News
The Security Cycle
- By Mike Gunderloy
- June 11, 2004
Think back a while, and you'll recall a time when Microsoft was pushing out
security patches for its products every couple of days. At the time, systems
administrators were suffering from a sort of patch fatigue, when the constant
need to fix systems (and usually reboot them) was just getting to be too much
nuisance. Of course, it was also a public relations disaster to have Windows or
Internet Explorer patches in the news so frequently. Whatever the reason,
Microsoft moved to its now-standard policy of releasing batches of new security
patches the first Tuesday of every month, which is starting to be called "Patch
Day" by sysadmins.
Unfortunately, it looks like sysadmins are not the only ones who have gotten
wise to Patch Day. This month Patch Day was on the 8th (why it was the
second Tuesday in the month I have no idea), and the patches were pretty
low impact: an information disclosure bug in Crystal Reports and a Denial of
Service associated with DirectPlay. By Friday of the same week, the security
mailing lists were starting to discuss sightings of the bug that's being called
Coelacanth (for those of you not up on obscure animals, that's a big Phish).
Without going into the details (you can find them by reading the archives of
the NTBugTraq mailing list, among other
places), security researchers exploring the Coelacanth bug have found that they
can use it to convincingly imitate an SSL-secured site, down to the https: URL and
the little gold lock in the status bar of Internet Explorer. People so inclined
could use this to imitate an actual page from, say, a bank in order to steal
passwords.
Of course, this particular hole in IE's security is only one of several that
are floating around at any given time. If you follow the security mailing lists,
you'll soon realize that it's simply not safe to click links that you don't
trust. But what worries me here is the timing. Sure, maybe it's just a
coincidence. But maybe the bad guys are realizing that the best time to start
exploiting new bugs is right after Microsoft has released its patches for the
month.
Personally, I think I would prefer more rapid patch response on a schedule of
"when bugs are found" than the current monthly schedule. But then, I'm not
maintaining 5,000 servers. In any case, this seems to be a case of "damned if
you do, damned if you don't." Whether Microsoft patches on a monthly schedule or
on-demand, they're going to upset some people. The real answer would be software
that didn't need this constant stream of patches - but an increasing number of
people are skeptical that this wonderful state of affairs can or will ever be
reached.
About the Author
Mike Gunderloy has been developing software for a quarter-century now, and writing about it for nearly as long. He walked away from a .NET development career in 2006 and has been a happy Rails user ever since. Mike blogs at A Fresh Cup.