Hackers' Window of Opportunity
Microsoft’s first Patch Tuesday of the new year is an unusually singular effort; the company is releasing a single patch to correct a remote code vulnerability in all versions of Windows server.
When Microsoft created Patch Tuesday in October 2003, it was a mechanism for bringing regularity and predictability to the patch release process. Prior to Patch Tuesday, Microsoft was routinely criticized for the chaotic and unpredictable process of releasing patches whenever they became available.
At some points over the last five years, dozens of patches have been released on Patch Tuesday. To have only one patch come out may seem like a milestone for Microsoft, a sign of progress that Patch Tuesday has achieved its goals and the Trustworthy Computing Initiative—the sweeping program enacted by Bill Gates in 2002 to correct Microsoft’s vulnerability-ridden software—has achieved its goals.
"Microsoft has become more and more risk averse over time in an effort to protect its brand, so they're going to release patches as quickly as possible," says Aaron Shilts, vice president of professional services at FishNet Security, one of the largest security solution providers.
The truth is Patch Tuesday is far from being dead, and, in fact, some wonder whether Microsoft needs to introduce some irregularity to the patch release cycle to keep hackers and malware writers on their toes. Evidence exists that hackers are waiting for Patch Tuesday to see what fixes are released and what remains vulnerable before unleashing new exploit code. Hackers are either releasing existing exploits or reverse engineering the patch to create an exploit before the fix is widely deployed.
"It’s not uncommon that Microsoft releases a patch that criminals are trying to take advantage of the time, the window of opportunity, because they don’t immediately patch," says Paul Ferguson, director of Trend Micro’s Advance Threat Research.
Rewind a month to Patch Tuesday, December 2008, when Microsoft issued nine patches for a series of remote code vulnerabilities in the Windows operating system, Media Player and Internet Explorer. Within days of Patch Tuesday, reports started surfacing of a critical vulnerability in Internet Explorer that opens the door for Trojans to stealthily download from malicious Web sites. At one point, Trend Micro reported that more than 6,000 Web sites were compromised with the Trojan and hundreds of millions of IE users were at risk. Microsoft issued an out-of-band patch to correct the vulnerability about a week after Patch Tuesday.
While the December IE vulnerability appeared as a zero-day exploit in waiting, the truth is the vulnerability was little more than an accident. Ferguson says a Chinese security research lab accidentally posted details of the vulnerability, which was used to create the exploit that was quickly released to the wild. The incident, however, was enough to raise the specter of hackers holding exploits until they see what Microsoft is releasing in its patch rollouts.
"Patch Tuesday still is a working model, but Microsoft shouldn’t limit itself to that one release cycle," says Brandon Dunlap, managing director of Brightfly, a security consulting group in Houston. "By having a predictable schedule, you also have a predictable schedule for the bad guys. If Microsoft is releasing a SQL Server patch, a bad guy knows that he has at least a week to exploit it."
Microsoft is aware of the window of opportunity between Patch Tuesday and the actual deployment of patches in production environments. For years, the recommended best practice for patching called for security teams to conduct regression testing in nonproduction environments before rolling out to production machines. The lag time created by testing creates the exploitation window of opportunity.
Microsoft even acknowledges the potential for hackers to keep exploits in reserve to see what fixes are released on Patch Tuesday. However, it believes both the process and layers of protection built into the Patch Tuesday release cycle provide adequate protection against many exploits. The first line of defense is the Active Protection Program, a collaborative effort by Microsoft and 22 partners to provide intermediary workarounds and shields against the exploitation of vulnerabilities before new patches are deployed.
"If you look at Patch Tuesday, we provide means to protect and information to prioritize the patch deployment," says Mike Reavey, director of the Microsoft Security Response Center, the unit charged with triaging Microsoft vulnerabilities and creating patches. "The window of vulnerability is what Active Protection was designed for. While users are doing their regression testing of the new patch, they’re being protected by the 22 vendors in the program."
Additionally, automatic updates embedded in Windows and other Microsoft applications enable Microsoft to transparently deploy patches—which is particularly useful for home and small-business users that don’t follow security bulletins or have dedicated administrative support.
When all else fails, Reavey says Microsoft will deploy a patch outside the regular Patch Tuesday cycle. While Microsoft released three out-of-band patches in 2008, it has only broken the Patch Tuesday cycle eight times in the last five years, Reavey says.
"The customers I’ve talked with still appreciate the predictable cycle," Reavey says. "Having partners that provide protection and releasing more information keep [Patch Tuesday] relevant."
Few people will dispute the utility and effectiveness of Patch Tuesday. While Microsoft is releasing only one patch this month, software rival Oracle is unleashing a tsunami of 41 patches for numerous applications. But should Microsoft consider a little less predictable patch release process? Reavey says no, but others say it should be on the table.
"Microsoft maybe should start thinking about some additional randomization; it might be helpful," FishNet’s Shilts says. "It’s probably better to have regularity and have a process in place to deploy patches as they come out."