International Journal of Computer Engineering and Technology (IJCET), ISSN 0976 – 6367 (Print), ISSN 0976 – 6375 (Online), Volume 3, Issue 1, January-June (2012), pp. 250-257, © IAEME
PATCH MANAGEMENT AND ANALYSING STRATEGY FOR
MICROSOFT BULLETIN SECURITY
A. Sankara Narayanan, M. Syed Khaja Mohideen and M. Mohamed Ashik
Department of Information Technology, Salalah College of Technology, Salalah,
Oman
ABSTRACT
As many realize, patching computers is a fact of life as part of the defense in depth
security strategy. While it is essential to protect company IT assets from attack,
patching vulnerabilities is only one part of the risk equation. System administrators
consider the patching process to be a single step that provides a secure computing
landscape. In reality, the patching process is a continuous cycle that must be strictly
followed. Each step in the process must be tuned and modified based on previous
successes and failures. Security fixes and feature improvements don't benefit the end
user of software if the update mechanism and strategy are not effective. This paper is
written for information technology managers and system administrators who want to
automatically and securely keep all the computers in their network up-to-date with
security patches and other updates. This paper presents one methodology for
identifying, evaluating and applying security patches in a real world environment
along with descriptions of some useful tools that can be used to automate the process.
KEYWORDS
Patch Management, Diffing, Security Patch, Patch Analyzer
1. INTRODUCTION
Microsoft patches are usually released on the second Tuesday of each month. Starting
with Windows 98, Microsoft included a "Windows Update" system that would check
for patches to Windows and its components, which Microsoft would release
intermittently. With the release of Microsoft Update, this system also checks for
updates to other Microsoft products, such as Office, Visual Studio and SQL Server.
Patch Tuesday begins at 17:00 or 18:00 UTC. Sometimes there is an extraordinary
Patch Tuesday, 14 days after the regular one. There are also updates which are
published daily (e.g. definitions for Windows Defender and Microsoft Security
Essentials) or irregularly. Microsoft seemingly follows a pattern of releasing a larger
number of updates in even-numbered months and fewer in odd-numbered months.
Earlier versions of the Windows Update system suffered from two problems. The first
was that less experienced users were often unaware of Windows Update and did not
install it; Microsoft's solution was "Automatic Update", which notified each user
that an update was available for their system. The second problem was that customers
with many copies of Windows, such as corporate users, not only had to update every
Windows deployment in the company but also had to uninstall patches issued by
Microsoft that broke existing functionality. In order to reduce the costs related to the
deployment of patches, Microsoft introduced "Patch Tuesday" in October 2003. In this
system, security patches are accumulated over a period of one month and then dispatched
all at once on the second Tuesday of the month, an event for which system administrators
may prepare. Some speculate that Tuesday was selected so that post-patch problems
could be discovered and resolved before the weekend, although certainly not every
patch-induced problem can be cured in that time. The non-Microsoft terms for the
following day are "Exploit Wednesday" and "Day Zero", when attacks may be launched
against the newly announced vulnerabilities.
2. PATCH ANALYSIS
The operating system is divided into multiple components. Each component can
consist of one or more files, registry keys, configuration settings, etc. Windows
Serviceability (WinSE) releases updates based on components rather than the entire
operating system, which avoids the overhead of installing updates for components
that have not changed. Depending on the severity and applicability of the problem,
there are different release mechanisms. When an individual customer reports a bug to
Microsoft for a specific scenario, the WinSE team releases a Hotfix to address the
problem. Hotfixes are not meant to be widely distributed and go through a limited
amount of testing because of the customer's need for an urgent fix. Hotfixes are
developed in a separate environment from the regular Updates, which allows Microsoft
to release Updates that do not include the Hotfix files, thereby minimizing risk for
the customer. Once the Hotfix is ready and packaged by WinSE, a KB article is written
describing the problem, with instructions on how to obtain the Hotfix. Microsoft
recommends that only customers experiencing the particular problem install the Hotfix
for it.
Patches are released in two different flavours: GDR (General Distribution Release) and
QFE (Quick Fix Engineering), also called LDR (Limited Distribution Release). A GDR
binary contains only the security-related changes that have been made to it. A
QFE/LDR binary contains both the security-related changes and any functionality
changes that have been made to it. In general, when you update a server from
Windows Update the operating system will prefer to download only the security-related
(GDR) version. If, however, you have manually installed a non-security hotfix that
updates a file on your system, that file will from then on be updated from the QFE/LDR
branch. The term QFE is an old term that is mostly no longer used in reference to
current versions of Windows.
2.1 DIFFING
Diffing is the practice of comparing two things for differences, especially after some
change has been made. The two things in question could be files, Registry entries,
memory contents, packets, emails, almost anything. The general principle is that you
take some sort of snapshot of the item in question (for example, if it's a file, save a
copy of the file), perform the action you think will cause a change, and then compare
the snapshot with the current item to see what changed. In computing, diff is a file
comparison utility that outputs the differences between two files. It is typically used to
show the changes between one version of a file and a former version of the same file.
Diff displays the changes made per line for text files; modern implementations also
support binary files. The output is called a "diff", or a patch, since the output can be
applied with the Unix program patch. The output of similar file comparison utilities
is also called a diff; like the use of the word "grep" for describing the act of
searching, the word diff is used in jargon as a verb for calculating any difference.
Diffing is a highly successful tactic that hackers use to analyze different versions of
the same file in order to pinpoint the differences between them. This comparative
technique has been used by hackers for years.
Now we're going to work with the real analysis.
File Name: Msvcm80.dll
• File description: Microsoft C Runtime Library, Microsoft Visual Studio 2005
• Version: 8.00.50727.762
• File size: 0.12 MB
File Name: Msvcm80d.dll
• File description: Microsoft C Runtime Library, Microsoft Visual Studio 2005
• Version: 8.00.50727.762
• File size: 0.22 MB
Figure 1. Diffing tool with two files (screenshot not reproduced)

                        MSVCM80.DLL            MSVCM80D.DLL
File Date/Time          13/11/2009 14:07:42    12/03/2012 12:55:24
Similarity              4%
Added lines/words       37861                  747149
Modified lines/words    22708                  296261
Deleted lines/words     4325                   124799
Total words             563316                 1188677
Total chars             2007380                4254294
Table 1. Diffing Results

Chart 1. Comparing two files (chart not reproduced)
As Table 1 shows, the two files differ both in date and in every measured value.
Compare Suite is a very flexible tool. Once you've chosen your files, you can also
choose how to compare them: compare "by keywords" to find similarities between
unrelated documents, compare drafts of the same document "word by word", or compare
"character by character", which is perfect for software developers. Compare Suite can
also tell you the number of words in your documents, the number of changes between
them, and more. Set up a list of your interests, and Compare Suite will watch for these
personal keywords in every document. Many diffing tools are available on the market,
but most of them support only text, HTML, Word, C source code, etc. As already
mentioned, this tool also supports DLL and EXE files.
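The chunk-wise comparison below is an added example, not part of the original paper or of the Compare Suite tool: it produces the kind of counts shown in Table 1 (similarity, added, modified, deleted) for two constructed byte strings standing in for an unpatched and a patched binary, and reports the byte ranges that changed so an analyst knows where to look first. The fixed chunk size and the sample images are assumptions of the example.

```python
import difflib
from dataclasses import dataclass, field

@dataclass
class DiffStats:
    """Counts in the style of Table 1: similarity plus added/modified/deleted chunks."""
    similarity: float   # percentage of chunks the two files share
    added: int
    modified: int
    deleted: int
    # (tag, old_start, old_end, new_start, new_end) as byte offsets into each file
    changed_ranges: list = field(default_factory=list)

def diff_binaries(old: bytes, new: bytes, chunk: int = 16) -> DiffStats:
    """Split both files into fixed-size chunks and align the chunk sequences, the
    binary analogue of a line-by-line text diff. The chunk size is an assumption of
    this example; real patch-analysis tools align on instructions or functions."""
    old_chunks = [old[i:i + chunk] for i in range(0, len(old), chunk)]
    new_chunks = [new[i:i + chunk] for i in range(0, len(new), chunk)]
    sm = difflib.SequenceMatcher(None, old_chunks, new_chunks, autojunk=False)
    stats = DiffStats(similarity=round(sm.ratio() * 100, 1), added=0, modified=0, deleted=0)
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag == "equal":
            continue
        old_len, new_len = i2 - i1, j2 - j1
        if tag == "insert":
            stats.added += new_len
        elif tag == "delete":
            stats.deleted += old_len
        else:  # "replace": the overlapping part counts as modified, the rest as added/deleted
            common = min(old_len, new_len)
            stats.modified += common
            stats.added += new_len - common
            stats.deleted += old_len - common
        stats.changed_ranges.append((tag, i1 * chunk, i2 * chunk, j1 * chunk, j2 * chunk))
    return stats

# Constructed stand-ins for an unpatched and a patched binary (not real DLL contents):
# the fix rewrites one "function" body and appends a new block at the end of the image.
OLD_IMAGE = b"HDR0" + b"FUN1" + b"FUN2" + b"FUN3" + b"DATA"
NEW_IMAGE = b"HDR0" + b"FUN1" + b"FIX2" + b"FUN3" + b"DATA" + b"NEW1"

if __name__ == "__main__":
    result = diff_binaries(OLD_IMAGE, NEW_IMAGE, chunk=4)
    print(f"similarity {result.similarity}%  added {result.added}  "
          f"modified {result.modified}  deleted {result.deleted}")
    for tag, o1, o2, n1, n2 in result.changed_ranges:
        # changed offsets tell the analyst where in the patched file to look first
        print(f"{tag:8} old[{o1}:{o2}] -> new[{n1}:{n2}]")
```

With real binaries the similarity drops sharply whenever the patch shifts code, which is why Table 1 reports only 4% for two builds of the same library; alignment on functions rather than fixed chunks is what dedicated patch-diffing tools add.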
3. MICROSOFT SECURITY ADVISORIES
This bulletin summary lists the security bulletins released for March 2012:
http://technet.microsoft.com/en-us/security/bulletin/ms12-mar

Bulletin ID: MS12-021
Bulletin Title and Executive Summary: Vulnerability in Visual Studio Could Allow
Elevation of Privilege (2651019). This security update resolves one privately reported
vulnerability in Visual Studio. The vulnerability could allow elevation of privilege if an
attacker places a specially crafted add-in in the path used by Visual Studio and convinces
a user with higher privileges to start Visual Studio. An attacker must have valid logon
credentials and be able to log on locally to exploit this vulnerability. The vulnerability
could not be exploited remotely or by anonymous users.
Maximum Severity Rating and Vulnerability Impact: Important
Restart Requirement: May require restart
Affected Software: Microsoft Visual Studio
Table 2 Executive Summaries
Microsoft Security Bulletin names follow a fixed pattern.
For example: MS12-021
• MS – Microsoft
• 12 – the year the bulletin was published (2012)
• 021 – the bulletin number within that year (21st bulletin of 2012)
The Microsoft Security Response Center (MSRC) uses severity ratings to help
organizations determine the urgency of vulnerabilities and related software updates.

Rating      Definition
Critical    A vulnerability whose exploitation could allow the propagation of an
            internet worm without user action.
Important   A vulnerability whose exploitation could result in compromise of the
            confidentiality, integrity, or availability of user's data, or of the
            integrity or availability of processing resources.
Moderate    Exploitability is mitigated to a significant degree by factors such as
            default configuration, auditing, or difficulty of exploitation.
Low         A vulnerability whose exploitation is extremely difficult, or whose
            impact is minimal.
Table 3 Severity Rating System
3.1 Patch management
Patch management is one of the most critical and complex Windows-security-related
issues. Security patch management is an important process on all platforms: every
major software vendor that is committed to security will release security patches in
response to newly identified vulnerabilities. There is no widely used operating system
or application that is immune from attackers who spend their time trying to locate
vulnerabilities to exploit. Patch management describes the tools, utilities, and
processes for keeping computers up to date with new software updates that are
developed after a software product is released. Microsoft Windows Software Update
Service (WSUS) is a tool for the management and distribution of critical Windows
patches. These patches address known security vulnerabilities and stability issues in
the Microsoft Windows 2000, Windows XP, Windows Vista, Windows 7, Windows
Server 2003 and Windows Server 2008 operating systems.
Patches released through WSUS
Currently, WSUS provides:
• Windows Critical Updates
• Windows Critical Security Updates
• Windows Security Roll-ups
• Patches for other Microsoft products such as Microsoft Office or Exchange
Server
It is not possible to use WSUS to deploy:
• Your own updates or third-party updates.
It is also not possible to update to a newer version of Internet Explorer via WSUS.
WSUS will provide the latest patches available for the version currently running on
your system, but it will not install a different version on your system.
3.2 Patch Detection and Deployment
Microsoft Baseline Security Analyzer (MBSA) is a very useful tool designed for IT
professionals. It allows administrators to scan local and remote systems for missing
security updates as well as common security misconfigurations.
Figure 2. Microsoft Baseline Security Analyzer (screenshot not reproduced)
Installation:
• Download the MBSASetup-x86-EN (1588 KB) file to your computer
• Double click the file, then click Run
• Click Next, then select "I Accept the licence agreement"
• Click Next, then click Next again
• Click Install, then click O.K.
Usage:
a) Scan a computer:
Checks a single computer by its name or IP address; this scan is intended for home
or personal computers.
• Click "Scan a computer", then enter the IP address or computer name
• Click "Start Scan"; MBSA first checks online for the latest Microsoft security
updates, and then the system scan starts
b) Scan multiple computers:
Checks multiple computers by domain name or by a range of IP addresses; this scan
is intended for a network environment.
• Click "Scan multiple computers", then enter the domain name or IP address range
• Click "Start Scan"; MBSA first checks online for the latest Microsoft security
updates, and then the system scan starts
Both scans produce a detailed report covering Security Updates, Administrative
Vulnerabilities, Additional System Information, Internet Information Services, SQL
Server and Desktop Application results.
4. CONCLUSION
For an organization to implement a sound patch management process, time and
dedication need to be given up front to define a solid process. Before you can dive
into a patch management deployment process, you must establish the prerequisites for
implementing the process by knowing your computing environment, preparing end
user education, assigning responsibilities, understanding the current process, and
developing a chain of communication. This paper has presented one methodology for
identifying, evaluating and applying security patches in a real world environment
along with descriptions of some useful tools that can be used to automate the process.
We have also described the end user's security exposure and the complexity of the
task of keeping their systems secure.