Wilders Security Forums  
#26  April 18th, 2012, 01:32 PM  Hungry Man
Re: Why should (or shouldn't) you update your Operating System?

Quote:
Originally Posted by BrandiCandi
The same principle that applies when you're being chased by a bear: you don't have to outrun the bear, you just have to outrun your friend.

I'm more interested in the academic approach. Ultimately I'd like to know how to secure an enterprise system, and the only way to do that is to assess each update. Do enterprises really do that? It seems unlikely that companies would pay for the expertise and time to really evaluate each update unless they were mandated to do so by law. Maybe small companies use the approach of install all updates & if one breaks it just roll back. Does anyone know?
Defense in depth is exactly that - in depth. That means that you understand your vulnerabilities (both in terms of software and design) and you address them properly. The "properly" part comes with a whole bunch of things - use what's in the kernel, for example.

Companies often do not roll out patches immediately. Stability is far more important than security for most, and rightfully so - they have their priorities.

Companies also likely have a server babysitter who sits there and reads logs from the firewall and IDS/IPS. You don't have these things - you don't hire someone to sit on your router and read everything that happens etc.

I will also say (because I believe you are on Linux) that it's a bit less important to patch on Linux. Because of the tools provided you never really have to leave the kernel if you want security, you have apparmor/selinux built right in and many services make use of those by default. You can't get that on Windows (Windows 8 may potentially bridge the gap) and users will need to go to third party security programs to achieve similar goals. I'm not trying to make this a linux vs windows, only bringing this up because I think you are on Linux and it directly addresses your question.

If you're on Windows patching is very important because the tools provided really rely on the kernel not being vulnerable and local exploits are easier to create the more room you give the program to work.
#27  April 18th, 2012, 01:59 PM  Peter2150

Quote:
Originally Posted by BrandiCandi
"Thorough back program" being Online Armor, Sandboxie, Appguard, image and backup?

That should have been backup. I run Shadow Protect's continuous incrementals, and back up data to several drives, as well as two cloud-based backup services.

Pete
#28  April 18th, 2012, 02:57 PM  BrandiCandi

Quote:
Originally Posted by Peter2150
that should have been backup. I run Shadow Protect's continuous incrementals, and backup data to several drives, as well as two cloud based backup services.
Oh, got it. I presume the backups are for whenever you're not certain if you've been compromised & you just reinstall?

@ Hungry Man: Yes, I'm on Linux, but I also run Windows. I'm pretty sure you're following the thread in another forum on the same subject (or someone's doing a spot-on job of impersonating you LOL). I agree with most of what you said except for something I'm a bit passionate about: it's not really any easier to compromise a Windows machine than a Linux machine. Windows desktops are definitely targeted more. But if you were to fire up Metasploit, as an attacker it's a bit less work to own a vanilla Linux box than a vanilla Windows one (plus Linux users don't really use anti-virus programs, so I don't think you have to bother obfuscating the payload like you do for Windows). However, poorly configured Linux servers are targeted and commonly compromised. Once you install a server, obscurity won't protect you anymore.
#29  April 18th, 2012, 03:17 PM  Hungry Man

Yeah I posted like 2-3 times on there though mostly because of the discussion we were having on an IRC about that. We ended up talking about how AppArmor is able to prevent remote exploitation and different methods of enforcement etc.

In terms of whipping up an exploit it's usually considered just as easy on any modern OS (OS X, Linux, Windows). They all pretty much have the same types of holes with the same security mitigation techniques at this point. This obviously changes depending on the distro and usage. If I'm running hardened Gentoo with grsec and various security LSMs, the cost of an exploit is going to be way higher than on Windows 7.

What I mean by it being easier on Windows is that if you're in a low-integrity process you have more room to run a local exploit than if you're in an AppArmor'd process. SELinux will validate function parameters, it'll prevent and audit disk access, it's all very finely grained. That's why it's harder to come up with a remote/local exploit with even AppArmor. It's also much easier to implement AppArmor than integrity levels, in that AppArmor can be applied to any program on the system and integrity only works with programs that already fit into that sandbox. Both are pretty powerful; it's just possible to get fine-grained access control on Linux (to an extreme) and it's possible to pretty much AppArmor everything.

I would elaborate further but it'll just end up turning into a windows vs linux topic. To make the point briefly: on Windows you're running very few programs at low integrity (the only ones I know of are Chrome, IE, and Adobe Reader), on Linux you can run every program in a restrained environment pretty damn easily and by default there are many services already restrained.
#30  April 18th, 2012, 03:41 PM  noone_particular

Quote:
One day after seeing an MS advisory that said without this patch I was at extreme risk, I thought wait a minute. Yesterday before the advisory I was fine, and now suddenly I am at extreme risk. Hmm.
I can't begin to count how many times they've done that with both updates and "upgrades". One that still makes me laugh was the WMF exploit.
From SANS:
Quote:
Note: If you're still running on Win98/ME, this is a watershed moment: we believe (untested) that your system is vulnerable and there will be no patch from MS. Your mitigation options are very limited. You really need to upgrade.
I tested it with multiple variants of that exploit I'd captured, one of which was missed by every AV. None of them would run on 98. Sure, one could argue that these could easily be made to work against 98. Nobody did and no one is going to. Is 98 vulnerable? Who knows. If it is, are my defenses adequate? Untested. Until I see something beyond theory, I'm not going to worry about it.

I won't argue that it's preferable to have a secure kernel. IMO reducing, protecting and isolating the attack surface is more important. I can't look at a system with 20 ports open by default (Win 7) and believe that it's secure. Explain to me why some of them can't be closed: not blocked with a firewall, CLOSED. Ports are open so they can receive unsolicited incoming connections. Why is this tied to services that can't be disabled without causing problems? Explain to me how it's secure when PowerShell and functions like LoadLibraryEx bypass the built-in defenses by design. Call it what you choose. I call it a backdoor.
__________________
Sitting in a bunker, here behind my wall, waiting for the worms to come.
#31  April 18th, 2012, 04:01 PM  Hungry Man

Upgrades do minimize attack surface.

https://en.wikipedia.org/wiki/Securi...vice_Hardening

These were fairly important for breaking shatter attacks and others.

Quote:
Ports are open so they can receive unsolicited incoming connections. Why is this tied to services that can't be disabled with out causing problems.
Not sure what you mean. NetBIOS/discovery of other devices on the network can be disabled, and it exists in similar form on OS X and Linux. Ubuntu has a port open (avahi, which is incidentally sandboxed) for this purpose. I don't know about OS X except that it exists for it.

What other open ports are there besides those 4?
#32  April 20th, 2012, 01:11 PM  noone_particular

Hardening and reducing the attack surface are two completely different things. Hardening toughens the necessary attack surface. Reducing or minimizing removes what isn't necessary. The results of each are just as different. Hardened means more difficult to exploit or defeat. An attack surface that's been removed can't be exploited. You can't attack something that isn't there. Refer to the image in the first post of this thread. That is ridiculous. With an attack surface this big, it better be hardened. Tell me that this operating system's "hardened" attack surface is more secure than a system that doesn't expose those ports at all.

Refer to this thread. Explain to me why this port can't be closed (not blocked or restricted, closed) without disabling other parts of the system. I can see what it's been tied to, but I don't see one good reason why besides making it very difficult or impossible to completely close it. Ports are open so an app or service behind them can receive unsolicited incoming traffic. Why is that necessary? I'm old school here. AFAIC, minimizing the attack surface means eliminating all potential points of entry that are not necessary, not just blocking them with a firewall. Using a firewall to block access to an open port is a band-aid approach that treats the symptom and ignores the underlying problem.

Regarding LoadLibraryEx, does this still bypass AppLocker? Is the "solution" still just a hotfix available only to those who learned of this problem, not something that should be immediately patched? Even the old free version of SSM intercepted LoadLibraryEx, but such apps don't work on Win 7 anymore. Can PowerShell still defeat AppLocker? What good is such built-in security when it can be defeated/bypassed by normal system calls and built-in utilities? What is AppLocker? A watered-down, built-in replacement for HIPS that doesn't cover certain built-in components and allows certain system calls to bypass it entirely? No thanks.
#33  April 20th, 2012, 02:28 PM  BrandiCandi

I can see what you're saying. Reducing/minimizing really has nothing to do with updating. But it's a basic security principle: you should only run services you need. Windows serves an enormous population, most of which is completely computer illiterate. So it serves Windows and the customers well to have everything enabled, because few people know how to enable it manually. But for the more savvy user that means they need to disable crap they don't use. You have to balance security with functionality; they'll always be at odds.

The principle of disabling unused crap is true in any operating system. I had to disable some useless pre-packaged stuff in Ubuntu, like remote desktop. Some distros are more bloated than others, I think Ubuntu is bloatier (is that a word?)
#34  April 20th, 2012, 02:33 PM  BrandiCandi

As for port 135, that includes Domain Name Server (which resolves IP addresses to human-readable names) and DHCP (which assigns the IP address to your computer). If you successfully disable those you will have an expensive hunk of useless junk.
#35  April 20th, 2012, 03:03 PM  noone_particular

DNS server and DHCP use port 135 on Win 7?
Quote:
If you successfully disable those you will have an expensive hunk of useless junk.
I have both of those disabled on XP. Static IP and the apps resolve their own DNS as needed. Is that no longer possible on 7?
Quote:
Some distros are more bloated than others, I think Ubuntu is bloatier (is that a word?)
Still a big difference in scale. Ubuntu and other Linux versions have grown from a CD to DVD sizes, but that includes the OS and a pile of software. Windows consumes more than that with the OS alone.
#36  April 20th, 2012, 05:12 PM  BrandiCandi

Quote:
Originally Posted by noone_particular
DNS server and DHCP use port 135 on Win 7?

I have both of those disabled on XP. Static IP and the apps resolve their own DNS as needed. Is that no longer possible on 7?
Wait, never mind. It's for remote management of DHCP and DNS servers. Yeah, I'd want that disabled.
#37  April 20th, 2012, 05:14 PM  BrandiCandi

Quote:
Originally Posted by noone_particular
Still a big difference in scale. Ubuntu and other Linux versions have grown from a CD to DVD sizes, but that includes the OS and a pile of software. Windows consumes more than that with the OS alone.
True. But my point is that you're always going to want to find out what services come with any OS & disable whatever you're not going to use.
#38  April 20th, 2012, 09:22 PM  noone_particular

Quote:
But my point is that you're always going to want to find out what services come with any OS & disable whatever you're not going to use.
Yes, I expect to have to do this. I also expect that I should be able to disable/remove whatever services I feel are unnecessary without finding that other necessary services are dependent on the ones I want to disable.
#39  April 20th, 2012, 10:09 PM  BrandiCandi

Quote:
Originally Posted by noone_particular
Yes, I expect to have to do this. I also expect that I should be able to disable/remove whatever services I feel are unnecessary without finding that other necessary services are dependent on the ones I want to disable.
meh.

Unless you understand every service & all their dependencies I don't know how you could. I sure don't.
#40  April 21st, 2012, 10:44 AM  noone_particular

Quote:
Quote:
Yes, I expect to have to do this. I also expect that I should be able to disable/remove whatever services I feel are unnecessary without finding that other necessary services are dependent on the ones I want to disable.
Unless you understand every service & all their dependencies I don't know how you could. I sure don't.
That's exactly my point. In the 2nd thread I linked to, it discusses DCOM and port 135. This page on Black Viper's site has info on that service and lists the services that depend on it for each version of Windows. Compare the service dependencies of DCOM for Win 7, Vista, and XP. On XP nothing else depended on it. Look at the list for Vista and 7. They've made certain that the service has to run because about 30 others depend on it that didn't need it before. I don't see this as an improvement or an advantage.

Services are one of the primary reasons I've kept 98 as my primary system. Even if I connect it directly to the net, no router, firewall, etc, I'm exposing no entry points. There are none, save those used by Tor. Even this is hardened on my system. Tor can't parent any other process and write permission has been removed for the folders it uses.

If you're interested in services and how they interact, look through Black Viper's site. Compare how it's changed from XP to now.
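Posts #38 through #40 turn on the same practical problem: you want to disable a service, but other services you do need may depend on it, directly or through a chain, and nobody memorizes the whole dependency table. That is a graph question, and it can be answered mechanically before anything is turned off. The code below is an added example, not from this thread or from Black Viper's site: it builds the reverse dependency graph from a "which services does X require" table and computes, for any service, the transitive set of services that would stop working, then checks a proposed set of services to disable against that. The service names and the dependency table are constructed placeholders for the example, not a real Windows service list.

```python
from collections import deque
from typing import Dict, Iterable, Set

# Constructed dependency table with hypothetical service names (svc_* is a
# placeholder prefix).  Key = service, value = the services it requires to run.
SERVICE_REQUIRES: Dict[str, Set[str]] = {
    "svc_rpc_mapper": set(),
    "svc_dcom_launcher": {"svc_rpc_mapper"},
    "svc_event_log": set(),
    "svc_remote_mgmt": {"svc_dcom_launcher"},
    "svc_print_queue": {"svc_dcom_launcher", "svc_rpc_mapper"},
    "svc_dhcp_client": {"svc_event_log"},
    "svc_telemetry": {"svc_remote_mgmt"},
}


def invert(requires: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Reverse the edges: service -> services that directly depend on it."""
    dependents: Dict[str, Set[str]] = {name: set() for name in requires}
    for name, needs in requires.items():
        for needed in needs:
            dependents.setdefault(needed, set()).add(name)
    return dependents


def dependents_of(service: str, requires: Dict[str, Set[str]]) -> Set[str]:
    """Every service that stops working, directly or transitively, if `service` is disabled."""
    reverse = invert(requires)
    seen: Set[str] = set()
    queue = deque([service])
    while queue:  # breadth-first walk over the reverse graph
        current = queue.popleft()
        for dep in reverse.get(current, ()):
            if dep not in seen:  # `seen` also terminates the walk if the table has a cycle
                seen.add(dep)
                queue.append(dep)
    return seen


def safe_to_disable(candidates: Iterable[str], requires: Dict[str, Set[str]]) -> Set[str]:
    """Subset of `candidates` whose removal breaks nothing outside the candidate set."""
    wanted_off = set(candidates)
    return {s for s in wanted_off if dependents_of(s, requires) <= wanted_off}


def collateral_damage(candidates: Iterable[str], requires: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """For each candidate that is NOT safe, the services outside the set that would break."""
    wanted_off = set(candidates)
    report: Dict[str, Set[str]] = {}
    for s in wanted_off:
        broken = dependents_of(s, requires) - wanted_off
        if broken:
            report[s] = broken
    return report


if __name__ == "__main__":
    plan = {"svc_dcom_launcher", "svc_telemetry"}
    print("safe:", sorted(safe_to_disable(plan, SERVICE_REQUIRES)))
    for svc, broken in collateral_damage(plan, SERVICE_REQUIRES).items():
        print(f"disabling {svc} would also break: {sorted(broken)}")
```

The table is the only platform-specific part. On Windows, the objects returned by `Get-Service` carry a `ServicesDependedOn` property that gives exactly this "requires" relation, so a real table can be exported from a host and fed to the same functions; on Linux, `systemctl list-dependencies --reverse <unit>` answers the single-service question directly. The point the example makes is the one in post #40: when one low-level service acquires dozens of dependents, `safe_to_disable` for that service comes back empty unless you are prepared to turn off everything above it as well.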