Microsoft Patches: Do you need them?

Discussion in 'other security issues & news' started by Rmus, Jan 8, 2007.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    A friend stopped by the other evening, and had a rather distraught look on her face. "I've just heard that Microsoft has removed four of the patches for next Tuesday, and I just don't know what to do: How will I protect myself against these unknown vulnerabilities? I guess I'll just stay off-line until they are released." As she saw my puzzled look, she could no longer keep a straight face, and burst out laughing. With a sigh of relief, I realized that another "Patch Tuesday" would pass without her breaking her habit of not installing patches.

    Say what? How can this be? Surely her computer is just crawling with worms.

    Before you freak out too much, let me ask, how many read the MS Bulletins to assess the vulnerabilities? I subscribe to them, and will say that studying them is very educational.

    Those that do read them, are you convinced that the patch is necessary? Last year Microsoft issued 78 Bulletins. From a few of them:

    What if you don't use WMP?

    Do you know what RIS does? If you block port 69 with a firewall, do you think this patch is still needed?

    What if you don't use Outlook Express?


    Are you concerned that someone could gain logon credentials to your computer?

    What if you don't use VS?

    What if you don't use WebView? Or Internet Explorer?

    As my friend and I agree, part of security planning is to decide the likelihood that a particular vulnerability could occur on your computer.

    I've always been curious as to whether or not people install all of these patches as a matter of course, or are selective about which they install.

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
  2. divedog

    divedog Registered Member

    Joined:
    Jun 7, 2004
    Posts:
    265
    Location:
    Seabeck WA
    What would be the down side of installing the patch?
     
  3. eyes-open

    eyes-open Registered Member

    Joined:
    May 13, 2005
    Posts:
    721
    Hi Rich :)

    I pretty much take what's offered.

    2 reasons:-

    Firstly if anything that attracts attention, such as WGA, sneaks through unwanted, I can always use my backups to rollback to an earlier point.

    Secondly, I'm not a purist, eg. I don't use nlite etc to strip the OS down. So lacking that focus, it's just another information set I'd probably have to keep track of - just in case I change my mind about an installation at some point down the line.
     
  4. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    I use nLite to slipstream xable's update pack and then afterwards I use nLite to put XP on a diet. For all I know, some of the patches might as well not have been installed.

    I don't use Microsoft/Windows Update. I just wait till the next update pack.
     
  5. Ice_Czar

    Ice_Czar Registered Member

    Joined:
    May 21, 2002
    Posts:
    696
    Location:
    Boulder Colorado
    If you haven't replaced the shell and/or ripped IE out with nLite or XPLite,
    you use WebView ;)

    It's what makes IE such an integral part of the OS ;)


    Some patches are critical (can you say Blaster & Sasser :D ).
    Most really aren't, but the difference eludes 90-plus percent of the users.
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Well, I'm a bit confused now, because I understood that webview is not enabled when using Classic View:

    http://support.microsoft.com/kb/819028
    "Note You can use Web view for all Windows Explorer views unless you use Windows classic folders."

    From the Win2K Help file:

    "To turn off Web view in folders, click Use Windows classic folders"

    I'll have to do some more checking on this.

    regards,

    -rich
     
  7. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
  8. Ice_Czar

    Ice_Czar Registered Member

    Joined:
    May 21, 2002
    Posts:
    696
    Location:
    Boulder Colorado
    Ah... you are correct.
    It's listed as a workaround to block the attack vector in Windows Explorer:

    http://www.microsoft.com/technet/security/Bulletin/MS05-024.mspx

    emphasis mine :D

    but webview is still there in Windows Explorer\IE unless you rip it out by replacing the shell or IE
    however the ability to launch the exploit is broken without the preview
     
  9. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    I always have my updates set to
    then I'm presented with the yellow shield so I can choose my updates and select the ones I don't want to hear about again (these updates can be seen again at update.microsoft.com). Because of my web appliance I can even wait a bit to see what the update does and how it performs before I decide what to do.
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I'm not sure what you mean by down side, unless those instances where the installation has not gone well. This, of course, you wouldn't know ahead of time, unless others had reported a problem.

    regards,

    -rich

     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    How do you select the ones you want to install?

    regards,

    -rich

     
  12. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    With a tick in the box and press the download button; then for any patches not downloaded you're asked if you want to forget these... but I'm not really sure if you meant that, or how I decide what I want to install? Anyway, if you meant the latter, I use a vulnerability database which gives me more time before applying the patch, so that I can wait to see if the fix breaks anything and/or another patch is offered instead.

    Here's a shot I took awhile ago to explain something which will also show you an example of a box...
     

  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks for that explanation!

    Just for my own knowledge, I'm interested in the different ways in which people go about installing patches.


    regards,

    -rich

     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
  15. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    You can set something up for free if you care to man the rules yourself or use something like a free network intrusion detection and prevention software - realtime traffic analysis detecting content, protocol, attacks and probes.
    Anyway here's my setting which I forgot to include, although as you can see automatic is recommended.
     

  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    If by critical, you mean the patches address a critical function of the OS, then OK.
    If by critical you mean they are necessary or you will be exploited, then I would disagree.

    In the early days of Windows 2000 there were rumblings about the whole matter of services, ports, etc. Some of the knowledgeable security people in my circle of friends began to revisit the area of network protection.

    There was a lot of confusing information floating around about services and ports, one item being ports "listening," that this meant you were vulnerable:

    http://www.urs2.net/rsj/computing/imgs/kerio-listen.gif

    However, it became clear that a service or component can "listen" all it wants but can't respond if the port is closed, either by the OS, or by a firewall:

    http://www.urs2.net/rsj/computing/imgs/kerio-445.gif

    Both SASSER and MSBLASTER worms typically propagate via network connections or through email attachments. Blaster, via port 135 and Sasser, port 445. Now, no one could have anticipated those worms, but for those who had secure firewall configuration, those worms never crawled in. We still see activity today on those ports as part of typical probes:

    http://www.urs2.net/rsj/computing/imgs/kerio-135445a.gif

    Interestingly, there was another blocking point, should there have been intrusion via an open port:
    Dropped files of SASSER and MSBLASTER

    MSBLAST: Msblast.exe
    WORM_SASSER: AAvserv.exe
    But that's for another discussion.

    So, while the patch was certainly welcomed, for many it wasn't necessary.

    There are lots of similar examples - a recent one being the MSWord exploit. At the University, where faculty view dozens of Word.doc files weekly from students, standard procedure was to use WordViewer for all non-user originated word files. In the early days, the concern was the macro virus. Using WordViewer precluded worrying about a virus database being up-to-date.

    With the recent exploit targeting WordViewer, we just switched to a text editor. So, even though there is yet no patch available, for us, the exploit is a non-issue.

    Once exploits become known, I have found that

    1) I can ignore them because they don't apply to my situation

    2) I can often find ways other than patches of dealing with them - very helpful since the next patch date might be weeks away!


    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier​
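The reasoning in the post above (a service can listen all it wants, but if the port is closed by the OS or dropped by the firewall it cannot be reached, so a bulletin for a network-facing component only matters when the component is installed and its port is actually exposed) can be turned into a repeatable check. The block below is an added example and is not code from the thread or from any of its participants. The bulletin identifiers (EX-00x), the component names, the host inventory and the firewall log format are all constructed for illustration; the only things taken from the thread are the port/worm pairings (135 for Blaster, 445 for Sasser) and the port 69 question from the first post.

```python
"""Added example (not from the thread): decide which bulletins actually
matter on a host by combining three facts the thread points at:
  - is the affected component installed at all?
  - is the service listening?
  - is the port dropped by the firewall before the service can answer?
Bulletin IDs, component names, host data and log lines are constructed."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Bulletin:
    id: str            # hypothetical identifier, not a real MS bulletin number
    component: str     # affected component as named in the bulletin
    ports: frozenset   # ports the vulnerable service is reached on; empty = file/local vector


@dataclass
class Host:
    installed: set     # components present on the box
    listening: dict    # port -> service, as shown by netstat or a firewall's listen view
    blocked: set       # ports the firewall drops inbound


def exposed_ports(host: Host) -> set:
    """Ports that both listen and are reachable: the real attack surface."""
    return {p for p in host.listening if p not in host.blocked}


def triage(b: Bulletin, host: Host) -> str:
    """Classify one bulletin for one host, in the thread's own terms."""
    if b.component not in host.installed:
        return "skip: component not installed"
    if not b.ports:
        return "patch or avoid: local/file-based vector, firewall does not help"
    reachable = sorted(b.ports & exposed_ports(host))
    if reachable:
        return f"patch now: reachable on {reachable}"
    return "mitigated: port(s) closed or blocked, patch at leisure"


# Constructed firewall log line: timestamp action proto src:port -> dst:port
LOG_RE = re.compile(r"^\S+ (?P<action>Blocked|Permitted) (?P<proto>TCP|UDP) "
                    r"(?P<src>[\d.]+):\d+ -> \S+:(?P<dport>\d+)$")


def probe_counts(lines) -> Counter:
    """Count blocked inbound hits per destination port (the 'typical probes')."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and m["action"] == "Blocked":
            counts[int(m["dport"])] += 1
    return counts


SAMPLE_LOG = """\
2007-01-10T08:01:12 Blocked TCP 203.0.113.5:4410 -> 192.0.2.10:445
2007-01-10T08:01:13 Blocked TCP 203.0.113.5:4411 -> 192.0.2.10:135
2007-01-10T08:02:40 Blocked TCP 198.51.100.7:3201 -> 192.0.2.10:445
2007-01-10T08:03:05 Permitted TCP 192.0.2.20:51022 -> 192.0.2.10:3389
2007-01-10T08:04:55 Blocked UDP 198.51.100.9:1024 -> 192.0.2.10:69
""".splitlines()

HOST = Host(
    installed={"RPC/DCOM", "LSASS", "Windows Media Player", "Internet Explorer"},
    listening={135: "RPC/DCOM", 445: "LSASS", 3389: "Terminal Services"},
    blocked={69, 135, 139, 445},
)

BULLETINS = [
    Bulletin("EX-001", "RPC/DCOM", frozenset({135})),                      # Blaster's vector
    Bulletin("EX-002", "LSASS", frozenset({445})),                         # Sasser's vector
    Bulletin("EX-003", "Remote Installation Services", frozenset({69})),   # the RIS/TFTP question
    Bulletin("EX-004", "Windows Media Player", frozenset()),               # malicious media file
]


def report(bulletins=BULLETINS, host=HOST) -> dict:
    """Map bulletin id -> verdict for the given host."""
    return {b.id: triage(b, host) for b in bulletins}


if __name__ == "__main__":
    for bid, verdict in report().items():
        print(bid, verdict)
    print("blocked probes per port:", dict(probe_counts(SAMPLE_LOG)))
```

Note what the fourth bulletin shows: a file-based vector (a crafted media file, document or image) is not touched by the firewall at all, which is exactly the case where the thread's alternative of not using the component, or using a viewer that lacks the feature, is the mitigation rather than port blocking.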
     
  17. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    I like patches. Usually I install all of them in one pack, but firstly on VM :)
     
  18. eyes-open

    eyes-open Registered Member

    Joined:
    May 13, 2005
    Posts:
    721
    So Rich, just to stretch the practice a little further, when/if in 2008, SP3 pops along and assuming for the moment you're still running xp on a live box:-

    ........if SP3 is little more than a compilation of all the previous patches/updates since SP2, then do you think you are likely to not bother with SP3, in order to maintain any perceived gains from the cherry picking?

    ....... Or do you think you will update to SP3, possibly installing any patches you have carefully avoided so far, only to begin the process of selective updates again?

    ........ Are there presently any patches/updates beyond WGA that would cause you to consider avoiding SP3 if it involved having to absorb those patches as part of the whole package?

    Maybe you'd hope that SP3 would offer a selective installation?

    Maybe it's just become one of those aspects of management you enjoy but don't feel particularly protective about, so it's not something you'll give that much thought to - and you'll just update and start over without a second thought ? or won't feel able to answer until the time comes ?
     
    Last edited: Jan 9, 2007
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hello eyes-open,

    I use Win2K on my principal workstation and I do have SP4 because many applications require it.

    My laptop came with XP SP1 and when SP2 was released, after looking at Microsoft's Top Ten Reasons to install it, I saw that nothing applied to me, so I haven't installed it.

    http://www.microsoft.com/windowsxp/sp2/topten.mspx

    For myself, I would have to see what it contained. For the few home users I help, I install the SP

    Some of it has to do with what IMM brought up. Microsoft is not in an enviable position. But consider, that MS applications have attracted the majority of malware attacks, not because other vendor's products are not vulnerable, but because of Microsoft's huge world-wide consumer base: that is where the money is.

    If you accept the premise that any line of code has the potential to be mis-used, then it may not be too far in the future that other vendors will have some type of "Patch Tuesday." Consider these advisories just in the last few months of 2006:

    Multiple vulnerabilities in Symantec Veritas NetBackup

    Asus servers as virus disperser: How long the sites have been infected,
    how many customers are affected and how the malware was able to
    establish itself on the servers is not yet known.

    A cavity in Linux Bluetooth?
    Multiple buffer overflows in the cmtp_recv_interopmsg function
    in the Bluetooth driver (net/bluetooth/cmtp/capi.c)
    in the Linux kernel; Red Hat is aware of this issue and is
    tracking it for Red Hat Enterprise Linux 4

    Yahoo Messenger critical update

    Symantec AntiVirus Worm Hole allows Remote Code Execution

    Malformed MIMEs can bypass email AV filtering.

    IBM Tivoli Storage Manager Buffer Overflow

    New Adobe vulnerability

    Mac OS X Apple UDIF Disk Image Kernel Memory Corruption

    Firefox Reverse Cross-Site Request (RCSR) vulnerability

    Opera Browser CSS Attribute Handling Remote Buffer Overflow Vulnerability

    Critical security vulnerability in WinZip 10
    ________________________________________________________________
    Think of how mobile phones are starting to attract attention:

    http://mobile.f-secure.com/news/monthlyoctober06.html
    "By the end of October the total number of mobile viruses rose up to 331"

    I know that for myself and others whom I'm in contact with, it's an individual thing - just liking to be in control of our computer as much as possible.

    For example, I use Word 7 as my word processor workhorse. It uses Word Basic code (VBA began with Word 97) so I'm not affected by the latest exploits. Also, macros are stored in the template, not in the document in Word 7, so a macro virus can't propagate via a document.

    I use an older version of Acrobat Reader with most plugins disabled, so I'm not affected by the latest exploits.

    The lure to upgrade these types of applications is the added functionality. Vendors have to continually add "features" in order to stay competitive.

    I ask myself, do I need the added functions of this upgrade?

    Take Adobe Acrobat: the reader is no longer just a "reader." Its self-contained javascript and other such actions allow for the direct launching of URLS contained in the document, as an example. Nice idea, but open for abuse, as the latest PoC showed.

    So, you need a patch if you use that plugin.

    And I would install the patch it if the exploit affected me, but it doesn't. Besides, when I read about an exploit, I want to deal with it right away, and not feel vulnerable and exposed while waiting for a patch to be released.

    My interest in the "patches" themselves is how people deal with them, and what their rationale is. I think Meriadoc's solution is very interesting.

    regards,

    -rich

     
    Last edited: Jan 9, 2007
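The post above makes the point that the reader's own features (JavaScript, URL launching, plugins) are the attack surface, so whether a document-based exploit affects you depends on whether the document asks for those features at all. One way to apply that before opening an untrusted PDF is to look for the name objects that introduce active content. The block below is an added example, not code from the thread or from Adobe; the three sample PDFs are constructed inline (they are minimal skeletons, not fully valid files), and the list of risky names is the author's choice for this example rather than a complete catalogue.

```python
"""Added example (not from the thread): flag active content in a PDF before
it reaches the viewer. Looks for the name objects that introduce scripting,
launching or outbound actions, after undoing the #xx escapes a PDF name may
use (/Java#53cript is /JavaScript) and inflating FlateDecode streams, since
an action dictionary can sit inside a compressed object stream.
Sample PDFs are constructed for this example."""
import re
import zlib

# Names that introduce scripting, launching or outbound behaviour.
ACTIVE_NAMES = (b"/JavaScript", b"/JS", b"/Launch", b"/URI", b"/OpenAction",
                b"/AA", b"/SubmitForm", b"/EmbeddedFile")


def _unescape_names(data: bytes) -> bytes:
    """Resolve #xx escapes so obfuscated names match the plain spelling."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def _inflate_streams(data: bytes) -> bytes:
    """Return the inflated body of every stream that zlib can decompress."""
    chunks = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            chunks.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-encoded; its raw bytes are already scanned below
    return b"\n".join(chunks)


def active_content(pdf: bytes) -> set:
    """Set of risky names present anywhere in the file, including inside streams."""
    if not pdf.startswith(b"%PDF-"):
        raise ValueError("not a PDF header")
    text = _unescape_names(pdf) + b"\n" + _unescape_names(_inflate_streams(pdf))
    found = set()
    for name in ACTIVE_NAMES:
        # A name ends where the next non-regular character begins, so /JS does not match /JSx.
        if re.search(re.escape(name) + rb"(?![A-Za-z0-9_.-])", text):
            found.add(name.decode())
    return found


def _pdf(body: bytes) -> bytes:
    """Wrap a constructed object body in the minimum the scanner needs."""
    return b"%PDF-1.4\n" + body + b"\n%%EOF\n"


BENIGN = _pdf(b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"3 0 obj << /Type /Page /Contents 4 0 R >> endobj")

# Script runs on open and launches a URL; the action name is #xx-obfuscated.
SCRIPTED = _pdf(b"1 0 obj << /Type /Catalog /OpenAction 5 0 R >> endobj\n"
                b"5 0 obj << /S /Java#53cript /JS (app.launchURL('http://example.invalid/')) >> endobj")

# Launch action hidden in a FlateDecode stream; nothing risky is visible uncompressed.
_launch = zlib.compress(b"<< /S /Launch /F (cmd.exe) >>")
HIDDEN = _pdf(b"6 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(_launch)
              + _launch + b"\nendstream\nendobj")


def needs_hardened_viewer(pdf: bytes) -> bool:
    """True when the file should only be opened with scripting/plugins off, or converted to text."""
    return bool(active_content(pdf))


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("scripted", SCRIPTED), ("hidden", HIDDEN)):
        print(label, sorted(active_content(doc)), needs_hardened_viewer(doc))
```

A clean result is not proof of safety (object streams with other filters, encryption and malformed files are outside this check), but a hit is a definite answer to the post's question: this file wants the feature that the exploit lives in, so either the patched reader or a viewer without that feature is required.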
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Are you concerned that you might be vulnerable until the next update pack is released?

    regards,

    -rich

     
  21. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    Not particularly. And like I've said, using nLite probably makes it so I don't need as many of the updates anyway.

    I just install updates as it costs me nothing.
     
  22. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Do you need them?

    Why not download? Even if you have it covered, why not set it to automatic (critical updates) and forget all about it? o_O
     
  23. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,
    Automatic updates = Windows Genuine Advantage Notification gets installed without your consent. And who knows what else?
    Mrk
     
  24. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    Patch to OpenBSD current - but I don't always follow my own advice.
     
  25. Ice_Czar

    Ice_Czar Registered Member

    Joined:
    May 21, 2002
    Posts:
    696
    Location:
    Boulder Colorado
    Sasser & Blaster were cited as wildly successful direct exploits of the OS. Of course there are workarounds, firewalls, and just doing without: JPEGs, JavaScript, ActiveX, docs, PDF, etc. etc. etc.
    If you can't patch it, disable it; hopefully you hear about it before infection.

    Being behind a hardware NAT with a layered defense I've never had a personal problem.

    But then when the vast majority of the population was unable to patch their systems off update before they were infected....

    Do we need express install of automatic updates?
    No.
    But the rest of the world does ;)


    Using XPLite (W2K) I've obviously picked and chosen which updates to employ, but have had some concerns about dropping code that may in part be just so much junk designed to also affect subsystems no longer on the box.
    So far I've not seen any gross incompatibilities
    (maybe I should make that above the normal threshold for a hotfix to break an install) :cautious:
     
    Last edited: Jan 10, 2007