Comment: Got the time?

9 Jun 2004

Plenty of evidence, both statistical and anecdotal, exists to support the view that businesses don’t update their security systems nearly as often as they should. This is despite the fact that many viruses and worms are written to exploit vulnerabilities in Windows or Outlook – holes which those patches address. The fact that Sasser, Netsky and others have been as widespread as they were is a sad testament to the amount of unpatched systems out there.

But you won’t get any finger-wagging from me. There are several reasons why so many organisations and individual users still remain vulnerable.

Not so long back, Microsoft released a patch that addressed several security vulnerabilities in various versions of Windows. Ironically it emerged that the security patch itself caused problems with some Windows 2000 systems, such as preventing users from logging on, booting the system, or actually from using the system because the CPU was stuck at 100pc. Talk about a dilemma: risk being caught by not implementing a fix or risk having systems come crashing to a halt.

Bill Gates has recently alluded to this problem himself. Stopping short of a full ‘mea culpa’, he nonetheless admitted to a “learning curve” in this respect, “of having to really identify which improvements to software are just new features and very optional, and which ones are the very critical things that need to be put out quickly, and have been very well tested to make sure that when those go into place, they, themselves, don’t cause any problems.”

(This is not, by the way, another cheap shot at Microsoft’s expense. To its credit, the company has lately been addressing the security market seriously and has made large strides with its work so far. It may not always get things right, but it now scores higher marks for effort than previously.)

Security experts have warned of a shortening timeframe between a vulnerability being announced and the arrival of resulting malware that exploits it. However, in the rush to act, there seems to be a tradeoff between issuing fixes for whatever vulnerabilities are discovered and testing these patches on systems that are likely to run key business applications.

There’s always a risk that your company’s accounts software package may not work when confronted with some updates to the computer’s operating system.

Then there’s the problem of exactly what to install. Sasser was an instructive recent example. For my sins, I recently got to play with an infected PC and set about getting to Microsoft’s website to sort out the problem. I was confronted by an array of different downloads. The files – well over a dozen of them, though I can’t recall the exact number – weighed in at more than 17MB. On a dialup modem, there’s not much alternative but to pick and choose which files to download. Sasser had imposed its own particular deadline, as I was effectively running against the clock to try and download the files before the worm got to work and forced the system to shut down.

It also got me thinking about time, or the lack of it, in all this mess. One security consultant recently told me that, for instance, a computer running a business-critical system can’t afford to be offline, certainly not during working hours when customers may have to conduct some transactions involving that same system. The window of time to fix a problem is usually to be found at the dead of night – even then, we’re talking about maybe a couple of hours at best to sort it out.

All of which goes some way to explaining why older worms and viruses still proliferate, sometimes months after they first attack. Time is not on our side, no it ain’t…

By Gordon Smith