
International Journal of Computer Engineering and Technology (IJCET), ISSN 0976 – 6367 (Print), ISSN 0976 – 6375 (Online), Volume 3, Issue 1, January–June 2012, pp. 250–257, © IAEME: www.iaeme.com/ijcet.html
Journal Impact Factor (2011): 1.0425 (Calculated by GISI), www.jifactor.com

PATCH MANAGEMENT AND ANALYSING STRATEGY FOR MICROSOFT BULLETIN SECURITY

A. Sankara Narayanan (1), M. Syed Khaja Mohideen (2), and M. Mohamed Ashik (3)
Department of Information Technology, Salalah College of Technology, Salalah, Oman
[email protected], [email protected], [email protected]

ABSTRACT

As many realize, patching computers is a fact of life as part of the defense-in-depth security strategy. While it is essential to protect company IT assets from attack, patching vulnerabilities is only one part of the risk equation. System administrators consider the patching process to be a single step that provides a secure computing landscape. In reality, the patching process is a continuous cycle that must be strictly followed. Each step in the process must be tuned and modified based on previous successes and failures. Security fixes and feature improvements do not benefit the end user of software if the update mechanism and strategy are not effective. This paper is written for information technology managers and system administrators who want to automatically and securely keep all the computers in their network up to date with security patches and other updates. This paper presents one methodology for identifying, evaluating and applying security patches in a real-world environment, along with descriptions of some useful tools that can be used to automate the process.

KEYWORDS

Patch Management, Diffing, Security Patch, Patch Analyzer

1. INTRODUCTION

Microsoft patches are usually released on the second Tuesday of each month. Starting with Windows 98, Microsoft included a "Windows Update" system that would check for patches to Windows and its components, which Microsoft would release intermittently. With the release of Microsoft Update, this system also checks for updates to other Microsoft products, such as Office, Visual Studio and SQL Server. Patch Tuesday begins at 17:00 or 18:00 UTC. Sometimes there is an extraordinary Patch Tuesday, 14 days after the regular Patch Tuesday. There are also updates which are published daily (e.g. definitions for Windows Defender and Microsoft Security Essentials) or irregularly. Seemingly Microsoft has a pattern of releasing a larger number of updates in even-numbered months, and fewer in odd-numbered months.

Earlier versions of the Windows Update system suffered from two problems. The first was that less experienced users were often unaware of Windows Update and did not install it; Microsoft's solution was "Automatic Update," which notified each user that an update was available for their system. The second problem was that customers with many copies of Windows, such as corporate users, not only had to update every Windows deployment in the company but also had to uninstall patches issued by Microsoft that broke existing functionality. In order to reduce the costs related to the deployment of patches, Microsoft introduced "Patch Tuesday" in October 2003. In this system, security patches are accumulated over a period of one month and then dispatched all at once on the second Tuesday of the month, an event for which system administrators may prepare. Some speculate that Tuesday was selected so that post-patch problems could be discovered and resolved before the weekend, but certainly not every patch-induced problem can be cured in that time. The non-Microsoft terms for the following day are "Exploit Wednesday" and "Day Zero", when attacks may be launched against the newly announced vulnerabilities.

2. PATCH ANALYSIS

The operating system is divided into multiple components. Each component can consist of one or more files, registry keys, configuration settings, etc. Windows Serviceability (WinSE) releases updates based on components rather than the entire operating system. This avoids much of the overhead of having to install updates to components that have not changed. Depending on the severity and applicability of the problem, there are different kinds of release mechanisms. When an individual customer reports a bug to Microsoft for a specific scenario, the WinSE team releases Hotfixes to address these problems. Hotfixes are not meant to be widely distributed and go through a limited amount of testing because of the customer's need for an urgent fix. Hotfixes are developed in a separate environment from the regular Updates. This allows Microsoft to release Updates that do not include the Hotfix files, thereby minimizing risk for the customer. Once the Hotfix is ready and packaged by WinSE, a KB article is written describing the problem, with instructions on how to obtain the Hotfix. Microsoft recommends that only customers experiencing the particular problem install the Hotfix for that problem.

Patches are released in two different flavours: GDR (General Distribution Release) and QFE (Quick Fix Engineering), also called LDR (Limited Distribution Release). A GDR binary contains only the security-related changes that have been made to the binary. A QFE/LDR binary contains both the security-related changes that have been made to the binary and any functionality changes that have been made to it. In general, when you update a server from Windows Update, the operating system will prefer to download only the security-related (GDR) branch. If, however, you have manually installed a non-security hotfix that updates a file on your system, that file will from then on be updated from the QFE/LDR tree. The term QFE is an old term that is mostly no longer used in reference to current versions of Windows.


2.1 DIFFING

Diffing is the practice of comparing two things for differences, especially after some change has been made. The two things in question could be files, Registry entries, memory contents, packets, emails, almost anything. The general principle is that you take some sort of snapshot of the item in question (for example, if it's a file, save a copy of the file), perform the action you think will cause a change, and then compare the snapshot with the current item to see what changed. In computing, diff is a file comparison utility that outputs the differences between two files. It is typically used to show the changes between one version of a file and a former version of the same file. Diff displays the changes made per line for text files. Modern implementations also support binary files. The output is called a "diff", or a patch, since the output can be applied with the Unix program patch. The output of similar file comparison utilities is also called a diff; like the use of the word "grep" for describing the act of searching, the word diff is used in jargon as a verb for calculating any difference. Diffing is a highly successful tactic that hackers use to analyze different versions of the same file in order to pinpoint the differences between the files. This comparative technique has been used by hackers for years.
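The snapshot-then-compare principle described above, as an added Python example (this is not code from the paper or from any diffing product it names): it fingerprints an item before the action under test, and when the fingerprint changes it produces the unified diff that the patch program applies plus the added/deleted/modified counts and similarity percentage that a diffing tool reports, for text by line and for line-less binaries by byte. All inputs are constructed: two versions of a small configuration file and two short byte strings standing in for a binary before and after a patch.

```python
"""Snapshot-and-diff check after a change (added example, not from the paper).

Uses only the standard library. The sample inputs below are constructed:
two versions of a small configuration file, and two short byte strings
standing in for a binary before and after a patch.
"""
import difflib
import hashlib

# Constructed sample: a text file before and after a change.
BEFORE_TEXT = (
    "[service]\n"
    "port = 8080\n"
    "debug = true\n"
    "allow_anonymous = yes\n"
    "log_level = info\n"
)
AFTER_TEXT = (
    "[service]\n"
    "port = 8080\n"
    "debug = false\n"
    "log_level = info\n"
    "tls = required\n"
)

# Constructed sample: a "binary" before and after a patch (not a real DLL).
BEFORE_BIN = b"MZ" + b"\x00" * 6 + b"VER=1.0"
AFTER_BIN = b"MZ" + b"\x00" * 6 + b"VER=1.1PATCH"


def snapshot(data: bytes) -> str:
    """Fingerprint an item before the action under test, so that a later
    comparison can tell whether it changed at all before diffing in detail."""
    return hashlib.sha256(data).hexdigest()


def changed(before: bytes, after: bytes) -> bool:
    """Cheap first check: compare fingerprints before computing a full diff."""
    return snapshot(before) != snapshot(after)


def text_diff_stats(before: str, after: str) -> dict:
    """Line-level statistics of the kind a diffing tool reports: added,
    deleted and modified lines plus a similarity percentage."""
    a, b = before.splitlines(), after.splitlines()
    sm = difflib.SequenceMatcher(None, a, b)
    stats = {"added": 0, "deleted": 0, "modified": 0}
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag == "insert":
            stats["added"] += j2 - j1
        elif tag == "delete":
            stats["deleted"] += i2 - i1
        elif tag == "replace":
            # A replace block pairs old lines with new ones: the overlapping
            # part counts as modified, the surplus as added or deleted.
            common = min(i2 - i1, j2 - j1)
            stats["modified"] += common
            stats["added"] += (j2 - j1) - common
            stats["deleted"] += (i2 - i1) - common
    stats["similarity"] = round(sm.ratio() * 100, 1)
    return stats


def unified_text_diff(before: str, after: str, name: str = "file") -> str:
    """The familiar unified diff, the form that the Unix patch program applies."""
    return "".join(difflib.unified_diff(
        before.splitlines(keepends=True), after.splitlines(keepends=True),
        fromfile=f"{name} (before)", tofile=f"{name} (after)"))


def binary_diff_stats(before: bytes, after: bytes) -> dict:
    """Byte-level comparison for files without line structure (DLL, EXE):
    size change, bytes that differ in the overlapping region, and a
    similarity percentage over the raw byte sequences."""
    differing = sum(1 for x, y in zip(before, after) if x != y)
    sm = difflib.SequenceMatcher(None, before, after, autojunk=False)
    return {
        "size_before": len(before),
        "size_after": len(after),
        "changed_bytes_in_overlap": differing,
        "similarity": round(sm.ratio() * 100, 1),
    }


if __name__ == "__main__":
    if changed(BEFORE_TEXT.encode(), AFTER_TEXT.encode()):
        print(unified_text_diff(BEFORE_TEXT, AFTER_TEXT, "service.conf"))
        print(text_diff_stats(BEFORE_TEXT, AFTER_TEXT))
    print(binary_diff_stats(BEFORE_BIN, AFTER_BIN))
```

The fingerprint step is what makes the snapshot approach cheap to run repeatedly: a hash mismatch is the trigger for the expensive comparison, and a matching hash proves the action changed nothing. For binaries the byte-level numbers only say how much changed, not what; locating the changed function is the job of the binary-diffing tools the paper discusses.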

Now we're going to work with the real analysis.

File Name: Msvcm80.dll
• File description: Microsoft C Runtime Library, Microsoft Visual Studio 2005
• Version: 8.00.50727.762
• File size: 0.12 Mb

File Name: Msvcm80d.dll
• File description: Microsoft C Runtime Library, Microsoft Visual Studio 2005
• Version: 8.00.50727.762
• File size: 0.22 Mb


Figure 1. Diffing tool with two files

                        MSVCM80.DLL            MSVCM80D.DLL
File Date/Time          13/11/2009 14:07:42    12/03/2012 12:55:24
Similarity              4%
Added lines/words       37861                  747149
Modified lines/words    22708                  296261
Deleted lines/words     4325                   124799
Total words             563316                 1188677
Total chars             2007380                4254294

Table 1. Diffing Results

Chart 1. Comparing two files

As Table 1 shows, the two files differ in date and in every measured value. Compare Suite is a very flexible tool. Once you've chosen your files, you can also choose how to compare them. Compare "by Keywords" to find similarities between unrelated documents. Compare drafts of the same document "word by word." Or compare "character by character", which is perfect for software developers. Compare Suite can also tell you the number of words in your documents, the number of changes between them, and more. Set up a list of your interests, and Compare Suite will watch for these personal keywords in every document. Many diffing tools are available on the market, but most of them support only text, HTML, Word, C source code, etc. As already mentioned, this tool also supports DLL and EXE files.


3. MICROSOFT SECURITY ADVISORIES

This bulletin summary lists security bulletins released for March 2012

http://technet.microsoft.com/en-us/security/bulletin/ms12-mar

Bulletin ID: MS12-021

Bulletin Title and Executive Summary: Vulnerability in Visual Studio Could Allow Elevation of Privilege (2651019). This security update resolves one privately reported vulnerability in Visual Studio. The vulnerability could allow elevation of privilege if an attacker places a specially crafted add-in in the path used by Visual Studio and convinces a user with higher privileges to start Visual Studio. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.

Maximum Severity Rating and Vulnerability Impact: Important

Restart Requirement: May require restart

Affected Software: Microsoft Visual Studio

Table 2 Executive Summaries

Microsoft Security Bulletin names follow a fixed scheme. For example, MS12-021 breaks down as:

• MS – Microsoft
• 12 – The year the bulletin was published (2012)
• 021 – The bulletin number within that year (21st bulletin of 2012)

The Microsoft Security Response Center (MSRC) uses severity ratings to help organizations determine the urgency of vulnerabilities and related software updates.

Rating      Definition
Critical    A vulnerability whose exploitation could allow the propagation of an internet worm without user action.
Important   A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of user's data, or of the integrity or availability of processing resources.
Moderate    Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation.
Low         A vulnerability whose exploitation is extremely difficult, or whose impact is minimal.

Table 3 Severity Rating System
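The bulletin naming scheme and the MSRC severity ratings above, as an added Python example that is not part of the paper: it validates and splits bulletin IDs, rejects records that do not fit the scheme or carry an unknown rating, orders a set of bulletins by severity rank and then by year and sequence number, and groups the survivors by restart requirement for scheduling. Only MS12-021 is taken from Table 2; every other record, the restart labels and the assumption that the two-digit year lies in the 2000s are constructed for the example.

```python
"""Parsing bulletin IDs and ordering bulletins by MSRC severity (added example,
not code from the paper). Records are constructed except MS12-021, whose
fields are taken from Table 2."""
import re
from dataclasses import dataclass

# MSyy-nnn: vendor prefix, two-digit year, three-digit sequence number.
BULLETIN_ID = re.compile(r"^MS(\d{2})-(\d{3})$")

# Table 3 ratings, most urgent first.
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str
    title: str
    severity: str
    restart: str            # e.g. "May require restart"
    affected_software: str


def parse_bulletin_id(bulletin_id: str) -> dict:
    """Split MS12-021 into its parts; reject anything that does not fit the scheme.
    Assumption for this example: the two-digit year belongs to the 2000s."""
    m = BULLETIN_ID.match(bulletin_id.strip().upper())
    if m is None:
        raise ValueError(f"not a Microsoft security bulletin ID: {bulletin_id!r}")
    yy, seq = m.groups()
    return {"vendor": "Microsoft", "year": 2000 + int(yy), "sequence": int(seq)}


def triage(bulletins):
    """Return (ordered, rejected): bulletins ordered by severity rank, then year
    and sequence number, plus the records that failed validation with a reason."""
    ordered, rejected = [], []
    for b in bulletins:
        try:
            parsed = parse_bulletin_id(b.bulletin_id)
        except ValueError as err:
            rejected.append((b.bulletin_id, str(err)))
            continue
        if b.severity not in SEVERITY_RANK:
            rejected.append((b.bulletin_id, f"unknown severity rating {b.severity!r}"))
            continue
        ordered.append((SEVERITY_RANK[b.severity], parsed["year"], parsed["sequence"], b))
    ordered.sort(key=lambda t: t[:3])
    return [t[3] for t in ordered], rejected


def restart_plan(bulletins):
    """Group validated bulletins by restart requirement, in triage order, so a
    maintenance window can be planned for those that may reboot the host."""
    ordered, _ = triage(bulletins)
    plan = {}
    for b in ordered:
        plan.setdefault(b.restart, []).append(b.bulletin_id)
    return plan


# Constructed sample input (only MS12-021 is taken from Table 2).
SAMPLE = [
    Bulletin("MS12-021", "Vulnerability in Visual Studio Could Allow Elevation of Privilege (2651019)",
             "Important", "May require restart", "Microsoft Visual Studio"),
    Bulletin("MS12-999", "Constructed critical bulletin", "Critical", "Requires restart", "Windows (constructed)"),
    Bulletin("MS12-998", "Constructed low bulletin", "Low", "No restart", "Office (constructed)"),
    Bulletin("MS2012-021", "Constructed malformed ID", "Important", "May require restart", "n/a"),
    Bulletin("MS12-997", "Constructed unknown rating", "Severe", "No restart", "n/a"),
]

if __name__ == "__main__":
    ordered, rejected = triage(SAMPLE)
    for b in ordered:
        print(b.bulletin_id, b.severity, b.restart, b.affected_software)
    for bid, reason in rejected:
        print("rejected:", bid, reason)
    print(restart_plan(SAMPLE))
```

Rejecting rather than guessing on malformed IDs or unknown ratings matters when bulletin summaries are fed into a ticketing or approval workflow: a record that silently sorts to the bottom is indistinguishable from a Low-rated one.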


3.1 Patch management

Patch management is one of the most critical and complex Windows-security-related issues. Security patch management is one of the important processes on all platforms: every major software vendor that is committed to security will release security patches in response to newly identified vulnerabilities. There is no widely used operating system or application that is immune from attackers who spend their time trying to locate vulnerabilities to exploit. Patch management describes the tools, utilities, and processes for keeping computers up to date with new software updates that are developed after a software product is released. The Microsoft Windows Software Update Service (WSUS) is a tool for the management and distribution of critical Windows patches. These patches address known security vulnerabilities and stability issues in the Microsoft Windows 2000, Windows XP, Windows Vista, Windows 7, Windows Server 2003 and Windows Server 2008 operating systems.

Patches released through WSUS

Currently, WSUS provides:

• Windows Critical Updates
• Windows Critical Security Updates
• Windows Security Roll-ups
• Patches for other Microsoft products such as Microsoft Office or Exchange Server

It is not possible to use WSUS to deploy:

• Your own updates or third-party updates.

It is also not possible to update to a newer version of Internet Explorer via WSUS. WSUS will provide the latest patches available for the version currently running on your system, but it will not install a different version on your system.

3.2 Patch Detection and Deployment

Microsoft Baseline Security Analyzer (MBSA) is a very useful tool designed for IT professionals. It allows administrators to scan local and remote systems for missing security updates as well as common security misconfigurations.


Figure 2. Microsoft Baseline Security Analyzer

Installation:

Download the MBSASetup-x86-EN (1588kb) file to your computer.
• Double-click the file → Click Run
• Click Next → Select "I accept the licence agreement"
• Click Next → Click Next
• Click Install → Click OK

Usage:

a) Scan a computer:

Check a computer using its name or IP address; this scan is used for home or personal computers.
• Click Scan a Computer, then enter the IP address or computer name
• Click Start Scan; it will check online for Microsoft security updates, and then the scan of your system will start

b) Scan multiple computers:

Check multiple computers using a domain name or a range of IP addresses; this scan is used for a network environment.
• Click Scan multiple computers, then enter the domain name or IP address range
• Click Start Scan; it will check online for Microsoft security updates, and then the scan of your systems will start

Both scans produce a detailed report showing Security Update, Administrative Vulnerabilities, Additional System Information, Internet Information Services, SQL Server, and Desktop Application results.
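What a missing-update scan reports, as an added Python example (this is not MBSA's code and it does not read MBSA's report format): given a constructed inventory of hosts with their installed products and KB numbers, and a small update catalogue, it lists the updates each host lacks, most severe first, and the hosts that still miss an update at a given rating. KB2651019 / MS12-021 come from Table 2; every other KB number, bulletin and host name is a labelled placeholder, and applicability is decided by product name only, a simplification of the file and registry checks MBSA actually performs.

```python
"""Missing-update check across an inventory, the kind of result MBSA's
"Security Update" section reports (added example, not MBSA's code or output).
Applicability is decided here by product name only; MBSA inspects installed
files and the registry, which this simplification does not model.
KB2651019 / MS12-021 come from Table 2; every other record is a constructed
placeholder."""
from dataclasses import dataclass

SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}


@dataclass(frozen=True)
class Update:
    kb: str                 # Knowledge Base article, e.g. "KB2651019"
    bulletin: str           # bulletin that shipped it
    severity: str           # Table 3 rating
    products: frozenset     # products the update applies to


@dataclass
class Host:
    name: str
    products: set           # products installed on the host
    installed_kbs: set      # updates already present


# Constructed catalogue: only the first record is a real update (Table 2).
CATALOG = [
    Update("KB2651019", "MS12-021", "Important", frozenset({"Visual Studio"})),
    Update("KB0000001", "MSYY-NNN (placeholder)", "Critical", frozenset({"Windows"})),
    Update("KB0000002", "MSYY-NNN (placeholder)", "Low", frozenset({"Office"})),
]

# Constructed inventory, as a domain or IP-range scan would collect it.
HOSTS = [
    Host("ws-01", {"Windows", "Visual Studio"}, {"KB0000001"}),
    Host("ws-02", {"Windows", "Office"}, set()),
    Host("srv-01", {"Windows"}, {"KB0000001"}),
]


def missing_updates(host, catalog):
    """Updates that apply to at least one product on the host and are not
    installed, most severe first (unknown ratings sort last)."""
    missing = [u for u in catalog
               if host.products & u.products and u.kb not in host.installed_kbs]
    missing.sort(key=lambda u: (SEVERITY_RANK.get(u.severity, len(SEVERITY_RANK)), u.kb))
    return missing


def scan(hosts, catalog):
    """Per-host list of missing KB numbers, like the per-computer result of a
    'Scan multiple computers' run."""
    return {h.name: [u.kb for u in missing_updates(h, catalog)] for h in hosts}


def hosts_missing_at_severity(hosts, catalog, severity):
    """Hosts with at least one missing update at the given rating, the set an
    administrator would schedule first."""
    return sorted(h.name for h in hosts
                  if any(u.severity == severity for u in missing_updates(h, catalog)))


if __name__ == "__main__":
    for host, kbs in scan(HOSTS, CATALOG).items():
        print(f"{host}: {'up to date' if not kbs else ', '.join(kbs)}")
    print("missing Critical:", hosts_missing_at_severity(HOSTS, CATALOG, "Critical"))
```

The catalogue-versus-inventory comparison is the detection half of the cycle the paper describes; the deployment half is what WSUS does with the same KB numbers once the administrator approves them.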

4. CONCLUSION

For an organization to implement a sound patch management process, time and dedication need to be given up front to define a solid process. Before you can dive into a patch management deployment process, you must establish the prerequisites for implementing the process: knowing your computing environment, preparing end-user education, assigning responsibilities, understanding the current process, and developing a chain of communication. This paper presents one methodology for identifying, evaluating and applying security patches in a real-world environment, along with descriptions of some useful tools that can be used to automate the process. In this paper, we describe the end user's security exposure and the complexity of the task of keeping their systems secure.
