OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Patch 22, eh, make that Catch 22

From: Ernst Lopes Cardozo (e.lopes.cardozoARANEA.NL)
Date: Thu Sep 18 2003 - 18:15:53 CDT

How to patch 30.000 machines.

Inspired by Exibar's message: "Better way to perform Microsoft security
patching?"

I'm not so sure there is a solution. I see a lot of seriously conflicting
requirements.

We want something that does not require Admin rights on every station; But
do we really want a mechanism that can install software on a remote machine
WITHOUT requiring admin rights? How can we be sure that what gets installed
is goodware?

We don't want an intelligent bulky client on every workstation (a-la SMS).
But we need an agent that is clever enough to know what to patch, when to
patch and what patches to accept and from whom.

We don't want the patching to rely on the cooperation of the user. As
admins, we want the user out of the loop. Most users, that is. Do YOU want
your machine patched without you knowing and approving it? Any time of the
day or night? Does that software developer, software Q/A checker, missile
launcher, military combatant, want that? So we need at least two classes of
users: non-admins and self-admins. After the horrible war about who's what
type of user, we need a way to check on the hundreds of self-admin users,
lest they break our network by postponing a critical patch. So maybe we do
need that client that takes 2 minutes every time you boot your machine or
make any network connection to make sure it is still fit to run.

We may well want a client that can put the station in a special 'safe mode'
when it learns that it is missing something that has become critical because
an exploit is making the rounds. Yes, we want to distinguish between your
current Critical update and a Don't-run-without-this-critical type of
update: MS003-026 after Blaster came on the radar screen. No matter what,
your workstation, server, would not run anything but the patch process once
we got Code Red (sorry) on a patch that was not yet installed.

The further we go down this path, the more complex it gets and the more
problems we will have. Each of these mechanisms is a new invitation for
worms and DoSes. This is going nowhere.

How did other industries deal with such issues? In about every country, you
need a license to drive a car. Historically that was not the case, but there
was a moment that we simply could not allow just anybody to get behind the
wheel. To get a license your need to do a test, so you need education. To
keep the license, you must behave. Although the system is not perfect, it is
saving us a lot of trouble. It is a nuisance, but I never heard a proposal
to abolish the drivers license.

Educating the driver helps. Much more has been accomplished by the
technicians that construct cars and roads. This, I believe, is largely due
to the fact that they are held responsible for anything that goes wrong that
they could have prevented.

I strongly believe it is a myth that software must be as vulnerable as it
is. It is all a matter of priorities. By not holding the vendors
accountable, they have to go for maximum functionality lest the competition
outfeatures them. Why don't cars have doors that open at the front side? I
had one (a Citroen 2CV)- it is extremely easy to get in- and out. It has a
drawback as well - poor safety, so this design had to go. Outlook is full of
extremely convenient features that cause a lot of its vulnerability. When we
make software suppliers accountable, they will make different choices.

In a couple of months, Microsoft’s security drive will have its first
birthday. Doesn't look like it is going to be a big "mission accomplished"
party. Maybe someone will proclaim that “software can't be made safe - we
proved it”. Let's not buy that crap. If a product is sold with over 80%
margin, there sure must be room for product improvement. Actually, there is
room to build it all-over.

Ernst Lopes Cardozo
principal consultant
Aranea Consult BV
Wolput 72a
5251 CH Vlijmen
The Netherlands
Tel. +31-73-646 1660
Fax. +31-73-646 1661
http://www.aranea.nl

----
Are You "Certifiable"? Summer's Hottest Certification Just Got HOTTER!

With a growth rate exceeding 110%, the TICSA security practitioner
certification is one of the hottest IT credentials available. And now, for
a limited time, you can save 33% off of the TICSA certification exam! To
learn more about the TICSA certification, and to register as a TICSA
candidate online, just go to

http://www.trusecure.com/offer/s0100/

----