Regular patch releases are conditioning security execs to brace for virus attacks, on schedules they can almost plot on a calendar.
A new VeriSign report links Microsoft's patch releases with new exploits. But knowing when attacks are likely to occur doesn't always make them easier to prevent. Enterprises tracking monthly, quarterly or semiannual software updates must first examine and test the updates' individual components, and then install them during scheduled downtime.
Crackers, meanwhile, are turning out exploits of the flawed software faster than network administrators can install the patches.
"I'm not saying that regularly scheduled software updates are expanding the volume of exploits," said Trent Henry, an analyst at the Burton Group, a Midvale, Utah-based IT enterprise research firm. "But clearly the mean time between the discovery of a vulnerability [and] its exploitation is ever shrinking."
In addition to patching software as quickly as possible, network security experts and industry analysts like Henry are encouraging users to review firewall and port settings to prevent sudden attacks by individuals or small groups of malicious coders.
When Microsoft ships a security update for Windows, attackers compare the patched and unpatched binaries side by side, locate the functions the update changed, and work backward from the fix to an exploit for the flaw it closes.
Henry cited as an example Microsoft's February 2004 release of a patch for its Abstract Syntax Notation 1 Library, which within days was used as a basis for exploit code. Attackers targeting Microsoft's ASN.1 Library would have been able to view, change or delete data, install programs or create new user accounts with full privileges.
For attackers, this is the easiest way to target software. So-called script kiddies, at the bottom of the hacker food chain, rely on ready-made tools to exploit the vulnerabilities a vendor's patch has just disclosed.
Security services provider VeriSign Inc. says this cracker activity contributed to a 150% rise in the number of daily security events in Q3 2004, when compared to the same period in 2003. A year-to-year comparison wasn't available. According to the report, the data is derived from VeriSign services that monitor, correlate and resolve more than 250 million daily security events from firewalls, IDSes, IPSes, VPNs and endpoint systems at some of the world's most sensitive networks.
The timing of the events is no accident.
"Examination of quarterly top attacks and the timeline they follow is a near mirror of the monthly Microsoft patch cycle," according to the November report. "Mixed among a barrage of scanning and port-enumeration activity that serves as perpetual attack white-noise, we observed the clear presence of 60-day-or-newer system vulnerabilities under attack."
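The correlation the report describes can be checked against your own alert feed. The script below is an added example, not code from VeriSign or from the report: it parses IDS alerts, separates the scanning "white noise" from alerts tied to a patched vulnerability, measures how old each targeted vulnerability was when the attack arrived (using the report's 60-day threshold), and records how many days after the most recent monthly release day each attack landed. The bulletin identifiers, release dates and alert lines are all constructed for the example; the only fact taken from outside the page is that Microsoft's monthly release day is the second Tuesday of the month.

```python
"""Correlate IDS alerts with vulnerability age and the monthly patch cycle.

Added illustration of the report's finding; not VeriSign's code. Bulletin
IDs, release dates and alert lines below are constructed (hypothetical).
"""
import calendar
import re
from collections import Counter
from datetime import date, datetime, timedelta

# Constructed bulletin table: identifier -> date the fix was published.
# The 2004 entries are placed on second Tuesdays to mimic the monthly cycle.
BULLETINS = {
    "EXAMPLE-04-001": date(2004, 9, 14),
    "EXAMPLE-04-002": date(2004, 10, 12),
    "EXAMPLE-04-003": date(2004, 11, 9),
    "EXAMPLE-03-004": date(2003, 6, 25),
}

# Constructed alert lines in the shape of a generic IDS export.
SAMPLE_ALERTS = """\
2004-11-08T09:00:00Z alert msg="overflow attempt" bulletin=EXAMPLE-04-003 src=203.0.113.7
2004-11-10T02:14:09Z alert msg="overflow attempt" bulletin=EXAMPLE-04-003 src=203.0.113.7
2004-11-10T02:14:11Z alert msg="overflow attempt" bulletin=EXAMPLE-04-003 src=203.0.113.7
2004-11-12T18:40:02Z alert msg="port scan" src=198.51.100.23
2004-11-15T11:05:33Z alert msg="RPC exploit" bulletin=EXAMPLE-04-002 src=192.0.2.45
2004-11-16T23:59:59Z alert msg="old worm" bulletin=EXAMPLE-03-004 src=192.0.2.99
2004-11-20T07:30:00Z alert msg="overflow attempt" bulletin=EXAMPLE-04-001 src=203.0.113.8
"""

ALERT_RE = re.compile(
    r'^(?P<ts>\S+) alert msg="(?P<msg>[^"]*)"(?: bulletin=(?P<bulletin>\S+))? src=(?P<src>\S+)$'
)


def patch_tuesday(year, month):
    """Second Tuesday of the month: Microsoft's monthly release day."""
    first_weekday, _ = calendar.monthrange(year, month)  # Monday == 0
    first_tuesday = 1 + (calendar.TUESDAY - first_weekday) % 7
    return date(year, month, first_tuesday + 7)


def last_patch_tuesday(on):
    """Most recent Patch Tuesday on or before the given date."""
    pt = patch_tuesday(on.year, on.month)
    if pt <= on:
        return pt
    prev_month = on.replace(day=1) - timedelta(days=1)
    return patch_tuesday(prev_month.year, prev_month.month)


def parse_alerts(text):
    """Yield (timestamp, message, bulletin-or-None, source) per well-formed line."""
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash on a noisy export
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["msg"], m["bulletin"], m["src"]


def correlate(text, bulletins=BULLETINS, fresh_days=60):
    """Bucket alerts by the age of the targeted vulnerability and report the
    median number of days between the latest release day and the attack."""
    counts = Counter()
    days_since_release = []
    for ts, msg, bulletin, src in parse_alerts(text):
        if bulletin is None:
            counts["noise"] += 1  # scans and enumeration: no specific fix targeted
            continue
        released = bulletins.get(bulletin)
        if released is None:
            counts["unknown_bulletin"] += 1
            continue
        age = (ts.date() - released).days
        if age < 0:
            counts["pre_patch"] += 1  # attack predates the fix: a zero-day by this data
        elif age <= fresh_days:
            counts["fresh"] += 1  # the report's "60-day-or-newer" band
        else:
            counts["stale"] += 1
        days_since_release.append((ts.date() - last_patch_tuesday(ts.date())).days)
    result = dict(counts)
    if days_since_release:
        ordered = sorted(days_since_release)
        result["median_days_since_patch_tuesday"] = ordered[len(ordered) // 2]
    return result


if __name__ == "__main__":
    for key, value in sorted(correlate(SAMPLE_ALERTS).items()):
        print(f"{key}: {value}")
```

On the constructed sample, three of the five bulletin-linked attacks hit vulnerabilities less than 60 days old and the median attack lands a week after the release day; a fleet-wide run over a real export would show whether your own feed mirrors the cycle the report describes. The pre-patch bucket is worth a separate alert in practice, since it means the attack arrived before a fix existed.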
One network security analyst hopes users will raise their readiness for such attacks.
"Customers need to wake up and understand that the hackers have access to the patches and can fairly easily reverse-engineer to see which modules are patched and what code is affected," said Neil MacDonald, an analyst at Stamford, Conn.-based research firm Gartner Inc.
Patching is only part of the solution, however. The analysts interviewed for this story advocate a combination of patch maintenance, vigilance when guarding network perimeters and user education.
But, for Microsoft customers at least, a new, highly secure operating system is still years away, said Santa Rosa, Calif.-based enterprise security consultant Martin McKeay, who is currently a contractor for the California State Compensation Insurance Fund.
McKeay said security execs had better keep their eyes open for new patches.
"Until Microsoft begins strengthening their code earlier in the development process," McKeay said, "there will be a lot more bandages to apply. There are just so many people out there shooting at Microsoft."
This article originally appeared on SearchSecurity.com.