Archive for the 'Patching' Category...
Filed under Patching, Security
I have stated that I do not like third-party patches. Here are some reasons:
- It can open other avenues of attack, since the bad guy is likely to start studying the third-party patch for security holes.
- Potential problems caused by the unofficial patch when installing the official vendor patch
- Management headache of uninstalling the unofficial patch
- Possibly causing support problems with the vendor because of the unofficial patch
Now, there is a possibility that one of these reasons may no longer be an issue. SC Magazine has an article talking about the new MSFT flaw and the patches that have been released by Determina and ZERT. Both of these organizations claim that their patches do not need to be uninstalled to apply the official MSFT patch. If that is true, then the third issue from the above list is a non-issue. Now, that “if” is really big, and you would have to limit your patching to those organizations that build their patches in such a manner.
Now, I know something about Determina. I have seen this product installed, and I know basically how it performs. Essentially, it creates a shield around processes in memory, almost running each process in its own virtual memory space. It then does not allow any unauthorized access to those processes. It is basically a host-based IPS, but it does not rely on signatures to stop attacks. It is a pro-active solution, and from what I have seen, it is a good product that allows you to relax your patching posture.
However, if they are fixing the flaw in the same manner, then they are not actually patching but are actually just shielding your system from the attack. So I would not call this a patch at all. However, it does work. To test it yourself, first go here to test if your browser is vulnerable. WARNING: if your browser is vulnerable, then it WILL crash. I have run the test, and it DOES crash your browser (of course, you’re fine if you are running Firefox, which I suspect many are that are reading this blog). Now that you have seen it crash, you can go download Determina’s “shield” from here. Run the MSI. Close all instances of IE, then go back to the test site and run it again. You should not be affected this time.
I did not run the ZERT patch (if that is what it is) because it looked a lot more complicated in its execution and I did not want to risk it. The Determina fix was packaged neatly in an MSI as well, so I have to believe that it is much easier to push out than the ZERT fix.
So make your own judgements with this new breed of third-party fixes / patches / shields. I still don’t advocate them completely, but if they work as the Determina and ZERT fixes claim, then I am less hesitant than before.
Vet
Posted by Michael Farnum on Monday, October 2nd, 2006
Filed under Me, Overworked, Patching, Security, Security Management
…is crap like this. I am honestly tired of having to worry about keeping up with the latest security flaw and making sure my IPS has the latest filters and trying to make sure my network admin is keeping the patches up to date and yada yada yada. It just gets old.
A while back, I published a list of all the things I do on a daily / weekly / monthly basis as a security manager. When I look back at that list, I am seeing about nine-tenths of it as reactionary chores. And I am tired of being in such a state of constant reaction, even when I do everything I can to be proactive. It just gets old.
I realize this may sound discouraging. Believe me when I say I don’t want to give up the fight. I just want to help some other people fight the fight instead of being on the front lines every day.
When I first thought about it, it kinda felt like the front line troops were going to lose a man to battle fatigue. But to clarify by carrying the military analogy a little further, think of me as a REMF (ask your military buddies - they know what that stands for). Basically, REMFs are the people who sit in the back away from the front lines. They drive fuel trucks, they fix broken vehicles, they cook food, deliver MREs, deliver ammunition, etc. They are support. They don’t always get a lot of respect. But without the support the REMF provides, the grunt, the M1A1 tank crewman, the Apache pilot, and the howitzer gunner can’t fight the fight. So you gotta love the REMF, even if he is not looking at bullets every day.
It may sound like I am trying to convince myself that I am making a good move, and to some degree I probably am. I know this is the move I am supposed to make. I feel that deeply. I just want people to know that I am not giving up. I am just moving to the back lines. Is there some fatigue? You betcha. But I am not going to be the guy who Patton slaps. I’m gonna be the guy driving the ammunition to the front line so you can shoot at the bad guys.
Of course, if the guy who brings the ammunition had to convince the tank commander every time that his ammunition was better than that other guy’s ammunition, and that his ammunition fit better in the gun tube and would make pretty lights when he shot it down range, then our military would be in a bad way. OK, so maybe the analogy doesn’t play all the way through, but work with me here, OK?
Vet
Posted by Michael Farnum on Tuesday, September 5th, 2006
Filed under Defense in Depth, Patching, Security
This story talks about using third-party patches for security flaws instead of waiting for the vendor to put out a patch. Personally, I am dead-set against it (I posted a while back about it, but I am too lazy to go look for it) for the same reasons the security pros in this article are against it.
- It can open other avenues of attack, since the bad guy is likely to start studying the third-party patch for security holes.
- Potential problems caused by the unofficial patch when installing the official vendor patch
- Management headache of uninstalling the unofficial patch
- Possibly causing support problems with the vendor because of the unofficial patch
And I am sure there are more issues. One of the main points brought up in the article is that if you have a good defense-in-depth infrastructure, you can maintain good security without the need to install patches right when they come out. One comment struck me:
Using a mitigation strategy like blocking certain ports or shutting certain programs is the better solution. The user may have to go without a feature for a week, but it’s better than taking a risk with a third-party fix that you then have to go and uninstall before installing the real patch.
I couldn’t agree more. And if you have a good IPS vendor with a quick signature turn-around, then you can probably have the ports turned back on or the features back in operation much quicker.
I talked about this on Alan Shimel’s podcast a few weeks back as well. He asked me what Patch Tuesday was like for a security manager like myself, and I basically told him that it was no big deal really. I trusted in the security I had in place. I’m not saying I’m invulnerable. But locking down the infrastructure and paying attention to current threats and responding to them in a timely manner is the key to stopping attacks before patches are available.
Vet
Posted by Michael Farnum on Monday, August 28th, 2006