Sasser outbreak demonstrates need for quick patch response

Computerworld - This week's Sasser worm outbreak, which disrupted operations at some businesses but left most virtually untouched, highlighted the difference a good vulnerability management strategy can make to a company's defenses, users and analysts said.
The W32/Sasser worm started spreading a week ago and by the middle of this week had infected hundreds of thousands of systems globally (see story).
The worm took advantage of a flaw, which was disclosed by Microsoft Corp. on April 13, in a Windows security and authentication component. Microsoft released a patch to fix the problem on the same day, and since then, the company and several security experts have been urging users to install the update as soon as possible.
The fact that the worm managed to infiltrate some corporate networks despite the warnings shows that there's still progress to be made in promptly responding to such vulnerabilities, said Art Manion, a member of the CERT Coordination Center at Carnegie Mellon University in Pittsburgh.
"Some organizations have streamlined patching and policy management to roll out important updates in a matter of days," said Ken Dunham, an analyst at Reston, Va.-based iDefense Inc. "Others are so careful and test so many features that they end up being vulnerable for an extended period of time."
A large majority of those infected were believed to be home users. But several large organizations were hit as well, including American Express Co. in New York (see story). An American Express spokeswoman said that "some employee desktops" were affected by the worm. "But we never had any issues with our networks or service."
"This was a big one. But I am amazed that it got as far as it did," said Firas Rouf, chief operating officer at eEye Digital Security, an Aliso Viejo, Calif.-based provider of vulnerability assessment services.
Several users said companies would have been protected if they had followed long-recommended security measures, such as knowing where vulnerabilities exist, prioritizing threats and responses, applying appropriate patches, keeping antivirus software up to date, blocking unused ports and installing firewalls on end-user desktops.
TRW Automotive Holdings Corp. in Livonia, Mich., escaped Sasser thanks largely to new patch management software that it had just finished deploying across 22,500 systems globally. The software from Emeryville, Calif.-based BigFix Inc. helped TRW identify vulnerable systems and deploy patches to them in an automated fashion.
"The big thing was the speed with which we were able to deploy patches to our desktops," said Bill Lax, TRW's global infrastructure vulnerability manager.
Meanwhile, software- and hardware-based firewalls installed on