A recent variant of Netsky seeks to worm its way onto people's desktops by claiming to patch various "hot" recent viruses or worms, including Sasser, Netsky itself, Beagle (aka Bagle in some listings), Mydoom, and MSBlast (aka Blaster in some listings), according to a recent news report. As with any other e-mail attachments, it's essential to train your users never to use them to patch systems. In another tip, in fact, I wrote about an incredibly convincing hoax that looked and read exactly like a real Microsoft security bulletin. That is, except for one thing: neither Microsoft nor any other reputable software vendors, including antivirus companies, ever send patches or updates to subscribers or users via e-mail. The hoax asked users to install the attached update!
"Why don't vendors send updates via e-mail?" you might be tempted to ask. Although they could use mechanisms such as public key encryption or digital signatures to prove their identities for e-mail delivery, software vendors uniformly choose to send notification of updates by e-mail, and let users download patches from verifiable sources at their convenience. Otherwise, in some cases vendors offer registered, up-to-date users subscription services that can initiate downloads (when available, such as Symantec's LiveUpdate service) to keep software and data files current, or automated update services (such as Windows Update) to do the same thing.
Making user software pick up downloads automatically or on demand is good policy from a security standpoint, as recent events clearly illustrate. But there are also size and message fan-out issues to consider as well. Because Microsoft Service packs are normally over 100 MB in size (if not much bigger), it's irresponsible to broadcast mail with attachments that big to large numbers of users. This is not only because of the size of the attachment itself, but also because of the large number of such messages that would be generated. The same thing is true, in fact, for most attachments over 1 MB in size. As responsible Internet citizens, most companies won't send that much data attached to e-mail; it's simply more efficient to have customers grab and use downloads when and as they need them (and many companies stage local copies of downloads as well, to prevent their users from having to copy the same thing repeatedly across the Internet).
The simple rule of thumb to teach users is: Never open or install anything that calls itself an update, a patch, a fix or whatever that shows up in your e-mail inbox. If you must install something (on a home or traveling machine, away from the office, for example), go to the vendor's Web site or use an automatic update service to download the patch. These simple words of advice, with properly patched and updated systems, will help users avoid nearly all sources of infection that might show up in their inboxes.
Tom Lancaster, CCIE# 8829 CNX# 1105, is a consultant with 15 years experience in the networking industry, and co-author of several books on networking, most recently, CCSPTM: Secure PIX and Secure VPN Study Guide published by Sybex.
This was first published in May 2004