Frustration over the latest Microsoft Corp. vulnerability announced late last month is failing to wane as IT departments face the ongoing and daunting task of patching millions of machines worldwide.
The ASN.1 library vulnerability, which Microsoft rates as critical and whose patch requires a machine reboot, is causing headaches for thousands of IT workers who are pressed to find time to patch the machines during the limited windows of opportunity available to them.
Scott Collins has to deal with about 200 system machines and over 2,500 desktops. “The hardest part is the communications…between the departments,” said the manager of technology and infrastructure with Canaccord Capital, a Vancouver-based independent investment dealer. “These people have to be communicated to, we can’t apply the patch, reboot and say ‘thank you very much.’”
“It is like a domino effect,” he said. Each business unit has to tell Collins’s group when it can afford to have its machines shut down to patch and reboot. Because many of Canaccord’s operations are 24/7, this is no easy task, he said. “If it requires a reboot it is always way more difficult.”
Robert Lyall, who heads up the IT department at London-based Investor Relations magazine, expressed his frustration recently at the day of patch work that lay ahead.
“The end user doesn’t want to be bothered with this kind of thing every couple of days, and one guy applying patches to 40 machines takes a bit of time!” Lyall said.
Lyall also looks after the magazine’s design department and said that he sees people “looking at the Macs enviously, since they don’t have these problems.”
For Collins and Lyall, patching is only the endgame, one that started with testing to make sure the patch, designed to plug a hole, does not open up more holes or create unforeseen conflicts.
And unlike many previous vulnerabilities, ASN.1 has no workaround. The only solution is to patch machines. This is the second critical vulnerability that has affected all Microsoft operating systems. MS03-023 was the first non-IE bulletin that affected all Windows platforms. It caused a buffer overrun in the HTML converter, according to Microsoft.
For IT departments already overrun with critical flaws in Internet Explorer, this is just one more job on their to-do lists. “These are both rated critical, they both need attention,” was how Carol Terentiak, the security, strategy and response manager for Microsoft Canada Ltd., responded when asked which flaw should be dealt with first.
Collins has chosen to go after the ASN.1 vulnerability first. Though he is confident of Canaccord’s multi-layered security approach, he said patching internal machines will help shore up defences in the unlikely event of a compromised external machine accessing its network.
Dee Liebenstein, group product manager for Symantec security response in Herndon, Va., agrees. “It is very hard to rely on any network security today…machines (laptops) go in and out of the system (all the time),” she said.
Within days of the vulnerability’s announcement an exploit was making its way around the Internet.
A short computer program was posted to the Internet the weekend after the announcement. However, one security expert says the exploit code does not pose a risk to confidential data stored on vulnerable systems.
Computer code for the program appeared on the French language Web page http://www.k-otik.com/, a popular outlet for software exploits, and was examined in online computer security discussion groups shortly thereafter. The program will cause machines using a vulnerable version of the ASN.1 Library to reboot, producing a so-called “denial of service” attack, said Neil Mehta, research engineer at Internet Security Systems Inc.
However, the exploit program will not allow a remote attacker to run malicious code or access files on vulnerable machines. That makes it less dangerous than previous software exploits, such as the code that took advantage of a hole in the Distributed Component Object Model (DCOM) and preceded the Blaster worm, he said.
Liebenstein warns the worst may yet come. “It has that same potential (as Blaster), if not more.”
Other security discussion groups were equally dismayed with the length of time it took Microsoft to come out with the patch.
“Does it really take 200 days to write a quality patch? Apple released a major patch in its iTunes player within 24 hours. What’s up with that?” wrote one dissatisfied security expert.
The reason the ASN.1 vulnerability is such a concern is its ubiquity.
“It is used pervasively throughout the system,” Liebenstein said. It is used in everything from digital certificates to ActiveX controls, she said. Though no such code is known to exist yet, an attacker who creates code that sends a properly malformed message (thus creating a successful buffer overflow) could potentially “get complete control of that computer,” she explained. Liebenstein suggests patching the most exposed systems right away and then formulating a plan to patch the remaining systems as soon as possible.