It’s time to take patch management seriously

Windows updates don’t normally feature highly on this blog… after all, they come along every month, you test them (perhaps?), install them, and leave things along for a few weeks. Sometimes there’s an out of band patch release and that ought to indicate that there is a significant problem that requires attention. So why have I been hearing so much over the last few weeks about the Win32/Conflicker.B worm with people panicking to update systems, install the latest AV updates, and generally try and catch up after being so lackadaisical in the first place?

Let me explain what I mean… according to an e-mail I received from Microsoft last week:

Win32/Conficker.B exploits a vulnerability in the Windows Server service (SVCHOST.EXE) for Windows 2000, Windows XP, Windows Vista, Windows Server 2003, and Windows 2008. While Microsoft addressed this issue in October with Microsoft Security Bulletin MS08-067, and Forefront antivirus and OneCare (as well as other vendor’s anit-virus products) helped protect against infections, many systems that have not been patched manually through Server Update Services and Microsoft/Windows Update or through Automatic Updates have recently come under attack by this worm. Attacked systems may lock out users, disable our update services and block access to security-related Web sites:

In response to this threat, Microsoft has:

It is our hope that these resources can assist you in resolving issues with unpatched, infected systems and that you can apply MS08-067 to any other unpatched systems as soon as possible to avoid this threat.”

I’m sure there are some people who feel that applying updates is an intrusion, an unnecessary interruption into the day (these are probably the same people that advocate turning off user account control…). Others will claim that other operating systems don’t need patching so often (I don’t know about the frequency of updates but patches on my Macs always seem pretty big and Linux is in one big patch cycle as the open source model is one of continuous improvement). Personally, I’m glad that Microsoft settled down to a predictable monthly cycle and for those who think that’s a problem because it gives hackers a predictable timeframe for reverse engineering patches and attacking weaknesses in unpatched systems it’s all the more reason why every organisation’s IT security people should be ready to look at the update announcements on the second Tuesday of every month and then to act accordingly. And when a patch comes along outside that predictable schedule to consider that, yes it’s a pain in the neck, but it might just be important…

Which brings me back to the point. Conficker (also known as Downadup). As F-Secure put it:

“First — It was an out-of-band update.

Second — It was given an ‘Exploitability Index Assessment’ of ‘1 – Consistent exploit code likely’.

That kind of speaks for itself, doesn’t it?

Third — It allows for Remote Code Execution, in numerous versions of Windows (particularly critical for 2000, XP, and Server 2003).

All of these combined factors equals something quite serious that should be patched as soon as possible. If you are having difficulties with Automatic Updates, the bulletin links to manual downloads.

Security Update for Windows XP
Security Update for Windows Server 2003

It’s always a good idea to be ready for out-of-band updates. You can subscribe to Microsoft Security Notifications here.”

The other thing that this worm has awakened is corporate IT departments saying things like “how can we check that all our machines are updated with the Microsoft update and with the latest antivirus signatures?”. Well guys, there’s a feature called Network Access Protection (NAP) and it’s implemented in Windows XP SP3, Windows Vista and Windows Server 2008. Whilst you’ve all been bleating about how Vista is bad, perhaps you should have looked a bit further and seen some of the advantages it could bring. If you still can’t stomach a Vista upgrade because somehow you think that Windows 7 will be easier from an application compatibility standpoint (I have news for you…) or think that Microsoft and security in the same sentence indicates an oxymoron then there are plenty of third party endpoint security systems with similar controls…

Perhaps we need an outbreak like this from time to time to wake up the IT Managers and persuade them to spend some money on security improvements within the infrastructure.

Here endeth the lesson. Now go and update your systems.

For more information, check out Centralised information about the Conficker Worm and MS08-067 Conflicker worm update.

4 thoughts on “It’s time to take patch management seriously


  1. C’mon Mark, you really think everyone should have learned their lesson after SQL Slammer and the whole MSBlaster/Welchia fiasco? Oh right, they should have, I did. My systems are patched.


  2. @Marc – you got it! Sadly, based on the panic I’ve seen and the various communications that Microsoft has been pushing out, not everyone is that organised.

    @Mike – fair comment. My point about Vista was more that I hear a lot of organisations bleating about how bad it is [perceived to be] and ignoring any kind of steps forward in their infrastructure as a consequence. It’s not strictly relevant here but not patching systems, not looking at increasing security, not having effective anti-malware measures (simply mandating the use of anti-virus software is not enough these days) are all indicators of an organisation that, IMHO, is asking for trouble.

    Maybe we need a SQL Slammer/Nimda/Code Red/Conficker every couple of years to wake up the IT Managers…

Leave a Reply