
Windows Update Can Hurt Security 220

An anonymous reader writes "Researchers at Carnegie Mellon University have shown that given a buggy program with an unknown vulnerability, and a patch, it is possible automatically to create an exploit for unpatched systems. They demonstrate this by showing automatic patch-based exploit generation for several Windows vulnerabilities and patches can be achieved within a few minutes of when a patch is first released. From the article: 'One important security implication is that current patch distribution schemes which stagger patch distribution over long time periods, such as Windows Update... can detract from overall security, and should be redesigned.' The full paper is available as PDF, and will appear at the IEEE Security and Privacy Symposium in May."
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward on Friday April 18, 2008 @12:31PM (#23118988)
    Microsoft has cautioned its enterprise customers by responding with a white paper that finds security and profits to be independent variables. The widely criticized paper uses Microsoft's own software history as a model business thriving in this manner.

    Seriously, a reason that the consumer needs Microsoft more to bail them out? I couldn't think of better news for Microsoft's future ...
  • Doesn't matter (Score:5, Insightful)

    by Z00L00K ( 682162 ) on Friday April 18, 2008 @12:36PM (#23119050) Homepage Journal
    You can never distribute patches synchronously to all the PCs in the world. And you can't hide what the patch fixes.

    You are damned either way. The only way to avoid complete damnation from security vulnerabilities is to run a large number of different operating systems, but then you are damned to live a life in complete confusion about system maintenance instead.

    The onion principle is a general security term that has been defined a long time ago, but the fact that we are all online in some way or another all the time means that the onion is rotten.

  • by pembo13 ( 770295 ) on Friday April 18, 2008 @12:37PM (#23119076) Homepage
    There is no good solution to this problem -- that fixing something makes it easier to find old problems. At some point, users need to be responsible enough to apply updates.
  • by Anonymous Coward on Friday April 18, 2008 @12:38PM (#23119086)
    Profitability is key, not security. Think of sysadmins as janitors. We pay you to wipe up the mess. It's not worth our while to invest in systems that don't create a mess as long as janitors are cheap enough to come with their electronic mops and buckets.

    And you are.

    Sorry.
  • by utnapistim ( 931738 ) <<moc.liamg> <ta> <subrab.nad>> on Friday April 18, 2008 @12:39PM (#23119104) Homepage

    ... patch based security is also the model linux uses (as far as I understand).

    Furthermore, for Linux access to the unpatched code is also easy to obtain.

    Somebody please correct me if I'm mistaken.

  • Re:Doesn't matter (Score:5, Insightful)

    by Loether ( 769074 ) on Friday April 18, 2008 @12:41PM (#23119120) Homepage
    I admit I didn't RTFA. However, if you use BitTorrent or a similar system, everyone downloading at the same moment would work better and faster. Everyone would have the patches very close to the same time. At the very least that would decrease the amount of time a potential attacker has to attempt this.
  • Re:Doesn't matter (Score:5, Insightful)

    by Anonymous Coward on Friday April 18, 2008 @12:42PM (#23119146)

    You can never distribute patches synchronously to all the PCs in the world.
    True enough.

    And you can't hide what the patch fixes.
    Wrong. You can encrypt the patch.

    Steam has no problem distributing games to players so that they can all unlock them on release day. All you have to do is preload the patch with staggered downloads but not send out the key until the same time. Then all machines can decrypt and patch and install them at roughly the same time, helping to greatly cut down on the time between when the patch can be figured out and the time that machines are still vulnerable.

    Not fool-proof, of course, but it seems like something Microsoft should seriously consider doing.
  • Re:Quiz (Score:0, Insightful)

    by Anonymous Coward on Friday April 18, 2008 @12:43PM (#23119160)

    Fill in the blank:

    Windows _____________ Can Hurt Security
    1) "Applications"
    2) "Network Connectivity"
    3) "Update"
    4) "Users"
    5) ""


    "Alternatives"

    Show me a non-Windows OS, and I'll show you a huge security hole in your network security.

