[ISN] Hackers Beating Efforts to Patch Software Flaws

InfoSec News isn at c4i.org
Tue Aug 23 14:16:45 EDT 2005


By Jaikumar Vijayan 
AUGUST 22, 2005

The speed at which hackers are taking advantage of newly disclosed
software flaws should be prompting companies to adopt stronger
measures for dealing with such vulnerabilities, according to IT
managers and analysts.

Several security experts last week said that IT departments need to
look beyond just patching defects and devise broader and more holistic
strategies to defend themselves against attacks seeking to quickly
exploit new flaws.

The advice comes in the wake of an onslaught of worms that targeted a
flaw in a plug-and-play component of Windows 2000. The worms hit
several large companies, including The New York Times Co., Cable News
Network LP, Caterpillar Inc., DaimlerChrysler AG and General Electric
Co., when hackers made use of the hole disclosed less than a week
earlier by Microsoft Corp. as part of its monthly patch release.

The rapid exploitation of the Windows 2000 vulnerability left some IT
managers acutely aware of the need to be vigilant about keeping their
systems up to date.

"We are going to have to fast-track the latest security upgrades,
maybe the same day, unfortunately," said Satish Ajmani, CIO of
California's Santa Clara County. "It is scary."

The trend has prompted Uline Inc. to accelerate its patching of
desktops and servers, said Robert Olson, a systems administrator at
the Waukegan, Ill.-based distributor of packing and shipping

The Windows 2000 bugs caused infected systems to restart repeatedly
and could allow remote attackers to take control of compromised
systems. According to vendors of antivirus software, the malware
targeted only older, Windows 2000-based systems.

Although none of those 11 or so worms are considered particularly
serious by most security experts, they serve as a sobering
illustration that hackers can take advantage of new flaws before many
companies can patch them, said John Pironti, a principal security
consultant at Unisys Inc. in Blue Bell, Pa.

"I think these attacks show that there is still a fair bit of latency"  
between patch release and deployment in a lot of companies, agreed
Fred Rica, a partner at PricewaterhouseCoopers in New York.

"Hackers have adopted new attack techniques," Pironti said. "Instead
of going out and looking for vulnerabilities on their own, they are
waiting for patches to be released to see what holes are being fixed."  
Then they go after those holes as quickly as they can, he said. The
trend could leave many companies dangerously exposed, especially large
ones that typically test and analyze patches before deploying them,
Pironti said.

"They have to assume that they are going to be vulnerable to attack
from the moment a patch is out," he said. "They need to have
countermeasures in place while the patches are tested" and deployed.

Enterprises should look at implementing the equivalent of the
color-coded threat system used by the U.S. Department of Homeland
Security when dealing with newly disclosed flaws, said Dave Jordan,
chief information security officer for the government of Arlington
County, Va. Once new flaws are disclosed, Jordan said, IT security
personnel "should conduct business differently than they would day to
day." They need to implement countermeasures as soon as possible to
mitigate risk, he said.

Measures can include conducting thorough threat analysis, gaining an
understanding of specific risks of new flaws, shutting down systems
where possible, blocking access to affected ports and using
intrusion-detection and -prevention systems to monitor for unusual
activity and network behaviors, security experts said.

A vast majority of worms and viruses, including those launched this
week, use common methods and take advantage of common flaws—such as
buffer overflows—to attack vulnerable systems, said Thor Larholm, a
senior security researcher at PivX Solutions Inc. in Newport Beach,

Instead of relying solely on patches to fix every new flaw, it's
better to address some common underlying vulnerabilities, he said.  
"There are multiple ways to protect against entire classes" of
vulnerabilities without having to apply patches for each one, he said.

PivX is one of several vendors, including Immunix Inc. and eEye
Digital Security, that sell tools to repair generic buffer overflows
in the absence of vendor patches.

"About 90% of the worms out there can be mitigated just by hardening
your systems," Larholm said. For instance, disabling so-called
null-session accounts, which are enabled by default on Windows 2000
systems, would have prevented this week's worms from taking advantage
of the plug-and-play flaw, though it is not always practical, he said.


More information about the ISN mailing list