He contacted the original researchers and Microsoft to verify the dates and times, and Steven Toulous of the MSSRC vetted his results. The summary is:
| 2003 | 2004 | 2005 | |
| Number of Critical Patches | 33 | 29 | 37 |
| Ave. Days from Report to Patch | 90.7 | 134.5 | 133.5 |
| Ave. Days from Disclosure to Patch | 71.1 | 55 | 46 |
This shows that Microsoft has been taking longer to fix 'responsibly' disclosed vulnerabilities, most likely due to their increased testing regime, and fixing publicly disclosed vulnerabilities which they were not previously notified of faster. The increase is understandable and the marginal increase in risk is justified if the risk from faulty patches is greatly decreased. The decrease is a good sign, but 46 days is still way too long, a skilled attacker doesn't need underground sploits if they have that long.
Continue reading "Vendor Patch Speed"
To be honest I have never struggled so hard to write something. I can write a fairly decent quality ten page conference paper (having done the research) in two to three days. Writing this seems to be far slower. I keep finding other projects to which I can meaningfully contribute to make myself feel competent. We affectionately call this WABing for Work Avoidance Behavior. I will get around to blogging some of the great, completely non-thesis related ideas I have implemented. In the past I have pushed myself to the point of requiring medical intervention, most notably while on the SRC last year. At the moment however, I struggle writing for more than a couple of hours and end up feeling absolutely awful about myself. I find with a confusing mix of inadequacy, a need for perfection and feelings that the task is too big. Worse still, I am stuck in our quiet university town with nobody here and will be missing out on new year celebrations.
Luckily I have some great friends, a wonderful girlfriend and a supportive family.
I found a kindred spirit in the thesis writing blog and some great advice in Stop Procrastinating and Complete your Dissertation (also see Procrastination & Time Management). Then there is always the great PhD (Piled High and Deeper) comics. However, the best advice by far is in Dr. Tucker-Ladd's chapter on Procrastination, it spoke to me.
As an aside, congratulations to Yusuf who has handed in his completed thesis already.
Aaw, I'm just whining, some people have real problems.
UPDATE: Serendipity went mad on the HTML for this one, it managed to break my atom feed. All fixed.
I have been writing my thesis and am trying to come up with some a priori reasons as to why vendors releasing patches in certain ways will have certain effects.
The bit of research I have just cooked up seems to indicate that for software which has a large community of users likely to get involved in the testing of patches, it makes more sense to release a detailed advisory and patch as soon as possible, instead of keeping it to yourself and releasing a patch when it is ready. This is still a very early version and is changing rapidly, please treat it as such.
I don't want to flood things with large images, so click on the graphs for a larger version.
Continue reading "Responsible Disclosure and Patching"
While a monthly patch schedule helps overworked administrators in general. An on the ball administrator has to rely on additional defenses to prevent exploitation from skilled attackers. Given the general increase in net security and additional testing Microsoft gets to put in to ensure a quality patch. Is network security monitoring the future?
Well then, Bleeding snort has the latest signatures.
While doing some research on threats and attackers for my MSc I found some interesting papers. It seems we are lacking in an understanding of 'the underground.'
Continue reading "Computer Crime Trends"
What could you have done beforehand to protect yourself against Zotob and its kin? “Install the patch” is the obvious answer, but it’s not really a satisfactory one. There are simply too many patches. Although a single computer user can easily set up patches to automatically download and install -- at least Microsoft Windows system patches -- large corporate networks can’t. Far too often, patches cause other things to break.
It would be great to know which patches are actually important and which ones just sound important. Before that weekend in August, the patch that would have protected against Zotob was just another patch; by Monday morning, it was the most important thing a sysadmin could do to secure the network.
Given that it’s impossible to know what’s coming beforehand, how you respond to an actual worm largely determines your defense’s effectiveness. You might need to respond quickly, and you most certainly need to respond accurately. Because it’s impossible to know beforehand what the necessary response should be, you need a process for that response. Employees come and go, so the only thing that ensures a continuity of effective security is a process. You need accurate and timely information to fuel this process. And finally, you need experts to decipher the information, determine what to do, and implement a solution.
source (here)
Which is exactly what my final thesis contains. A process for handling and responding to vulnerabilities and patches, a model of how much of this process can be automated and expert information to help train up experts.
This article bugs me a bit. The writer starts with a mention of a new Firefox patch and ends up asking the question:
Windows problems are so common that even home-based users know they must pay a $50/year "user tax" in order to have an anti-virus company manage the delivery of patches to them.
Is there a way to deliver that value to open source users without delivering that cost?
Apart from the error about anti-virus vendors delivering patches. Why do people think Microsoft are the only ones patching? Between Debian's apt, FreeBSD's ports, Gentoo's portage, Fedora's yum, SuSE's YaST, Sun's Patch Manager there is more innovation in patching and updating than you could shake an uninformed stick at. What's more is these tools are good and in many cases, better than Microsoft's offering (they patch everything for a start).
The MSRC blog has an interesting post entitled "A day in the life of a Security Bulletin" which gives some insight into what happens at Microsoft from when they are notified of a vulnerability through to releasing the patch.
Okay, so fast forward a bit....after we have determined that it is a vulnerability, we then work with the product groups to build the security update. Here is where it can get tricky. Let's say you have two product groups that need to work together on a particular update because both products have the vulnerable component. Because each group may run different testing, the possibility for one group to be ready to ship before the other is increased. We also work with other groups on extensive testing of the update to test things like application compatibility. So, what do you do? Ship one update for one product groups' component, but not the other? Wait? What if the issue is 'critical' in severity? What if we find an issue in the last stages of testing that could impact customer's applications negatively? You would think that this would be an easy decision and before I came to the MSRC I would have sworn that this would be a no brainer. Well I was wrong! As with all of our security vulnerability reports, each security update gets looked over in depth and we find that it may not be in our customer's best interest to provide one update before the other. If we did provide one update before the other, then that may leave the component that we do not have an update for vulnerable, making our customer more at risk because the information is now public.
It is a little scant on details and doesn't contain anything revolutionary or surprising. However, it is interesting to look behind the curtain.
Continue reading "Microsoft's Patching, an insider's view"
I was pointed to the article OSS Means Slower Patches by Pieter Blauuw. I have had it open in my browser window for the last day or two trying to figure out what feels so wrong about it. Thankfully Jericho has put together a decent response here and here. The full Symantec report is mirrored at OSVDB.
Continue reading "OSS Patches Slower"