    There are risks in everything we do... or don't do. No big surprise. But honestly... trying to say that updating your OS is bad security? That's a huge stretch, even for Slashdot.
  • Re:Doesn't matter (Score:2, Insightful)

    by Nos. ( 179609 ) <andrewNO@SPAMthekerrs.ca> on Friday April 18, 2008 @12:45PM (#23119186) Homepage
    It's not that simple. My parents turn their computer on maybe twice a week. Others don't have constant net connections.
  • by analog_line ( 465182 ) on Friday April 18, 2008 @12:53PM (#23119324)
    Couldn't this process (modified of course) do the same thing to any update for any software at all?

    How exactly is this news? I mean, I should update my software when there's a new patch anyway, but now that THIS has been developed I...need to update my software when there's a new patch... Automating it is a pretty neat trick, and it pretty much destroys any argument for security through obscurity, since it means you couldn't patch any hole to maintain the obscurity, but it's not like security through obscurity in the computer software realm has that amazing a track record in any case.
  • by Kjella ( 173770 ) on Friday April 18, 2008 @12:54PM (#23119336) Homepage
    Right, in fact this probably indicates that patch tuesday [wikipedia.org] may not be a bad thing because then at least every admin worth his salt knows that's the time to update the systems. With patches coming in almost daily on Linux, you either have constant patch duty or it's a lot more staggered already. That's assuming you actually do something with the patches and don't just auto-apply everything, in which case I guess it doesn't matter. But, let's try to make everything with an anti-microsoft spin shall we?
  • Re:Doesn't matter (Score:3, Insightful)

    by Jarjarthejedi ( 996957 ) <christianpinch@g ... om minus painter> on Friday April 18, 2008 @12:56PM (#23119358) Journal
    Which does nothing to help out those who either can't (insert system admin worries here) or don't patch their machines.

    The current system works fine for those people who autopatch. It takes only a very short time to get the latest patch, shorter than it takes to get the bug, find a good page to work it onto, build up enough trust to get people there, and then deploy it. All this really affects is those users who don't patch their machines.
  • Re:Doesn't matter (Score:3, Insightful)

    by OzPeter ( 195038 ) on Friday April 18, 2008 @12:57PM (#23119408)
    How about image fresh system, apply patches, compare result with fresh system? No need to break encryption at all.

    The only way you can stop this is if all system data was encrypted and the user was not trusted with the keys to decrypt.

    Now where have I heard that before??? Hmmm .. TPM anyone?
  • by phantomfive ( 622387 ) on Friday April 18, 2008 @01:01PM (#23119454) Journal
    Kernels are usually distributed as binaries, but in general other software is distributed by source. Of course, different distros do it differently.

    However, the fact that you can obtain the code makes no difference, and may even be a hindrance, since an exploit can be created here in as little as a minute just from the binaries.

    The major difference here between Windows and Linux is that Windows is a lot more of a mono-culture. In the linux world, there is no guarantee that an exploit will be available the same way. It is also unlikely that two different distributions have the same binaries. In fact, different computers using the same distro can end up with different binaries.

    Realistically, an exploit is bad. This research is just a way to make a bad thing worse.
  • by somersault ( 912633 ) on Friday April 18, 2008 @01:05PM (#23119516) Homepage Journal
    Meh, don't come crying to me when some guy in [insert-evil-country-here] steals your identity, uses it to buy a few Porsches and set up illegal goat kid porn themed websites in your name. You keep making your messes, I'm happy to make $50000 a year cleaning them up as long as it doesn't happen more than two or three times a year.
  • Re:Doesn't matter (Score:5, Insightful)

    by Sancho ( 17056 ) * on Friday April 18, 2008 @01:13PM (#23119618) Homepage
    You can't overwrite a file that's in use by Windows. You can overwrite a file that's in use by Linux. The old image is still there. Any new processes loading the file will get the new version, and any old processes which still have a file handle to the old file get to use the old image.
    I don't know if that's the whole reason, but I bet that it's part of it.
  • Re:Doesn't matter (Score:4, Insightful)

    by legirons ( 809082 ) on Friday April 18, 2008 @01:28PM (#23119902)
    Or distribute encrypted patches over the course of a day, then when you publish the key everyone can update
  • by realthing02 ( 1084767 ) on Friday April 18, 2008 @01:35PM (#23120000)
    I think you actually missed the worst part about this summary (not the article...)

