http://zdnet.com.com/2100-1105-966398.html

By Robert Lemos
Special to ZDNet News
November 19, 2002

System administrators are still not patching systems frequently enough, according to a recently published study of a software security flaw that allowed the Linux Slapper worm to spread.

In fact, even after the Slapper worm highlighted the existence of a vulnerability in the Web security software known as OpenSSL, three out of 10 systems that had the flaw continue to be vulnerable even today, said Eric Rescorla, an independent security consultant.

"Administrators aren't as responsive as they should be," he said. "Even after a relatively serious hole is found, administrators don't do the right things."

Over the past three years, software makers have been forced by their customers to be more responsive to security vulnerabilities in their products. The U.S. government has gotten into the act as well, with Richard Clarke, presidential adviser on cybersecurity, making repeated calls for companies to shore up holes in the servers for which they are responsible.

However, system administrators--many of them overworked--haven't taken the message to heart, according to Rescorla's research.

The research studied the response to the release of information in July relating to a flaw in OpenSSL, a commonly used open-source program that secures data traveling between Web servers and browsers over channels encrypted with the Secure Sockets Layer (SSL) protocol.

Tipped off to the coming announcement of the OpenSSL flaw, Rescorla quickly selected, using a Google search, a pool of about 900 servers that ran OpenSSL. He tested the servers every six hours to see whether they had been patched. Because he could check their status without affecting their operation, Rescorla saw the opportunity as ideal.

"I had a couple people complain (about my scanning), but remarkably few," he said. "The two people that sent me mail asked me not to continue."
About 40 percent of administrators patched their systems in the seven weeks between the public announcement of the flaw and the release of the Slapper worm. Another 30 percent apparently patched the software after the Slapper worm started infecting SSL servers in September.

"It's not just that some people are lazy, but also that many people appear to wait until they feel vulnerable (i.e., an exploit is released) before they apply fixes," he said. "This seems to be a distinct population from those who are just lazy and don't do anything at all."

System administrators who manage the remaining third of the servers scanned by Rescorla fall into that last category, he said.

The low rate at which system administrators patch their servers has been a problem for a long time. Software makers, such as Microsoft and Symantec, and most Linux companies have created services to help system administrators keep up with patches.

Those who did patch tended to be working at hosting service providers, said Rescorla. "The big hosting companies are good about patching, which isn't surprising because they maintain a security staff," he said.

The security consultant also found that people who kept their systems up-to-date--that is, running the latest version of software--tended to patch more quickly. "There is some evidence that the class of people that upgrade in the first round (before a worm is released) differ from those that upgrade in the second phase," he said.

Several reasons could explain the late-patching behavior, he added. System administrators may be wary of patches that could break their systems, so they wait until a threat appears that requires the patch to be installed. Also, administrators may simply feel that it's not necessary to patch until a real threat, such as a worm or a mass hack, seems imminent.

"That's a pretty dangerous strategy, because the 'black hat' community tends to have the exploit way before the administrator knows about it," he said.
He pointed to the fact that the OpenSSL flaw was discovered after a network administrator found someone attacking their machine with the exploit.

Finally, he said, some administrators don't patch because they're just too lazy.
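The study design described above boils down to a small data-analysis problem: repeated, non-intrusive version observations per host, reduced to each host's first patched sighting and then split into the three groups the article names (patched before the worm, patched after the worm, never patched). The following Python is an added illustration of that reduction; it is not Rescorla's code or data. The scan log, host names, and dates are constructed (the article gives only "July" for the advisory and "September" for the worm), and the `FIX_THRESHOLD` version is an assumption standing in for whatever version the vendor advisory names as fixed.

```python
"""Cohort analysis of patch timing from periodic version observations.

Added example modelled on the study design in the article; the data,
hosts, dates and fix threshold below are constructed or assumed.
"""
import re
from datetime import datetime

# Assumption for this example only: a server counts as patched once it
# advertises this version or later. Substitute the version from the
# vendor advisory for the flaw being tracked.
FIX_THRESHOLD = "0.9.6e"

# Constructed timeline. The article gives July for the advisory and
# September for the worm; the exact days are made up.
ADVISORY = datetime(2002, 7, 30)
WORM_RELEASE = datetime(2002, 9, 13)

# Constructed scan log: one observation per line, "timestamp host version".
SAMPLE_LOG = """\
2002-08-01T06:00 www1.example 0.9.6d
2002-08-01T06:00 www2.example 0.9.6d
2002-08-01T06:00 www3.example 0.9.6c
2002-08-20T12:00 www1.example 0.9.6e
2002-09-20T18:00 www2.example 0.9.7
2002-10-15T00:00 www3.example 0.9.6c
"""

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")


def parse_version(text):
    """'0.9.6e' -> (0, 9, 6, 'e'). An empty letter sorts before 'a', so
    0.9.7 compares greater than 0.9.6e and 0.9.6 less than 0.9.6a."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def is_patched(version, threshold=FIX_THRESHOLD):
    """True if the advertised version is at or above the fixed version."""
    return parse_version(version) >= parse_version(threshold)


def parse_log(text):
    """Turn the scan log into (seen, host, version) tuples."""
    observations = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, host, version = line.split()
        observations.append((datetime.strptime(stamp, "%Y-%m-%dT%H:%M"), host, version))
    return observations


def first_patch_time(observations):
    """host -> datetime of the first observation showing a fixed version,
    or None if the host was never seen patched."""
    first = {}
    for seen, host, version in sorted(observations):
        first.setdefault(host, None)
        if first[host] is None and is_patched(version):
            first[host] = seen
    return first


def classify(observations, worm_release=WORM_RELEASE):
    """Count hosts patched before the worm, after the worm, and never."""
    counts = {"before_worm": 0, "after_worm": 0, "never": 0}
    for when in first_patch_time(observations).values():
        if when is None:
            counts["never"] += 1
        elif when < worm_release:
            counts["before_worm"] += 1
        else:
            counts["after_worm"] += 1
    return counts


def patch_delays(observations, advisory=ADVISORY):
    """host -> whole days between the advisory and the first patched sighting
    (None for hosts never seen patched)."""
    return {host: (None if when is None else (when - advisory).days)
            for host, when in first_patch_time(observations).items()}


if __name__ == "__main__":
    obs = parse_log(SAMPLE_LOG)
    print(classify(obs))
    print(patch_delays(obs))
```

Two design points carry over to a real measurement: only a host's first patched sighting matters (later observations can be noisy, and a host that is later seen vulnerable again is a separate question), and the version comparison must be ordered rather than a string match, since the fix may arrive as a letter release or as a new minor version.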