Archive for September 2009
Enterprise Windows Application Patching
SANS Top Cyber Security Risks report shows application patching is much slower than Operating System patching.
Why does this occur?
Is patching applications more difficult? In some cases patching Java may cause issues with internal applications. But I haven’t seen a case yet where a Flash or Adobe Reader update has caused an issue. (I’m talking security bulletins, not major releases.)
Is the problem cultural? It took people a while to get in the habit of rolling out Operating System patching. Perhaps they just haven’t crossed the Application hurdle yet.
Is it the tools? SMS/Config Manager doesn’t seem to make deployment easy. Perhaps I’m doing it wrong, but with third party applications I have to use a script I downloaded from myitforum.com in order to customize the user install experience (ability to postpone). Having to update that for each application I’m pushing is a pain. My impression is that ConfigMgr’s competitors are much better at doing this. ConfigMgr is also quite difficult to use under our security policy if you want to patch remote users who don’t use the VPN.
I suspect a lot of mid-size and smaller businesses have just set up a WSUS server. WSUS lacks the capability of deploying application updates (although googling shows an interesting add-on from a third party to add this functionality).
Applying third party application updates is time intensive. I deploy them one at a time. With Microsoft patches they are all deployed at once. Upgrade fatigue sets in much more quickly due to the greater frequency of these individually deployed third party plugins.
Improving application patching requires more than telling the administrator to work harder. The tools need to be improved so we can do our job. Microsoft needs to step it up with ConfigMgr. It needs to be easier to patch non-Microsoft products or customers will start checking out competitors.
SEP 11.0.5
Symantec Endpoint Protection 11.0.5 is on Fileconnect. Release notes are posted here.
Apple Innovations
I usually skip over the Mac versus PC ads, but due to the hazards of watching football live I caught one today.
It was about the hardware innovations of the Mac. Kind of silly, since last time I checked my hardware was from Dell, not from Microsoft.
How about the Mac’s software innovations? Apple went all out with XProtect in Snow Leopard.
Here is Sophos’ write-up:
When files are downloaded through the following applications:
- Entourage
- Safari
- Firefox
- Thunderbird
- iChat
- and other programs that use LSQuarantine
XProtect is invoked.
Unfortunately, if variants of these threats find their way on to your system via an application that doesn’t set the com.apple.quarantine extended attribute, for example via:
- Skype
- Adium
- BitTorrent
- and Finder (via USB keys, network share, etc …)
Then you’re sort of out of luck.
Source: Sophos
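Since XProtect only fires on files carrying the com.apple.quarantine attribute, a quick way to see what it would never have looked at is to list downloaded files that lack the attribute. The script below is an added example, not from the post or from Sophos; it assumes a Mac with the standard xattr tool, and the helper names and the sample attribute value are constructed here.

```python
import shutil
import subprocess
from datetime import datetime, timezone
from pathlib import Path

QUARANTINE_ATTR = "com.apple.quarantine"


def parse_quarantine(value):
    """Split a quarantine value of the form 'flags;hextime;agent;...'.

    Hypothetical helper. Flags and download time are hex fields written by
    LSQuarantine; the agent is the application that set the attribute.
    """
    parts = value.strip().split(";")
    if len(parts) < 2:
        raise ValueError("unexpected quarantine format: %r" % value)
    timestamp = int(parts[1], 16)
    return {
        "flags": int(parts[0], 16),
        "timestamp": timestamp,
        "downloaded_at": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "agent": parts[2] if len(parts) > 2 else "",
    }


def quarantine_value(path):
    """Read the attribute with xattr; None if it is absent or xattr is missing."""
    if shutil.which("xattr") is None:
        return None
    result = subprocess.run(
        ["xattr", "-p", QUARANTINE_ATTR, str(path)],
        capture_output=True, text=True,
    )
    return result.stdout.strip() if result.returncode == 0 else None


def unquarantined_files(directory):
    """Files in directory that no LSQuarantine-aware app tagged, so XProtect
    would not have scanned them on open (e.g. copied in via Finder or BitTorrent)."""
    return sorted(
        p.name for p in Path(directory).iterdir()
        if p.is_file() and quarantine_value(p) is None
    )


if __name__ == "__main__":
    # Constructed sample value; a real one comes from a Safari download.
    print(parse_quarantine("0081;4ab4f1c0;Safari;"))
    print(unquarantined_files(Path.home() / "Downloads"))
```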
But hey, you’re not missing that much anyway. This “feature” only scans for the hash of 2 Mac trojans according to ZDNet’s Zero Day blog.
Now that is innovation.
Link: Star Trek and Infosec
There is a certain overlap between sci-fi fans and infosec.
I saw RSnake tweet this link: What Star Trek Predicts About the Future of Information Security.
I agree with one of the commenters, if it hasn’t already been done (and they can fair use the video rights) there is a conference presentation waiting to be made there. At the very least update the post with some illustrative Youtube clips.
That was so awesome I hurt myself laughing. (I should probably have that checked out.)
Symantec Dameware False Positive
“Symantec Security Response will post another set of LiveUpdate virus definitions today, 09/16/2009 at approximately 3PM Pacific. This posting is in response to a false positive (FP) on the ‘Dameware Remote Administration’ application. This FP was first released in definitions with version 20090915 rev.038 (Sequence 100395) IU. The detection has been corrected starting 20090916 rev.025 (Sequence 100419).”
Evaluating HTTP Security Solutions
While trying to evaluate an HTTP security solution I’ve been trolling for viruses by browsing Google Top Trends.
The vendor advertising their zero day protection detects the virus even when VirusTotal has only one scanner detecting (and not one used by this vendor). So they are showing off their zero day protection rather well. The problem I have is the incumbent protection, which would not have detected the virus with AV, was able to block the site completely with URL filtering.
I normally don’t think too much of URL filtering as protection anymore. Malware can be on legitimate sites. New sites that aren’t categorized come online. But for my extremely small sample set, it’s actually providing the same level of protection.
Tech Support Engrish
“Are on the Internal network where the following IP addresses are reachble?”
How’s that again? The funny thing is when I glanced at this question on my BlackBerry I didn’t even notice anything was wrong.
Firefox to Suggest Flash Updates
Firefox recently announced that a soon to be released version will check for Flash updates in addition to updating Firefox. That should be helpful for end users.
As with any news people of course have their own axe to grind and put their own spin on things. Wolfgang Kandek writes about this development in a Qualys blog adding “Now we just need to convince Hillary Clinton to let the Department of State use Firefox.”
I don’t see how this change would cause an enterprise to switch browsers. In an enterprise this Firefox Flash update reminder should be pretty much worthless. If an enterprise has deployed Firefox then it has probably deployed Flash for Firefox. If it’s deployed Flash for Firefox, then the company should be deploying updates for it. Enterprises have patch cycles and testing. They often disable built-in update mechanisms and deploy updates through SMS/Patchlink/BigFix/etc. Is it possible for enterprises to disable this functionality, perhaps through FirefoxADM?
Far from being the crowning achievement in Firefox security, I think this Flash update checker could potentially be a problem. I notice the screenshot taken by Wolfgang does not show an SSL site in use when the user is prompted to upgrade. It seems to me that this Flash update mechanism is prime for phishing. Spyware for Firefox has already masqueraded recently as a Flash update. I think this update mechanism’s delivery method, as shown in Wolfgang’s screenshot, primes phishing victims.
WordPress Admins Get Patching
Patching WordPress becomes even more urgent reports CNET. A worm is now in circulation exploiting unpatched WordPress installs.