Security Watch

Criticism on Patch Process Thrown Microsoft's Way

• By Jabulani Leffall
• 05/10/2010

As Windows enterprise pros ready themselves for the May 4 patch release slate, a third-party security firm, Core Security Technologies, is nipping at Microsoft's heels about what it calls Redmond's "silent patching" process.

Core Security is alleging that the software giant issued two patches, MS10-024 and MS10-028, for which it did not divulge adequate info about the threats.

Specifically, Core says these two patches were silently fixed based on bugs that Microsoft uncovered internally, and did not disclose the vulnerabilities in its regular monthly disclosure processes.

To its credit Microsoft does release a summary for every single patch. But what Core Security is saying, in essence, is that Redmond isn't taking threats as seriously as it should.

For instance, where MS10-24 is concerned, Core Security researcher Nicolás Economou said he discovered two vulnerabilities in Windows SMTP Service and Microsoft Exchange that were not "disclosed in the vendor's security bulletin and did not have an unique vulnerability identifier assigned to them."

The second patch, MS10-028 addressed two identified bugs in Microsoft Visio, the company's project diagramming software.

As a result, Core Security writes in its advisory that "the guidance and the assessment of risk derived from reading the (Microsoft's) security bulletin may overlook or misrepresent actual threat scenarios."

Microsoft, which often chastises independent and third-party researchers for not disclosing zero-day bugs, defends its practices, intimating that Redmond has its reasons for doing so.

"When a security vulnerability is discovered, Microsoft conducts a thorough investigation of that vulnerability, addresses any other issues found in the code as a result of that investigation and subjects the security updates to extensive testing for quality assurance," wrote Jerry Bryant, Microsoft Security Response Center spokesman in an e-mailed statement. "This helps reduce the number of updates customers have to deploy, since updating can be disruptive to customer environments."

As with all disagreements between Redmond and ISVs, the infraction is often misrepresented and the security risk in question is always debatable. When in doubt, patch.

McAfee Working To Remedy Windows "Brick" for Enterprise Pros

AV software giant McAfee has launched a dedicated page to both placate and educate companies affected last month by the patch bug. An update snafu initiated by a program glitch had everyone from Intel Corp. to the Sans Institute talking about the fact that McAfee allowed a major Windows component to be misidentified.

Amrit Williams, chief technology officer at systems management software vendor BigFix Inc., told me that these incidents are yet another sign that systems management and security tools need to be abstracted and isolated from the Windows OS and that the operating system itself is inherently flawed.

"You're not talking about some obscure file from a random third party; you're talking about a critical Windows file," said Williams, who is a former director of engineering at McAfee. "The fact that it wasn't found is extremely troubling."

What Causes Some NetAdmins To Lose Sleep?

It's that time of year again for the "What Keeps Network Administrators Up At Night" survey from Van Dyke Software. This year's survey, which is co-sponsored by Amplitude Research, is scheduled for wide release on Tuesday. The survey will cover a variety of security issues including IT/network security related to employee use of social media.

The survey also unearthed potential good news for IT budgets in 2010, what it calls a "a reversal of fortune in 2010 versus last year when it comes to budgets/staffing for IT security at enterprises."

The survey will also identify more than 11 core issues facing network administrators in 2010. The survey will conclude that "securing remote access" is still the top priority, four years running.

The other ten issues include: Keeping virus definitions up to date, patching systems, monitoring intrusions, securing file transfers, network use monitoring, user policy awareness and training, password management and administrative access, monitoring of system logs and finding and replacing non-secure Internet protocols.

Lastly the report will highlight the fact that less than half of the network administrators surveyed were bullish on cloud computing and related security issues in 2010, which is yet more proof that security in the cloud still fosters uncertainty throughout the ecosystems.

Not included in the survey are ways to help network administrators get some sleep in 2010.

Patching and Power
Saving power is central to any enterprise's bottom line and turning off workstations is a logical step in saving money and energy.

In that vein, it would make sense to be able to patch with the power off, so to speak. One vendor is offering that capability.

By integrating power management with industry leading patch management and antivirus protection, Shavlik Technologies' latest Shavlik NetChk Protect 7.5 release is said to be a nod to green IT. Among other things, company founder Mark Shavlik said the solution seamlessly integrates scheduled changes to power state (shutdown, sleep, hibernate) and Wake on LAN to power machines on for regular maintenance. 

"We have learned from utility companies and our customers that the need to automate the deployment of security patches has forced some energy savings ambitions off the agenda. By integrating these tasks with patch management in a centralized, easy-to-use console, we can make those Green IT initiatives viable," said Mark Shavlik, CEO of Shavlik Technologies, in an e-mailed statement.