Security Watch

What Patch Tuesday's Patchy Record Means

Plus: Firefox opens up to .NET; gauging Security Essentials' enterprise chances.

• By Jabulani Leffall
• 10/19/2009

Microsoft's historic Patch Tuesday last week had the most vulnerabilities ever, but it was significant in another way: It patched nine vulnerabilities for the brand-spanking-new -- and yet to be widely released -- Windows 7 OS.

As I've wondered in this blog before -- and as others 200 million times more technically proficient than I have wondered in blogs such as this one by Imperva CTO Amichai Shulman -- is patching, or at least Redmond's patch distribution pattern, sufficient for emerging threats?

Case in point: Since October 2003, when the second Tuesday of every month first became an event for Windows enterprise admins, nearly 400 patches have been released, addressing some 745 reported and rumored vulnerabilities across every discernable operating system, server or app from Redmond. This is according to a cursory count of releases in Microsoft's security bulletin archives.

And the most patches ever came last week. Huh? We've been having a Patch Tuesday every month for six years and the biggest collection of threats came last week?

This has prompted industry watchers like Shulman -- one of the most unrelenting critics of Microsoft's patch distribution system -- to review the recent mammoth patch release and make several observations, one of which has been on Shulman's lips for a while.

"Microsoft has just reached the inherent limits of (real world) software debugging processes," he wrote. "The law of big numbers, applied to lines of code [LOC], gives us a non-zero prediction as to the number of software flaws per 1000 LOC."

The problem -- aside from the constant near-real-time inceptions, instances, incarnations and reincarnations of nasty digital "ish" -- is that according to Shulman, it takes anywhere from one to four months for the average enterprise pro to fix an urgent, high-priority vulnerability in code.

"The most pernicious of attacks, cross-site scripting, is usually fixed 30 percent of the time by developers," Shulman pointed out.
 
"Should we give up on SDLC [Microsoft's Security Development Lifecycle concept] altogether? Definitively not," he continued. "Prudent use of SDLC can dramatically improve the quality of software, and the security of the information it's processing, to the point where flaws are not interfering with common usage of the software and vulnerabilities are not abounding. However...we cannot rely on SDLC as the sole line of defense for security purposes."

Network and application firewalls, internal access control policy, and good old-fashioned vigilance are still the best bets. Who knows how much more cumbersome the patch process could get, or if more patch records will be broken in 2010?

Mozilla Opens the Door to .NET
The open source collective Mozilla, developer of the Firefox browser, said early this week that it will now allow .NET program add-ons from Microsoft -- add-ons which it said as recently as last Friday put Firefox users at risk from attack.

The now-unblocked program in question -- just one of two -- is the .NET Framework Assistant. Apparently, Microsoft addressed a flaw in .NET Framework functions in a recent patch bulletin, MS09-054, that covers "critical" vulnerabilities in Internet Explorer. But it turns out that the risk for the bugs extends beyond IE and into Firefox, especially when that browser is running on a Windows system.

Last Friday, Mozilla added .NET Framework Assistant and the accompanying Windows Presentation Foundation plug-in to its list of blocked third-party functions, warning users at the time that the functions would be barred until further notice.

There's no word on when the Windows Presentation Foundation plug-in will be unblocked, but for now, Mozilla has seen fit to defer to Microsoft in instructing users on how to deal with bugs on the rival browser.

Microsoft said in a statement early this week that "triggering this vulnerability involves the use of a malicious XBAP (XAML Browser Application). Please note that while this attack vector matches one of the attack vectors for MS09-061, the underlying vulnerability is different. Here, the affected process is the Windows Presentation Foundation (WPF) hosting process, PresentationHost.exe."

While that Windows Presentation Foundation problem is being looked at, Redmond said Firefox users with .NET Framework 3.5 installed can disable the add-ons by going to "Tools" → "Add-ons" → "Plugins," selecting "Windows Presentation Foundation," and clicking "disable." Redmond also said that if Windows users have installed the aforementioned patch for .NET, they're good to go.

How Essential Is Microsoft Security Essentials?
There may have been a million-and-a-half downloads of it in one week, and it may have found more than 4 million bugs, but don't look for heavy enterprise adoption of Redmond's Security Essentials anti-virus software any time soon.

In addition to lingering and vehement criticism of the free software product from such objective parties as competitor Symantec, which said as far back as last year that AV is "simply not in Microsoft's DNA," and more recently from Eugene Kaspersky, founder of Kaspersky Labs, who in several news articles has called the program "Windows TwoCare" in reference to the critically panned Windows OneCare service that Security Essentials is now replacing, there's the question of what Microsoft's ultimate plan is for Security Essentials.
 
Some say the early interest and detection schemes are one thing, but Microsoft still needs to prove itself.
 
"MS Essentials is a good product, but it won't be the application that puts Symantec or McAfee out of business," wrote Andrew Storms, director of security for nCirlce, in an e-mail. "This is primarily because the enterprise will be very slow to adopt it. Enterprises migrate to any new product very slowly due to multiyear support agreements. Besides, Microsoft still has to prove itself in the anti-virus arena before enterprises will take a serious look at the product."

Storms goes on to point out, for example, that Windows Defender has been available for a while and it, like Security Essentials, is free but "hasn't measured up with its anti-spyware competitor products."