any organization. Today, any company that has selected Microsoft WSUS as its primary patch management solution is putting itself at risk, unnecessarily! The rate at which vulnerabilities are appearing these days is staggering, and they are not limited to Microsoft alone. Additionally, given the sheer number of updates and patches that vendors like Adobe, Real Player, and Firefox release each month, the patch management process can quickly overwhelm any organization, especially one that doesn’t have the right tools in place!

Gartner released a paper last year that spoke to this situation very clearly. The following is an excerpt from that paper: “Although Microsoft has improved WSUS, client feedback suggests that WSUS is not as rich in content and as robust in targeting and reporting as the focused patch solutions. Thus, organizations accepting WSUS as “good enough” have significantly higher labor costs for content analysis, testing and deployment. Although Microsoft is making improvements to WSUS, we do not believe it will be a best-of-breed solution for patch management”. (Publication Date: 3 March 2008, ID Number: G00155187, Author: Ronni J. Colville, Title: The Patch Management Market: Collision or Coexistence?)

It’s certainly not lost on me that the current economic climate is still forcing everyone to scrutinize operating expenses and save money anywhere possible. Hence the appeal of technology like WSUS, which is “free”. Make no mistake: free is not free! On the surface, WSUS appears to be a solution that’s “good enough”, but as you peel back the onion, you will quickly discover the missing capabilities. The major drawback to using WSUS centers around its inability to address vulnerabilities in non-Microsoft applications, and even in older Microsoft applications and operating systems. While the price of WSUS is certainly intriguing, its patch coverage and product support are very weak. Today, WSUS covers only a portion of the potential threats and creates an enormous coverage / risk gap that, if left unmanaged, subjects the user (knowingly or unknowingly) to what I would characterize as unnecessary risk!!

Key WSUS Drawbacks

  • Non-Microsoft Application Coverage – The absence of this capability creates both risk and the unnecessary dedication of essential resources.
  • Custom Application Coverage – What about “custom applications”? What if there are applications that have been deployed to support the needs of the organization, that no one in the world cares about but the company deploying them? How do those applications get patched? Certainly not via WSUS!!
  • No Coverage For Non-Domain Joined Systems – WSUS assumes, and in fact requires, that all managed Windows systems be members of the domain in order to be discovered. Thus, you can’t protect what you can’t find.
  • Online and Offline Virtual Machine Support – With virtual sprawl continuing to expand, the ability to discover all forms of virtual systems, running or not, is critical.
  • Limited Reporting – WSUS 3.0 only offers the user access to a small number of reports, with some export capability. This is very limited at best.
  • Architecture – WSUS relies solely on a series of agents to manage the patching function. Putting an agent on a server is generally not a good idea because it creates an unnecessary potential point of failure.
  • Reboot Control – This is especially critical for servers.  WSUS does not allow pinpoint control over when systems are rebooted, such as only during planned downtime. The absence of control here can present a great deal of difficulty, especially if critical servers reboot at a time when they shouldn’t.

What’s needed to truly address this growing and complex problem is a comprehensive, purpose-built solution that can: 1) accurately assess either virtual or non-virtual machines for missing patches, whether Microsoft or non-Microsoft; 2) once missing patches are discovered, quickly remediate by deploying the required patches; and finally, 3) provide good, consumable reporting that clearly illustrates that the risk has been removed and the environment has been restored to the desired state. Despite the fact that WSUS is a free utility, the disadvantages it presents should certainly make you think twice about relying on it to address one of your most critical IT security requirements.

Dave Eike
Shavlik Technologies

Windows 7 – Not Just A New User Experience

Last week marked the arrival of Windows 7 to the market.  We have had the operating system in our hands for the past couple of months and have done some extensive testing with it.  It is definitely a bit snappier in terms of speed compared to Windows Vista.

On the security side of Windows 7, you shouldn’t be looking for anything major.  This release was focused on the user experience.  A lot of the features introduced in Windows 7 address the “black eyes” the Windows Vista operating system received during its release.

There are, however, some worthwhile security improvements in Windows 7 to take note of:

  • Improved UAC
    Depending on how you view the changes made to UAC, you may consider them either a step forward or a step backwards.  Microsoft made UAC less intrusive.  They received feedback that the UAC security feature presented too many pop-ups, which created a very frustrating user experience.  Users will now be presented with fewer UAC pop-ups.
     
  • Bitlocker to Go
    In Windows Vista, Microsoft introduced the Bitlocker technology that allowed local hard drive encryption.  This was a great feature, but it lacked the breadth needed for an ever-changing IT world.  USB flash drives and USB hard drives are very common in the workplace now and deserve attention from security-minded people.  Laptops can be, and have been, stolen, which can lead to data disclosure.  But mobile storage devices are extremely common and can be lost or stolen even more easily.  With Bitlocker to Go, Microsoft has extended their encryption technology to cover these devices.
     
  • AppLocker
    Acceptable-use software policies on networks can be a giant pain for many administrators today.  Commonly, IT policies restrict what applications can be used on a network, and for good reason.  With each additional application on a computer, the threat risk increases exponentially.  Operating systems are not the only software that can have vulnerabilities.  With the addition of AppLocker, administrators can specify exactly which programs can be run on a desktop computer.  In the past, this was somewhat achievable through Windows Software Restriction Policies, but that technology was especially cumbersome and time consuming.  In addition, users could easily circumvent application rules by simply updating the software to a new version.  With AppLocker, administrators are now armed with a smarter and more robust application control technology.
     
  • Windows Biometric Framework
    It is really strange to be in the year 2009 and still talking about Windows and biometrics as a new combination, as both of these technologies have been around for years.  Administrators implementing biometrics have had the burdensome task of integrating third-party software into their networks in order to get any security benefit.  I have been there before and have spent many hours setting up and troubleshooting fingerprint biometric environments.  In Windows 7, Microsoft has introduced a new common programming interface for biometric providers.  This will allow a unified system for new technologies that implement this framework.  What does this mean for you?  A simple, reliable and easy-to-implement biometric solution for your company.  Although this technology will not have an immediate impact on your networks, Microsoft has laid the groundwork for the future of biometrics.
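The version-update loophole in the AppLocker item above is exactly what publisher rules close, because they key on the signing certificate, product and binary name rather than on a path or a hash.  The snippet below is an added example (not Microsoft’s or Shavlik’s code) that builds such a rule from one signed executable and simulates the policy against a newer build and an unrelated file; both file paths are assumptions for illustration.

```powershell
# Added example: build an AppLocker publisher rule for one signed executable,
# then simulate the policy before anything is enforced. Paths are assumptions.
$current = 'C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe'   # signed, currently deployed
$updated = 'C:\Staging\AcroRd32.exe'                                 # newer signed build awaiting rollout
$other   = 'C:\Staging\unsigned-tool.exe'                            # not covered by any rule
$xmlPath = '.\reader-publisher-rule.xml'

# A publisher rule needs signature data; New-AppLockerPolicy fails for unsigned
# files unless -IgnoreMissingFileInformation is given, which is the right default
# here: an unsigned binary should not silently get a rule.
Get-AppLockerFileInformation -Path $current |
    New-AppLockerPolicy -RuleType Publisher -User Everyone -Optimize -Xml |
    Out-File -FilePath $xmlPath -Encoding UTF8

# Review the generated rule, in particular its version condition, before use.
Get-Content -Path $xmlPath

# Simulate enforcement against all three files without touching the live policy.
# Expected: the deployed and updated Reader builds are Allowed (same publisher,
# product and binary name); the unrelated file is DeniedByDefault, because a
# policy with allow rules denies everything it does not list.
Test-AppLockerPolicy -XmlPolicy $xmlPath -Path $current, $updated, $other -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# Only after the simulation (and an audit-only rollout) looks right, merge the
# rule into the local policy. The Application Identity service must be running
# for AppLocker to enforce anything.
# Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge
```

The same chain works against a directory with Get-AppLockerFileInformation -Directory and -Recurse, which is how a baseline allow list for a standard desktop image is usually generated.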


– Jason Miller

Shavlik NetChk 6.5.3 Now Available

Last week, Shavlik released a new version of the 6.5 product line in 6.5.3.  This update is a maintenance update that fixes 28 issues.

A list of the issues resolved can be found here.

Before upgrading, you should visit the release notes.  The release notes can be found here.

– Jason Miller

The Value Of Good Security Intelligence

Information security professionals are very vigilant about ensuring that the systems they are charged with protecting are reliable and resistant to attack. However, with today’s ever-expanding threat landscape, maintaining a secure environment has become a constant challenge.

In order to better address this, better security intelligence is critical. We are all painfully aware that systems are prone to risk, but by introducing measurable controls, as well as better security-posture intelligence data, the potential for risk will dramatically decrease.

Currently, there’s a staggering number of threat vectors one has to consider when making decisions and taking action. Collecting this type of information with little or no automation presents a tremendous challenge.

The ability to aggregate threat and vulnerability information into a single source helps accelerate the response to any potential risk and reduces the uncertainty in decision making. So what’s the best approach to address this?

Generally, security intelligence is gathered in response to established requirements or policies that were put in place to help measure and manage any form of risk or vulnerability. The most common categories of threats are either targeted at information assets or could impact the reputation of the business. A formal, repeatable process coupled with the appropriate level of automation needs to be established to gather the required information and assemble it into a form that is both measurable and consumable. This approach will enable decision makers to review and analyze security data from multiple sources, as well as simplify the task of tracking the security state of any network.

There is a great article that covers this subject. It can be found at: http://www.au.af.mil/au/awc/awcgate/nps/cisr_wise3_p17.pdf

Dave Eike
Shavlik Technologies

Happy Anniversary MS08-067

Tomorrow will mark the one year anniversary of the MS08-067 software vulnerability in the Windows Server Service.  This is the vulnerability the Conficker worm exploited.

Microsoft released this patch “out-of-band”, unbeknownst to the security industry.  When I looked at this security bulletin in detail, I was instantly alarmed.  The vulnerability allowed remote code execution, on top of the patch being out-of-band.  Well, ok, this may sound like a lot of the vulnerabilities Microsoft patches each month.

This security bulletin was different for two reasons:

  1. This vulnerability affected the Windows Server Service.  Ah, but what uses that service?  Pretty much every computer running Windows has this service running and could be exploited.
  2. This vulnerability did not require any authentication to be exploited.  In other words, an attacker does not need to supply a login to exploit the vulnerability.

This combination made the vulnerability extremely alarming and a potential hotbed for a new worm outbreak.  We made some announcements regarding this vulnerability in October, warning people to patch their systems as soon as possible.  On a ranking of how bad this vulnerability was, we gave it 10 out of 10.

Fast forward to February 2009.  A new worm hits the Internet, attacking the software vulnerability.  Shockingly, this worm rapidly spread to millions of computers across the globe.  These computers did not have the patch applied that had been released 4 months earlier.

The worm itself did not deliver a payload, so the hype around the vulnerability quickly turned to frustration.  “Why all the warning around MS08-067 and Conficker?  Nothing happened!  This was a bunch of media hype trying to scare us!”

Plain and simple:  We got lucky with this vulnerability as it did not deliver pain like the Code Red Worm.  Next time, we might not be as lucky.

A valuable lesson we all should take from this:  Don’t ignore patches.  They are your first line of defense against virus and worm outbreaks.

– Jason Miller

Virtualization and You.

So I came across another article discussing the increased use of virtual machines for server infrastructure. This article, published on the Network World site, reports Gartner’s latest results on virtualization adoption: 18% of all server utilization is now virtual machines, and with continued adoption the expectation is that by 2012, 50% of server usage will be virtual.

Those of you who took any of our support surveys earlier this year know I was asking similar questions. The results of my survey frankly mirror Gartner’s. I was also pleasantly surprised by the number of folks who were using Shavlik NetChk Protect to scan and patch their VMs. The usage split between VMware and Microsoft was fairly similar to Gartner’s results as well.

So, today’s question is what will your adoption of Virtualization be?

Thanks for your participation!

Craig

Case of the Mystery Security Patch

One of our customers today pointed out a patch we had missed on October’s Patch Tuesday.  This was very strange, as we are quite meticulous about making sure all security patches are covered.

The patch in question is KB974554.  According to the patch knowledge base article, it is part of the MS09-060 security bulletin.  The affected product for the patch is Office Outlook 2003.

Interestingly, the MS09-060 bulletin notes that KB973705 is the patch for Office Outlook 2003.  Also, the bulletin page mentions nothing of KB974554.

After looking closely at the knowledge base article for KB973705, there is a “Known Issues…” note:

After you install this update, the Outlook View Control may not function in those programs that use Forms 2.0 functionality. To resolve this issue, install the following security update for Microsoft Office 2003:

974554 MS09-060: Description of the security update for Office 2003: October 13, 2009

Ah, this is a bug fix for a security bulletin, released on the same day as the bulletin itself.

Was this the case where Microsoft found an issue with a patch but decided to not announce it and release a second patch to fix the issue?

If you have installed KB973705 and you use Forms 2.0 in Outlook 2003, you should look at applying this patch.  The KB974554 page lists the patch as a security patch, but it appears to be a non-security update that fixes a bug in the security patch.  Nonetheless, I wouldn’t take chances: apply the patch to your Office Outlook 2003 machines after applying KB973705.
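The practical follow-up is to find the machines that got KB973705 but not KB974554.  The function below is an added example (not Shavlik’s code); it assumes that Office 2003 updates register under the Uninstall registry keys with the KB number in the key name or DisplayName, as they appear in Add/Remove Programs, and the host list is a constructed placeholder.

```powershell
# Added example: flag hosts that have the MS09-060 Outlook 2003 patch (KB973705)
# but not its follow-up fix (KB974554). Assumes Office 2003 updates register under
# the Uninstall keys with the KB number in the key name or DisplayName.
function Test-KbFollowUp {
    param(
        [string]$BaseKb     = 'KB973705',
        [string]$FollowUpKb = 'KB974554'
    )
    $hives = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entries = Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue

    # Match either the registry key name (PSChildName) or the DisplayName, since
    # Office updates carry the KB number in one or both places.
    $hasKb = {
        param($kb)
        [bool]($entries | Where-Object {
            $_.PSChildName -like "*$kb*" -or $_.DisplayName -like "*$kb*"
        })
    }
    $base   = & $hasKb $BaseKb
    $follow = & $hasKb $FollowUpKb

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        BaseKb        = $BaseKb
        HasBasePatch  = $base
        FollowUpKb    = $FollowUpKb
        HasFollowUp   = $follow
        # The only combination that needs action: base patch present, fix absent.
        NeedsFollowUp = ($base -and -not $follow)
    }
}

# Roll-up across the Outlook 2003 estate; host names are a constructed placeholder.
$hosts = 'WS01', 'WS02'
Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Test-KbFollowUp} |
    Where-Object { $_.NeedsFollowUp } |
    Select-Object ComputerName, BaseKb, FollowUpKb, NeedsFollowUp
```

Hosts where neither KB is present are not listed; they are missing the MS09-060 patch itself, which the regular patch scan should already be reporting.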

– Jason Miller