The risks of Patching

1
The risks of Patching

• Keeping your network safe during those zero days
• WWW.SBSDIVA.COM

2
Who am I?

• Patchaholic
• SBS MVP
• Security MVP
• Been patchin SBSs since SBS 4.0
• Used to squint when rebooting

3
So whats the first questions to ask?

• What tool?
• What patch engine?
• What will break what?
• Tool isnt important
• Process

4
What is a patch?

• Bug
• Flaw
• Something that needs fixing
• Patch Security patch

5
Why should we patch?

• Worst case scenario
• Fixing an issue where attacker from remote can
  hurt
• Code Execution
• Take control of system

6
Understanding the risks of patching

• Worst case Line of business stuff breaks
• Best case everything works
• Typical patch month for your networks
• Whats broken in the past for you?

7
What if you dont patch?

• Whats the worst thing that happens?
• Well..
• How many of the owned servers come in from
  unpatched workstations?

8
Risks in a SBS network

• Server?
• Ports open?
• WORKSTATIONS
• Local administrator
• Download anything?
• Free stuff?

9
History of risks in SBSland

• Code Red
• Nimda
• Nail the server
• Today?
• Keep the system working
• Borrow the bandwidth

10
Greatest risks?

• Review your networks
• Desktops
• If you nail the server?
• If you nail a workstation?
• How expendable?

11
How to determine what/when?

• Read the bulletin
• Whats the riskiest?
• Read the criticality
• From remote?
• Mere surfing?

12
Win2k3 /XP sp2

• Typical threats come from authenticated
  connections
• Lesser risks to these platforms
• A/V
• Spyware
• Safe surfing
• IE 7

13
Windows 2000

• Risks from anonymous connections
• From remote
• Coded up exploits typically work

14
Window to patch

• Patch comes out at 1000 a.m 1100 a.m Pacific
• Reverse engineer the patch to see what its
  fixing
• Determine issue
• Code vulnerability
• Typically within 20 minutes or so vulnerability
  is identified

15
Zero Days

• Vulnerability is out
• Used to exploit/to harm
• No patch
• But does that mean we are unprotected?

16
Window to patch

• Can it be automated?
• Can it be wormable
• Whats Metasploit?

17
Recent issues

• Focusing more on workstations
• Focusing more on applications
• Less on servers
• Zero day Word still unpatched!

18
When to patch?

• Do we have to do servers as soon as possible?
• Wheres our biggest risk of patching?
• Whats hurt in the past?
• Build an ouch database for your clients
  applications

19
When to patch?

• If weve mitigated already?
• Why do we need to patch now?
• Mitigate, patch later?

20
Now that we will patch

• Will it hurt?
• Check the caveat section
• Review the community
• Google on the KB number
• Review the Windows update newsgroup
• www.patchmanagement.org
• Are you seeing?

21
How/what to test?

• Microsoft performs patch testing
• Dont test the basics
• Identify the clients key applications
• Identify a patch canary

22
Patch gets approved

• Tested on one workstation
• Done your research?
• NOW deploy

23
Deploy with?

• WSUS
• SBS 2003 r2
• Shavlik
• Patchlink
• Other?

24
..but what about non MS?

• Adobe
• Flash
• Firefox
• Sun Java
• Even your antivirus

25
The SVCHost.exe issue

• 100 CPU
• There is a new hotfix 927891
• Aggravated by WSUS
• Seen on many platforms

26
Resources for Risk

• Security bulletins
• Advisories
• www.incidents.org
• www.patchmanagement.org
• Your group

27
Tuesdays patches

• Outlook
• Excel
• VML (again?!)
• Office 2003
• Were supposed to have 8
• We had 4

28
Patch guidelines
29
Patch Recap
30
Now then

• Do you agree?
• What issues have similar replaced patches have?
• Whats broken in the past?
• What files were patches with that?

31
And dont forget.

• Are you seeing.. ?

32
Eyeball the Windows Update newsgroup
33
Questions?

• Resources
• www.patchmanagement.org
• Security bulleitin
• Monthly security webcast