
SANS ISC InfoSec Handlers Diary Blog



Cyber Security Awareness Tip #24: Not all patches are released on a Tuesday

Published: 2007-10-24
Last Updated: 2007-10-24 17:10:04 UTC
by Daniel Wesemann (Version: 2)

Big kudos to Microsoft, really. Even my not overly tech savvy dad knows by now that he must make sure to get his patches on the second Tuesday of the month. While one might argue over the sorry state of software development that makes monthly patching a must, I still think that the concentrated effort and foghorn message of Microsoft for monthly patching has done a lot of good.

So much good, in fact, that plenty of home users are carefully updating their anti-virus and downloading their Windows patches once a month, and still end up providing their online banking credentials, in blissful ignorance, to the latest key logger. How did it get onto the system? Either through not-so-free freeware that the user obligingly installed, or, increasingly, through drive-by downloads lurking on certain web pages. A year or so ago these drive-bys went after the Microsoft vulnerability-du-jour, but nowadays they seem to primarily target third party software.

Only last week, we unraveled an obfuscated web page that tried to exploit Baofeng (10.Sep), Powerplayer (31.Aug), ThunderDap (28.Sep) and Yahoo Webcam (5.Jun). All are media players of some sort, and certainly not overly popular. The date in brackets indicates when the corresponding vulnerability/PoC was documented, so some of the sploits were pretty "fresh". The bad guy nowadays has a choice - to try to find those user PCs that didn't do anything on Patch Tuesday by going after a well documented Microsoft vulnerability, or to attack software components that are relatively rare, but where pretty much everybody who has the component installed will also be exploitable. It is clearly the latter that's on the upswing.

Since there is (to my knowledge) no clear-cut approach available that would tell a home user that his machine is ripe for exploitation and which third party patches are needed, the best advice I can usually give to a home user is to check the installed software every quarter or so, to throw out all the pieces never used, and to check the web sites of the remaining components for newer versions. Yes, this is a herculean task, but in my opinion a necessary one. If you don't do it for all your software, at least check the components which routinely talk to the net (chat software, music and video players, browser plugins, web browsers, filesharing apps, mapping software, etc.). Some of them might do "auto update", but most don't, or at least don't do it right.
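As an added example (not part of the original diary), a PowerShell script that builds the installed-software inventory the quarterly check starts from, reading the registry Uninstall keys and flagging entries that look like the net-facing components listed above. The keyword pattern is an assumption and will need tuning for your own machine.

```powershell
# Added example: list installed software from the Windows registry Uninstall keys,
# record name/version/publisher, and flag the kinds of components that talk to the net.
$uninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumed keyword pattern for software that routinely talks to the network
# (media players, codecs, browser plugins, chat, filesharing, mapping). Tune as needed.
$netFacingPattern = 'player|media|codec|flash|java|quicktime|chat|messenger|skype|torrent|share|browser|firefox|opera|plugin|map'

$inventory = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    ForEach-Object {
        [PSCustomObject]@{
            Name        = $_.DisplayName
            Version     = $_.DisplayVersion
            Publisher   = $_.Publisher
            InstallDate = $_.InstallDate          # yyyyMMdd when the installer recorded it
            NetFacing   = ($_.DisplayName -match $netFacingPattern)
        }
    } |
    Sort-Object @{ Expression = 'NetFacing'; Descending = $true }, Name

# Net-facing entries come first: these are the ones whose vendor sites to check for newer versions.
$inventory | Format-Table -AutoSize

# Keep a dated copy so the next quarterly review can be compared against this one.
$stamp = Get-Date -Format 'yyyy-MM-dd'
$inventory | Export-Csv -Path "software-inventory-$stamp.csv" -NoTypeInformation
```

Entries with no DisplayName (usually patches and components without an uninstall entry) are skipped, so the list is a starting point, not a complete picture of what is on the machine.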

Surfing the Internet with a browser that doesn't speak ActiveX helps as well, in most cases. But we don't want to solely rely on a single line of defense now, do we?

Update 1422UTC: Several readers writing in are recommending the free-for-personal-use "Secunia Personal Software Inspector" (psi.secunia.com) to identify third party software that needs updating. I don't have any hands-on experience with this tool yet, but the majority opinion of our readers is usually quite reliable.
