A patch in time


7 Feb 2006

While the security industry can get into a flap over the discovery of a new virus or worm, the fact is a lot of the resulting damage would be contained by the relatively simple expedient of keeping your software up to date and patched regularly.

Despite this, it has emerged that many businesses and home users still aren’t using the latest version of Windows that would protect them better from security threats such as malicious code. That’s according to Microsoft, which revealed that there have been an estimated 220 million downloads of Windows XP Service Pack 2 to date, a version of the desktop operating system that was specifically upgraded to offer improved security.

Perhaps unsurprisingly, Microsoft had expected this figure to be higher. In Europe, there has been an upgrade rate of 60pc from earlier versions of Windows. “We’re a bit disappointed with the overall uptake of Windows XP Service Pack 2,” Ronny Bjones, security strategist for Microsoft EMEA, said in an interview last month.

The service pack, which is designed to prevent rogue code such as that found in executable attachments or website popup windows from changing a PC’s settings without the user’s knowledge or consent, was released in August 2004.

Bjones said the goal was to get as many organisations and individuals as possible to upgrade to Windows XP Service Pack 2, as it was more secure than previous versions of the operating system. To show how much Microsoft had emphasised security, he said that the work on strengthening XP had taken precedence over other high-profile projects within the company. “We stopped development of Vista [the next version of Windows] because we wanted to bring out a new client product that was so focused on security,” he said.

Bjones urged businesses to implement patches more quickly than they are currently doing, in order to protect their systems. He also defended Microsoft’s programme of scheduled monthly release for software patches instead of launching them as threats are discovered. “Typically an attacker will wait until the industry releases a patch. They then reverse engineer the patch and create an exploit — code that can attack the vulnerability,” he said. “Attackers are betting that customers are taking a long time to patch their systems. From that perspective, it’s better to [release patches] as a controlled process.”

A case in point was the worm that attacked many media organisations last August. Among the high-profile victims were CNN, the New York Times and the Financial Times. Microsoft had issued the patch for the vulnerability that this code exploited a week prior to the attack.

“The person who did this hadn’t attacked the latest technology. It just shows the barrier for script kiddies [people who release malicious code] is higher,” he said.

Later last year events took an interesting turn as Microsoft broke with its schedule to issue a patch for a critical software vulnerability in the way its Windows operating system handles Windows Meta File (WMF) graphics files. Since the flaw was first discovered just after Christmas, there have been reports of attacks that exploit it.

Microsoft had originally said it planned to release the patch for the vulnerability as part of its regular monthly schedule of releasing software patches on the second Tuesday of every month. However it appears that growing concern over the flaw led the company to issue the patch in advance.

Just before Microsoft was compelled to act, a new exploit was published which took advantage of the flaw in WMF. Brian Honan, head of BH Consulting in Dublin, called the publication of this exploit “irresponsible” when there is no vendor patch available. He said it would only encourage other exploits to be developed, aggravating the situation.

In fairness, this is the reverse of how things normally happen. More typically, the security industry announces a particular software vulnerability and at the same time a patch is made available to fix this flaw. This way, users can update their systems before malicious code writers have the chance to create code that exploits that particular flaw.

Bjones acknowledged that for large organisations that have a range of different applications, implementing software patches isn’t an easy process. “If you talk to a chief information officer you have to see that the subject is more complex than putting Windows XP SP2 on desktops,” he admitted.

However, he pointed out that Microsoft had combined all of the patches for its Exchange, Windows and Office products into a single engine, Windows Update, making the process easier to manage. He claimed that improvements to the desktop operating system, as well as to Windows Server 2003, were “from a technology point of view a massive step forward”.

By Gordon Smith