The speed at which hackers are taking advantage of newly disclosed software flaws should be prompting companies to adopt stronger measures for dealing with such vulnerabilities, according to IT managers and analysts.
Several security experts say that IT departments need to look beyond just patching defects and devise broader and more holistic strategies to defend themselves against attacks seeking to quickly exploit new flaws.
The advice comes in the wake of an onslaught of worms that targeted a flaw in a plug-and-play component of Windows 2000. The worms hit several large companies, including The New York Times, CNN, Caterpillar, DaimlerChrysler and General Electric, when hackers made use of the hole disclosed less than a week earlier by Microsoft as part of its monthly patch release.
The rapid exploitation of the Windows 2000 vulnerability left some IT managers acutely aware of the need to be vigilant about keeping their systems up to date.
"We are going to have to fast-track the latest security upgrades, maybe the same day, unfortunately," says Satish Ajmani, CIO of California's Santa Clara County. "It is scary."
The trend has prompted Uline to accelerate its patching of desktops and servers, says Robert Olson, a systems administrator at the distributor of packing and shipping materials.
The Windows 2000 bugs caused infected systems to restart repeatedly and could allow remote attackers to take control of compromised systems. According to vendors of antivirus software, the malware targeted only older, Windows 2000-based systems.
Although none of those 11 or so worms are considered particularly serious by most security experts, they serve as a sobering illustration that hackers can take advantage of new flaws before many companies can patch them, says John Pironti, a principal security consultant at Unisys.
"I think these attacks show that there is still a fair bit of latency" between patch release and deployment in a lot of companies," agrees Fred Rica, a partner at PricewaterhouseCoopers in New York.
"Hackers have adopted new attack techniques," Pironti says. "Instead of going out and looking for vulnerabilities on their own, they are waiting for patches to be released to see what holes are being fixed." Then they go after those holes as quickly as they can, he says.
The trend could leave many companies dangerously exposed, especially large ones that typically test and analyse patches before deploying them, Pironti says.
"They have to assume that they are going to be vulnerable to attack from the moment a patch is out," he says. "They need to have countermeasures in place while the patches are tested" and deployed.
Enterprises should look at implementing the equivalent of the color-coded threat system used by the US Department of Homeland Security when dealing with newly disclosed flaws, says Dave Jordan, chief information security officer for the government of Arlington County. Once new flaws are disclosed, Jordan says, IT security personnel "should conduct business differently than they would day to day." They need to implement countermeasures as soon as possible to mitigate risk, he says.
Measures can include conducting thorough threat analysis, gaining an understanding of specific risks of new flaws, shutting down systems where possible, blocking access to affected ports and using intrusion-detection and -prevention systems to monitor for unusual activity and network behaviors, security experts says.
A vast majority of worms and viruses, including those launched this week, use common methods and take advantage of common flaws, such as buffer overflows, to attack vulnerable systems, says Thor Larholm, a senior security researcher at PivX Solutions.
Instead of relying solely on patches to fix every new flaw, it's better to address some common underlying vulnerabilities, he says. "There are multiple ways to protect against entire classes" of vulnerabilities without having to apply patches for each one, he says.
PivX is one of several vendors, including Immunix and eEye Digital Security, that sell tools to repair generic buffer overflows in the absence of vendor patches.
"About 90% of the worms out there can be mitigated just by hardening your systems," Larholm says. For instance, disabling so-called null-session accounts, which are enabled by default on Windows 2000 systems, would have prevented this week's worms from taking advantage of the plug-and-play flaw, though it is not always practical, he says.
Win 2k Bugs Called 'Routine'
Despite the media frenzy, none of the recent slew of worms targeting a Windows 2000 vulnerability was all that unusual or serious, security experts says.
"We would not characterise this as a widespread problem. The worms were similar in nature to worms we routinely see on the internet," says Debbie Fry Wilson, director of Microsoft's Security Response Center.
"There was nothing unusual about the exploit code or the type of worms created," she says. "The difference here was that you had an unusual number of media outlets that were impacted," resulting in a lot of publicity. The bug hit outlets such as CNN, The New York Times and ABC News.
Similar worms are spread "all the time," noted Ero Carrera, a virus researcher at F-Secure in Helsinki, Finland. "There was no major new trend or techniques that made these worms particularly virulent."
No estimates were available late this week on the extent of the damage caused by the worms, though most antivirus vendors assessed the worms as medium- to low-risk threats.
Trend Micro rated two of 10 of the worms as a medium risk, while the rest garnered a low-risk rating. Rival antivirus vendor McAfee pegged only one of 10 on its list as medium risk, with the rest said to be low risk.
Even so, it would be a mistake to underestimate all the worms, warned an advisory from security vendor Arbor Networks.
"Arbor Networks has received calls from a number of large companies that have been devastated by Zotob," one of this week's Windows 2000 worms, the advisory says. The appearance of several Zotob variants, including one that spreads via email, could portend problems for companies, Arbor warns.