[ISN] Security holes aren't being filled

From: InfoSec News (isnat_private)
Date: Wed Nov 20 2002 - 00:00:32 PST


    http://zdnet.com.com/2100-1105-966398.html
    
    By Robert Lemos 
    Special to ZDNet News
    November 19, 2002
    
    System administrators are still not patching systems frequently
    enough, according to a recently published study of a software security
    flaw that allowed the Linux Slapper worm to spread.
    
    In fact, even after the Slapper worm highlighted the existence of a
    vulnerability in the Web security software known as OpenSSL, three out
    of 10 systems that had the flaw continue to be vulnerable even today,
    said Eric Rescorla, an independent security consultant.
    
    "Administrators aren't as responsive as they should be," he said.  
    "Even after a relatively serious hole is found, administrators don't
    do the right things."
    
    Over the past three years, software makers have been forced by their
    customers to be more responsive to security vulnerabilities in their
    products. The U.S. government has gotten into the act as well, with
    Richard Clarke, presidential adviser on cybersecurity, making repeated
    calls for companies to shore up holes in the servers for which they
    are responsible.
    
    However, system administrators--many of them overworked--haven't taken
    the message to heart, according to Rescorla's research. The research
    studied the response to the release of information in July relating to
    a flaw in OpenSSL, a commonly used open-source program to secure data
    going between Web servers and browsers using channels encrypted with
    the secure sockets layer (SSL).
    
    Tipped off to the coming announcement of the OpenSSL flaw, Rescorla
    quickly selected, using a Google search, a pool of about 900 servers
    that ran OpenSSL. He tested the servers every six hours to see if they
    had been patched. Because he could test their status without affecting
    their operation, Rescorla saw the opportunity as ideal.
    
    "I had a couple people complain (about my scanning), but remarkably
    few," he said. "The two people that sent me mail asked me not to
    continue."
    
    About 40 percent of administrators patched their systems in the seven
    weeks between the public announcement of a flaw and the release of the
    Slapper worm. Another 30 percent apparently patched the software after
    the Slapper worm started infecting SSL servers in September.
    
    "It's not just that some people are lazy, but also that many people
    appear to wait until they feel vulnerable (i.e., an exploit is
    released) before they apply fixes," he said. "This seems to be a
    distinct population from those who are just lazy and don't do anything
    at all."
    
    System administrators that manage the remaining third of the servers
    scanned by Rescorla fall into that last category, he said.
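The three populations described above (patched before the worm, patched only after it, never patched) fall straight out of a periodic status log once each host's first "patched" observation is known. The Python below is an added example, not Rescorla's code or the study's data: it builds a constructed six-hourly poll log for ten hosts and classifies them, assuming a 112-day observation window and taking the worm's appearance as day 49 (the seven weeks the article reports).

```python
"""Patch-adoption cohorts from a periodic status-poll log.

Constructed example data, not the study's dataset. Times are hours after
public disclosure of the flaw; the poll interval (six hours) and the gap
to the worm (seven weeks) are taken from the article.
"""
from collections import defaultdict

POLL_INTERVAL_H = 6
WORM_RELEASE_H = 49 * 24      # seven weeks after disclosure (from the article)
STUDY_END_H = 112 * 24        # assumed length of the observation window

def simulate_polls(patch_time_by_host, end_h=STUDY_END_H, step_h=POLL_INTERVAL_H):
    """Constructed poll log of (host, hours, patched) for every poll slot.
    A host whose patch time is None is never observed patched."""
    log = []
    for host, patch_h in patch_time_by_host.items():
        for t in range(0, end_h + 1, step_h):
            log.append((host, t, patch_h is not None and t >= patch_h))
    return log

def first_patched_poll(log):
    """host -> hours of the first poll that saw it patched (None if never).
    Resolution is one poll interval: the real patch time lies somewhere in
    the (previous poll, this poll] window."""
    polls = defaultdict(list)
    for host, t, patched in log:
        polls[host].append((t, patched))
    return {h: next((t for t, p in sorted(ps) if p), None) for h, ps in polls.items()}

def cohorts(log, worm_h=WORM_RELEASE_H):
    """Split hosts into the three populations the article describes:
    patched before the worm, patched only after it, never patched.
    Returns {cohort: (count, fraction)}."""
    counts = {"before_worm": 0, "after_worm": 0, "never": 0}
    for t in first_patched_poll(log).values():
        key = "never" if t is None else ("before_worm" if t <= worm_h else "after_worm")
        counts[key] += 1
    total = sum(counts.values())
    return {k: (v, round(v / total, 2)) for k, v in counts.items()}

# Constructed host population: 4 of 10 patch within the first seven weeks,
# 3 only after the worm, 3 never (mirrors the 40/30/30 split reported).
SAMPLE = {
    "host01": 3, "host02": 20, "host03": 24 * 10, "host04": 24 * 40,
    "host05": 24 * 50, "host06": 24 * 55, "host07": 24 * 70,
    "host08": None, "host09": None, "host10": None,
}

if __name__ == "__main__":
    print(cohorts(simulate_polls(SAMPLE)))
```

On real logs the same functions apply unchanged; only `simulate_polls` is replaced by the collected observations.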
    
    The low rate at which system administrators patch their servers has
    been a problem for a long time. Software makers, such as Microsoft and
    Symantec, and most Linux companies have created services to help
    system administrators keep up with patches.
    
    Those who did patch tended to be working at hosting service providers,
    said Rescorla. "The big hosting companies are good about patching,
    which isn't surprising because they maintain a security staff," he
    said.
    
    The security consultant also found that people who tended to keep
    their systems up-to-date--that is, running the latest version of
    software--tended to patch more frequently.
    
    "There is some evidence that the class of people that upgrade in the
    first round (before a worm is released) differ from those that upgrade
    in the second phase," he said.
    
    Several reasons could explain the late-patching behavior, he added.  
    System administrators may be wary of patches that could break their
    systems, so they wait until a threat appears that requires the patch
    be installed. Also, administrators may just feel that it's not
    necessary to patch until a real threat, such as a worm or a mass hack,
    seems imminent.
    
    "That's a pretty dangerous strategy, because the 'black hat' community
    tends to have the exploit way before the administrator knows about
    it," he said. He pointed to the fact that the OpenSSL flaw was
    discovered after a network administrator found someone attacking their
    machine with the exploit.
    
    Finally, he said, some administrators don't patch because they're just
    too lazy.
    
    
    
    


