Cyber Threats and the Flawed Software Update Process

I routinely scan and disinfect Windows systems on a weekly, and sometimes daily, basis. I've seen some worms create as many as 600 Internet connections in just a few minutes. Aside from the implications of using up critical bandwidth and the loss of productivity, it can take hours to locate, disinfect, and verify that the latest nasty code is gone. If I extrapolate my own experience to larger organizations, it’s a good bet that the cost of policing Windows platforms is rising almost exponentially in response to this constant onslaught.

The bleakest part of this picture is that Windows appears more vulnerable than any other platform. To this point, let’s review the results of a vulnerability study (http://www.avantgarde.com/xxxxttln.pdf) performed by "USA Today" and technology consulting firm Avantgarde in September 2004. In an attempt to simulate the home-based user experience, the study connected 6 computers to the Internet and logged 305,955 attempts to compromise the six systems during a 14-day period. The study tested four Windows platforms: Microsoft Small Business Server (SBS) 2003, a default installation of Windows XP Service Pack 1 (SP1), XP SP1 running firewall software, XP SP2, a Linux system, and Mac OS 10.3.5. Neither the Linux nor the Mac systems were compromised in any way, the SBS 2003 system was compromised once, and the default XP SP1 (the target of 45 percent of the attacks) system was successfully exploited nine times. Although not terribly sophisticated, this study makes me question how and why Linux and Mac platforms so out-perform Windows in the vulnerability arena. Is it because attackers love to trash Windows, because Windows is more vulnerable, or is it a fundamental software quality paroblem that is hopelessly out of reach when you’re maintaining tens of millions of lines of code?

Here is a collection of useful security factoids that drive home the security concerns we face every day. These facts were taken from several polls and surveys performed by different security-based institutions and organizations during the last 6 months.

- According to CERT, more than 95 percent of known security breaches are a result of known vulnerabilities.
- An unpatched Windows XP SP1 system connected to the Internet can be compromised in under 4 minutes.
- It took malicious users only 36 hours to write and distribute a worm that exploited a hole in a popular firewall product. The worm successfully infected 100 percent of the 12,000 target machines in less than an hour.
- In a study performed by an email hosting company, the company identified 2.8 million phishing emails in a 1-month period, an increase of more than 7000 percent from the previous year. In the same study, they determined that 1 in 16 emails is infected with a virus and 73 percent of the millions of emails they processed in 1 month qualified as spam.
- A 2002 survey discovered that security folks spend an average of 2 hours per day hunting for security information; a more recent 2004 survey determined that security personnel spend more than 500 hours per year dealing with security threats and exploits. If we use a 40-hour work week as an example, a security employee dedicates 12.5 weeks or 3.5 months to mitigating and cleaning up after security breaches.
- A recent study of a worst-case worm threat determined that it would take only a few minutes for a well-written worm to infect every vulnerable system on the Internet, a few hours to penetrate a corporate firewall, and a few seconds to infect every vulnerable system behind the firewall.
- A recent survey of security practices in medium to large companies showed that the number of employees responsible for system and information security doubled during the past year. In a December 2004 survey of Corporate Security Officers, 80 percent agreed that cyber attacks negatively affect the bottom line and a staggering 84 percent stated that their security programs were underfunded.

Because 95 percent of successful cyber attacks are the result of unpatched OSs, utilities, and application software, it seems obvious that if we update software weekly, and more often when imminent threats appear, we should have more secure systems. However, there is a fundamental flaw in how the industry has implemented the online update process, namely that a user must be logged on as a local administrator to run automatic update tools like Windows Update and online virus scanner updates. If you don’t have a large budget to implement a corporate push-technology for desktop and server updates, to properly maintain systems you must let users log on with local Administrator privileges.

The perils and pitfalls of administrative end users, whether at home or in a corporate setting, are well known and don't merit repeating here. Working around this absurd requirement is a real headache that entails writing, scheduling, and maintaining scripts that run with administrator privileges or writing scripts or a custom Group Policy Object (GPO) that tweak ACLs on registry entries so an end-user account can modify (mostly undocumented) registry entries accessed by various online update utilities.

Because we’re slaves to updates in the current "cyber-insurgency” universe, I recommend that Microsoft and other vendors collaborate on a standard solution for the update process, one that starts with a new update permission and requisite registry entries for each OS, utility, and application that supports automatic updates. This would let designated end users run automatic update tools without requiring full administrator access. Such a solution would be a significant step forward in managing desktop security risks at home, in small businesses, and the corporate world, and a huge timesaver for the seriously over-committed network police.

End of Article