
Hackers Beating Efforts to Patch Software Flaws

Rapid attacks via Windows 2000 hole prompt calls for broader IT security mechanisms

August 22, 2005 12:00 PM ET

Computerworld - The speed at which hackers are taking advantage of newly disclosed software flaws should be prompting companies to adopt stronger measures for dealing with such vulnerabilities, according to IT managers and analysts.


Several security experts last week said that IT departments need to look beyond just patching defects and devise broader and more holistic strategies to defend themselves against attacks seeking to quickly exploit new flaws.


The advice comes in the wake of an onslaught of worms that targeted a flaw in a plug-and-play component of Windows 2000. The worms hit several large companies, including The New York Times Co., Cable News Network LP, Caterpillar Inc., DaimlerChrysler AG and General Electric Co., when hackers made use of the hole disclosed less than a week earlier by Microsoft Corp. as part of its monthly patch release.


The rapid exploitation of the Windows 2000 vulnerability left some IT managers acutely aware of the need to be vigilant about keeping their systems up to date.


"We are going to have to fast-track the latest security upgrades, maybe the same day, unfortunately," said Satish Ajmani, CIO of California's Santa Clara County. "It is scary."


The trend has prompted Uline Inc. to accelerate its patching of desktops and servers, said Robert Olson, a systems administrator at the Waukegan, Ill.-based distributor of packing and shipping materials.


The Windows 2000 bugs caused infected systems to restart repeatedly and could allow remote attackers to take control of compromised systems. According to vendors of antivirus software, the malware targeted only older, Windows 2000-based systems.


Although none of those 11 or so worms are considered particularly serious by most security experts, they serve as a sobering illustration that hackers can take advantage of new flaws before many companies can patch them, said John Pironti, a principal security consultant at Unisys Inc. in Blue Bell, Pa.


"I think these attacks show that there is still a fair bit of latency" between patch release and deployment in a lot of companies, agreed Fred Rica, a partner at PricewaterhouseCoopers in New York.


"Hackers have adopted new attack techniques," Pironti said. "Instead of going out and looking for vulnerabilities on their own, they are waiting for patches to be released to see what holes are being fixed." Then they go after those holes as quickly as they can, he said.

The trend could leave many companies dangerously exposed, especially large ones that typically test and analyze patches before deploying them, Pironti said.


"They have to assume that they are going to be vulnerable to attack from the moment a patch is out," he said. "They need to have countermeasures in place while the patches are tested" and deployed.


