Why Patches? - Personal Psu

COMPSEC

Dr. Gerry Santoro



Founding Associate Professor

Module 6

Operating System and Application Patches

Introduction

It can be useful to think of any computing device as consisting of three layers of technology. The first layer is the hardware (the actual physical components of the computer) and associated firmware (programs that allow that hardware to interact with other hardware). The second layer is the operating system. This basic layer of software integrates hardware functionality and provides for important services such as user interface, file structure, memory management, and basic utilities such as networking. The third layer is comprised of various user applications such as word processing, music/video players, Web browsers, and the user data associated with these applications.

The hardware layer is generally fixed. The only way to alter the hardware is by removing and installing new hardware components. In today’s IT market, it is generally easier for the user to purchase a newer, more powerful set of hardware. While this is more convenient to users, it has created a problem with the disposal of outdated hardware. As a result, many communities offer services to recycle or properly dispose of outdated electronics.

The operating system is developed to work closely with the hardware. Today, there are three major versions of operating systems available for desktop, laptop, and tablet computers: Microsoft Windows, Apple’s OS, and Linux. There are also three primary operating systems available for mobile devices: Apple’s iOS, Google’s Android, and Windows 8. A major function of the operating system is to mediate between user applications and the hardware of the computer, so a user acquiring an application or hardware peripheral need only be concerned with the operating system of their computer and specific features such as available memory, storage, and input/output ports.

The third layer, applications, is the programs that provide the functionality the user desires. Typically, a user will want certain applications and will purchase a computing device, along with its associated operating system, that will support those applications. Today, most applications have versions that will run on all popular operating systems, so the choice between, for example, a Macintosh and a Windows computer depends more on user preference for that vendor than on the availability of specific applications.

Why Patches?

The operating system and the applications on any computing device may develop security vulnerabilities. In some cases, these are due to the design of the software. For example, a particular design that provides convenience to the user may actually be exploited by malware. In other cases, these vulnerabilities result from software bugs, such as the buffer overflow, where software array bounds may be exceeded and legitimate programs are overwritten by malware. Unfortunately, it is not possible to guarantee that any piece of software more than a few lines of code in length is bug free. In addition, software developers typically worry about functionality and performance, and not willful misuse.

As a result, all operating systems and most applications will periodically receive security and performance upgrades, which are also known as patches. Organizations such as the U.S. Government Computer Emergency Readiness Team (CERT) release frequent lists of known vulnerabilities along with upgrade information. Companies that develop operating systems and applications regularly issue upgrades.

The Problem with Patches

The major problem with OS and application patches is that many people do not take the time to download and install them. This is dangerous. As soon as vulnerabilities are announced, they become available to hackers and malware developers. This would be like someone announcing at a party that they were outside and saw that you had left the windows to your car open and your keys on the driver’s seat. While the announcement is important for you, it also has notified every possible criminal that your car is vulnerable. Only if you immediately go to your car, retrieve the keys, close the windows, and lock the car is the risk of theft mitigated.

Why would someone ignore this risk? In many cases, people are busy and do not want to stop what they are doing to install the patch. In an organization, the work of patching is multiplied across all applicable systems. Because the risk is not perceived as immediate, the user believes they can accept deferring the patch for a later time. In most cases, installing a patch is as simple as downloading the installation file and running it. In some cases, applying a patch will require that you provide your computer’s administrator password. Considering how easy the process can be, it is surprising that many users leave their applications unpatched.

Operating System Upgrades

Operating system patches can also be simple to implement. In the case of Microsoft Windows and Apple OS, the user need only turn on the system option to check for OS upgrades automatically. The user can then elect to install the patches manually, which is as simple as being connected to the Internet and clicking on a button. The user may also allow the computer to install them automatically. I generally recommend the second option to ensure that OS patches are installed as soon as they are released. You should consult the help information for your specific OS version to see the steps for doing this.

If you have a laptop computer or a system that is only occasionally used, it is a good idea to turn it on occasionally (once a month) specifically to allow it to download and install appropriate OS patches. The problem with having a system unused for too long is that the number of patches will accumulate and it could take hours for all of them to be downloaded and installed when you do finally turn the computer on and connect it to the Internet.

Application Upgrades

Many security vulnerabilities are based in specific application programs or application runtime systems. An example of an application vulnerability is a memory corruption flaw in Microsoft Internet Explorer, reported in April 2013, called a "use after free" vulnerability that allows an attacker to inject and execute arbitrary code on your computer. This essentially gives the attacker administrative control.


An example of an application runtime system vulnerability is the set of multiple vulnerabilities discovered in Oracle’s Java runtime engine (various versions) in late 2012. These vulnerabilities also permit the execution of arbitrary code on your computer. These vulnerabilities were so severe that the U.S. Department of Homeland Security issued a warning for users to disable Java on their Web browsers. (http://www.zdnet.com/homeland-security-warns-to-disable-java-amid-zero-day-flaw-7000009713/)

Companies that produce applications will periodically issue security upgrades for their programs to remove identified vulnerabilities. In some cases, the program will check automatically for upgrades and notify the user that action is required. In other cases, it may be up to the user to check with the application vendor periodically. In the latter case, most vendors will maintain an e-mail list so that they can notify the user when a patch is issued.

In general, the more popular an application is, the more likely that vulnerabilities will be discovered and
patches issued.

Vulnerability Scanners

Programs called vulnerability scanners automatically scan a computer or network and report on vulnerabilities including unpatched applications. These programs are generally used in a business or organization with networks containing many individual desktop and server computers. A vulnerability scanner works much like an anti-malware program, but with a twist. While an anti-malware program uses a database of malware identification strings and scans files looking for these strings, a vulnerability scanner starts with a database of known vulnerabilities and scans applications and OS components looking for unpatched vulnerabilities.
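
The matching step described above, as an added example (not part of the original module and not any real scanner's code): a constructed advisory list is compared against a constructed software inventory, with versions parsed numerically because plain string comparison would rank 7.0.9 above 7.0.11. All product names and EXAMPLE- identifiers are hypothetical.

```python
# Added example: both the advisory list and the inventory are constructed data.
from dataclasses import dataclass

def parse_version(text):
    """'7.0.11' -> (7, 0, 11); trailing zeros dropped so '10.0' == '10.0.0'."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

@dataclass(frozen=True)
class Advisory:
    advisory_id: str  # placeholder identifier, not a real CVE or bulletin number
    product: str
    fixed_in: str     # first version that contains the patch

# Constructed "database of known vulnerabilities" (hypothetical products).
ADVISORIES = [
    Advisory("EXAMPLE-0001", "examplebrowser", "10.0.5"),
    Advisory("EXAMPLE-0002", "exampleruntime", "7.0.11"),
    Advisory("EXAMPLE-0003", "exampleruntime", "7.0.13"),
]

# Constructed inventory of what is installed on the scanned machine.
INSTALLED = {"examplebrowser": "10.0.5", "exampleruntime": "7.0.9", "exampleeditor": "2.1"}

def scan(installed, advisories):
    """Return (product, installed_version, advisory_id, fixed_in) per unpatched advisory."""
    findings = []
    for adv in advisories:
        have = installed.get(adv.product)
        if have is None:
            continue  # product not installed, advisory does not apply
        if parse_version(have) < parse_version(adv.fixed_in):
            findings.append((adv.product, have, adv.advisory_id, adv.fixed_in))
    return findings

def upgrade_targets(findings):
    """Collapse findings to the highest fixed version each product must reach."""
    targets = {}
    for product, _have, _adv_id, fixed_in in findings:
        current = targets.get(product)
        if current is None or parse_version(fixed_in) > parse_version(current):
            targets[product] = fixed_in
    return targets

if __name__ == "__main__":
    results = scan(INSTALLED, ADVISORIES)
    for product, have, adv_id, fixed_in in results:
        print(f"{product} {have}: unpatched for {adv_id}, fixed in {fixed_in}")
    print("Upgrade to:", upgrade_targets(results))
```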

There are a number of free and commercial vulnerability scanners available for individuals and small businesses. One popular commercial scanner for business use is Nessus, which supports multiple operating systems and comes with frequent updates and support. A popular scanner for individuals is Secunia PSI, which runs on Microsoft Windows and scans for vulnerabilities in third-party applications.

Summary

Regardless of the approach you select, it is important that you ensure that your computer’s operating system and applications receive the patches that are issued. OS patches are by far the most important, but are not sufficient alone. Patches for applications such as Adobe, Microsoft, and other products also protect you from vulnerabilities. Please remember, once a vulnerability has been announced, every hacker in the world becomes aware of it. Diligence in applying OS and application patches will help to protect your system from infection and your data from corruption or theft.

Sidebar for small businesses

Patch management is a major issue for businesses. Unfortunately, most businesses do not have an effective patch management strategy, or do not allocate the necessary resources. Small business IT management should be sure to exercise control over which operating systems and applications are installed on company systems and on bring your own device (BYOD) systems that are permitted access to company networks.

IT staff should carefully monitor for patches and apply them to all systems as soon as they are available. In some cases, this may be done through use of a commercial vulnerability scanning service or the installation of vulnerability scanners. In other cases, it may be sufficient to check vendor notifications or vendor Web sites for announcements. Vulnerability summaries, such as those published by CERT, can also be an important source of information.

Managing vulnerability translates to managing the window of risk opportunity. While it may not be cost-effective to eliminate all vulnerability, it is certainly possible to reduce the amount of risk to an acceptable level.


Resources:



Secunia Personal Software Inspector: http://secunia.com/vulnerability_scanning/personal/v1/?utm_expid=629622-4&utm_referrer=http%3A%2F%2Fforums.techguy.org%2Fgeneral-security%2F908909-list-vulnerability-scanners-descriptions.html

Nessus: http://www.tenable.com/products/nessus

CERT Vulnerability Bulletins: http://www.us-cert.gov/ncas/bulletins/

Wikipedia page on Vulnerability Scanners: http://en.wikipedia.org/wiki/Vulnerability_scanner

Introduction to vulnerability scanning: http://netsecurity.about.com/cs/hackertools/a/aa030404.htm

Essentials of patch management: http://www.patchmanagement.org/pmessentials.asp

USDA on Patch Management: http://www.ocio.usda.gov/sites/default/files/docs/2012/DM3535-002.htm