The Daily Whim

The Daily Whim

Mon. Aug 18, 2003

Patch and Pray

Patch and Pray – Given the recent debacle of the LovSan Worm attacking Windows XP systems that hadn’t been updated in the previous 6 weeks, this article seems most pertinent: “Patching no longer works. Partly, it’s a volume problem. There are simply too many vulnerabilities requiring too many combinations of patches coming too fast. Picture Lucy and Ethel in the chocolate factory – just take out the humor.”

“ ‘We’re between a rock and a hard place,’ says Bob Wynn, CISO of the state of Georgia. ‘No one can manage this effectively. I can’t just automatically deploy a patch. And because the time it takes for a virus to spread is so compressed now, I don’t have time to test them before I patch either.’ ”

“One patch, for example, worked fine for everyone – except the unlucky users who happened to have a certain Compaq system connected to a certain RAID array without certain updated drivers. In which case the patch knocked out the storage array.”

“Yet for many who haven’t dealt directly with patches, there’s a sense that patches are simply click-and-fix. In reality, they’re often patch-and-pray. At the very least, they require testing. Some financial institutions, says Shawn Hernan, team leader for vulnerability handling in the CERT Coordination Center at the Software Engineering Institute (SEI), mandate six weeks of regression testing before a patch goes live. Third-party vendors often take months after a patch is released to certify that it won’t break their applications.”

“All of which makes the post-outbreak admonishing to ‘Patch more vigilantly’ farcical and, probably to some, offensive.”

The article is primarily tilted towards corporate systems, but it is no more certain for the home user. Given the hoopla last week, I did an overdue “Windows Update,” and it took almost half and hour to download and install the updates … via DSL. For the average dialup user, that translates to somewhere between four hours and infinity. Between those who are simply unaware of the need for updates, and those who are very aware of how long it takes, it is little wonder there are so many unpatched systems out there.

Heck, they arrive that way. I literally took a brand new system out of the box the Monday the LovSan worm really took off, a system that had been “burned in” mere days before, and it was vulnerable from the moment it was turned on.

Even Dell doesn’t patch their systems before they ship them. What’s a consumer to do?

Peanut Gallery

1  Mike wrote:

"What's a consumer to do?" He he.....Get a Mac!

2  rturner wrote:

Even Macs and unix based machines are getting "visitors", although they're *usually* not as vulnerable. A hardware firewall helps bigtime. I run a couple of other little helper apps: Spybot and more importantly, TrojanHunter. I had my mother's machine protected up in Rochester last week and she had over 400 thwarted attacks the night the blaster worm first struck. I had helped my sister get Norton Internet Security back on their machine the day before. Her kids had taken it off, so this time we password protected it. She had a couple of serious porn worms running that we were able to shut down. I'm afraid it's time for all the cable modem suburban mom's & dads to either turn pro, or hire one when it comes to security.

Comment by rturner · 08/18/2003 10:25 PM
Comments are closed for this article
Contact me to find out more