
Blaster shows IT departments the need for speed on patches

One user compares patch management to a migraine headache

August 13, 2003 12:00 PM ET

Computerworld - The frequent patching required to stay on top of potential attacks, viruses and worms, such as this week's W32.Blaster worm, may soon be unsustainable for some IT organizations, users and analysts cautioned yesterday.
As a result, companies will have to find more automated and proactive ways to deal with such threats, they said.
The Blaster worm, also known as the DCOM Worm or Lovsan, first appeared Monday and has affected thousands of computers running Microsoft Windows 2000 and Windows XP operating systems. In addition to propagating widely, the worm also installs back doors on infected systems that could later allow malicious attackers to take full control of a compromised system.
Blaster is the first self-propagating worm to take advantage of a previously known buffer overflow vulnerability in a Windows interface that handles remote procedure calls (RPC). The flaw was publicly disclosed only last month and affects almost all versions of Windows, including the Windows Server 2003 operating system.
The stunning speed with which the vulnerability was exploited is a sign that companies are going to have to respond to new threats even faster than they do today, said Chuck Adams, chief security officer at Netsolve Inc., an IT services company in Austin.







Whereas worms such as SQL Slammer took eight months to appear after the vulnerability was announced, Blaster was released in just one month, Adams said.
That means companies will need to find ways of shrinking the time it takes them to test and deploy patches, said Vivek Kundra, director of infrastructure technologies for Arlington County, Va. Currently, Arlington County needs about three or four days to push out patches across its networks.
"That is not going to work any longer," Kundra said. "I need something that can cut the process down to a few hours, if not minutes."
The county began working to install recommended patches for the Windows RPC vulnerability last Thursday, before the recent outbreak began to spread. About 100 or so Windows servers that were vulnerable to the virus were patched by Monday, and as of yesterday, 300 had been patched. But 3,200 or so of the county's workstations were still left unpatched.
The county started using Microsoft's Windows Update server technology to deploy the patches but had to abandon the approach because the patches didn't always deploy properly. It is now using a Novell Inc. resource management tool called ZENworks to distribute the patches, according to Kundra.
Going forward, the county is eyeing the possibility of outsourcing its patch management process to a third party. Also up for consideration are plans to install a more automated process for testing and deploying software patches, Kundra said.
To protect itself from the RPC vulnerability, the 22-hospital Banner Health system in Phoenix has had to patch over 500 servers and 8,000 workstations. The organization has been working for the past two weeks to install the patches and has been diligently following advice from organizations such as the CERT Coordination Center in Pittsburgh to protect itself against Blaster-like attacks.
"I can tell you, it's been one heck of an effort on a lot of people's part to do that," said Dave Jahne, a senior security analyst at Banner.
Banner has a highly standardized desktop environment, so deploying the workstation patches using an automated process was fairly straightforward, Jahne said. But the organization had to extensively test the patches in its server environment to ensure they didn't break or disrupt any existing applications.
"The thing about patching is that it is so darn reactive. And that can kill you," Jahne said. "You need to literally drop everything else to go take care of [patching]. And the reality is, we only have a finite amount of resources" to do that, he said. For the longer term, Banner is studying the feasibility of partitioning its networks in such a way as to minimize the impact of vulnerabilities, Jahne said.
The need to constantly patch systems can be especially hard for large and widely distributed corporations, according to Marc Willebeek-LeMair, chief technology officer at Tipping Point Technologies Inc., an Austin-based vendor of intrusion prevention products. For one thing, such corporations need to do far more extensive testing than smaller companies to ensure that patches don't break existing applications, Willebeek-LeMair said. Scheduling the time needed to deploy such patches can also be hard.
"Sometimes [patching] can be more an art than a science," said Hugh McArthur, information system security officer at Online Resources Corp., a McLean, Va.-based application service provider for over 500 financial institutions. "There will be times when you may need to make a judgment call balancing risk, appropriate testing [and] mitigating factors," he said.
Normal patching in a nonemergency takes between two and five working days, McArthur said. In an emergency, it can be done in a few hours.
"I would equate patch management to a migraine headache that doesn't go away. Just a constant nagging pain in the back of your head you learn to deal with," he said.

