When Patches Aren’t Applied

“It is quite possible, companies have chosen, for better or worse, to use their money on marketing as opposed to patching systems. It is, in many cases, a straightforward decision,” Lindner said, warning that it’s dangerous to downplay the serious risk that can be caused by an exposed system.

David Litchfield, co-founder of Next Generation Security Software (NGSS), estimated that less than 5 percent of vulnerable systems are patched in a timely manner. “Within a few weeks of the advisory going out, about 20 percent are fixed but I’d say about 50 percent of enterprises don’t even bother to apply the patches,” he said in an interview from his U.K. office.

“A large part of the problem is that the administrator is not even aware of the patch. It is surprising that in some enterprises, there are no vulnerability assessment (VA) tools being used,” he argued.

At other times, Litchfield said IT admins are simply “fed up” with the large amount of patches being issued and are content to wait for service packs that provides a bulk fix. That’s why the Code Red and Slammer attacks were so successful. There were literally millions of unpatched systems around the world,” he added.

Litchfield called on governments around the world to take the lead in educating companies and consumers about the serious risks involved with bad software. “It would be a good start a massive user awareness campaign but the problem is coaching people to read those documents. It’s like taking the horse to the water but you can’t make them drink.”

Secunia’s Kristensen agreed that user awareness was a huge problem, even with the increased publicity from the mainstream media. “One of the big reasons why people aren’t installing patches is the lack of knowledge about them actually existing,” he declared.

During internal research, Kristensen said admins are more eager to patch a hole in a Web server or a mail server but, even then, only about 50 percent of the holes in susceptible servers are plugged.

“Even with all the media attention, I don’t think there’s much more than two-thirds of services out there that’s been updated,” he added.

Crying Wolf?

Then, there is the cry-wolf syndrome, born out of too many ‘critical’ warnings being issued, particularly by Microsoft. The Redmond, Wash.-firm acknowledged there were legitimate fears that too many high-level alerts were being issued.

Steve Lipner, director of security assurance for Microsoft, recently announced the Severity Rating Criteria would be modified to specify clearly which bugs needed to be addressed immediately.

“There is also a widespread feeling that the Severity Ratings are difficult to understand and apply. For these reasons, we have modified (the criteria) to help customers more easily evaluate the impact of security issues,” Lipner explained.

Of Microsoft’s 72 warnings in 2002, more than half were tagged with the ‘critical’ rating. Of the ten issued this year, five have been described as critical. The ‘critical’ rating is reserved only for “a vulnerability whose exploitation could allow the propagation of an Internet worm without user action,” Microsoft explained.

The new ratings criteria carry an ‘important’ tag for flaws that could result in compromise of the confidentiality, integrity, or availability of users’ data, or of the integrity or availability of processing resources. Below that, the company issues ‘moderate’ or ‘low’ warnings.

For CERT/CC’s Lindner, the issue goes beyond software vulnerabilities and points to faults with the engineering process. “The root cause of problematic patches and problematic software is bad software engineering practices. That’s where we have to fix things,” Lindner declared.

“When we find flaws in software and we have to build a patch, we’re using the same bad software engineering practices to build the patch to fix the software that’s poorly engineered. It’s a vicious circle,” he added.

Even as the experts continue to decry the slow pace of patch applications, Lindner suggested a two-fold approach to fixing things. First, he called for widespread adoption of better software enginnering practices and, more importantly, widespread adoption of developing foolproof architecting protocols.

He said too many built-in flaws were being discovered in some of the most crucial protocols. “Even if you wrote air-free software, there would still be vulnerabilities because the protocols themselves have problems. That’s what he have to concentrate on fixing,” said Lindner.