    From the summary: "Such as Windows Update... can detract from overall security, and should be redesigned."

    The ellipsis represents 14 pages of information in this sentence. And the actual PDF doesn't say it detracts from security, but rather that the scheme is insecure. Which is quite a difference. Normally I don't do this, but the quote is really stupid when put the way the contributor or editor put it in there. The article was interesting enough on its own accord (automatic patch-exploit generation) without having to throw your own personal cracks in there.

    Let's grow up, people.
  • by Opportunist ( 166417 ) on Friday April 18, 2008 @01:44PM (#23120138)
    If you have a patch, you can diff the original and the patched file and find out what got fixed. No secret here.

    So how can you close the gap between fixing and exploiting? That's nothing MS could fix. You have to. Patch early, patch often.

    If any message is contained here, it's that if there is a patch out and you didn't use it, you're extremely vulnerable. That's pretty much it, nothing really new here.
  • Re:Doesn't matter (Score:5, Insightful)

    by Ahnteis ( 746045 ) on Friday April 18, 2008 @01:55PM (#23120306)
    99% of PCs are NOT:
    1) Turned on
    AND
    2) Connected to the internet
    at ANY one time. It doesn't matter if it's 1 packet or 150 packets if the computer is off or not currently connected.
  • 2 points (Score:3, Insightful)

    by v(*_*)vvvv ( 233078 ) on Friday April 18, 2008 @02:06PM (#23120458)
    1) Isn't this an old problem? Not only is this old, but it applies to any computer system, so to single out Windows Update seems naive (as others have said).

    2) I think we are forgetting that the exploits still need to be distributed, and the article refers to worms, but how is this different from any other worm/virus?

    Smarter viruses will attack weaknesses that are yet widely known or patched, so those that use exploits based on public patches are 1) stupider and 2) more predictable.

    So this is less of an "update how" problem, and rather more of an antivirus problem. The previous might be impossible to solve, but the latter we have solutions for.

  • Liability problem? (Score:2, Insightful)

    by bkaul01 ( 619795 ) on Friday April 18, 2008 @02:10PM (#23120514)
    And what happens when someone who has downloaded the encrypted patch has his system compromised because you're waiting for some idiot who hasn't to do so before you'll release the key that unlocks it? In a worst case scenario, you could end up facing a class action suit for not enabling the patch. I don't know if such a suit could be successful, but I'd bet someone would try it. At present, if someone has failed to update his system with the latest patch, it's not Microsoft's fault. Under this system, if Microsoft was refusing to actually make the patch available to one until others have it, that poses ethical and legal questions. I'm not a lawyer, and can't say what the legal answer would be, but I'm sure the question would arise.
  • Re:Doesn't matter (Score:5, Insightful)

    by Vellmont ( 569020 ) on Friday April 18, 2008 @02:20PM (#23120632) Homepage

    are you 100% sure you're not still running some vulnerable code?

    If I've restarted the server process, yes.

    What if bash had a vulnerability, and you installed the new version but old bash processes were still running?

    I'd kill all bash processes.

    if you're really lucky then the package manager will know to restart the service after installing a new version.

    That's been quite standard for a long time. I know Redhat includes that in their RHEL distribution. So I wouldn't exactly call that "really lucky"

    But how confident are you that everything is covered?

    Unless it's something critical like a shared library vulnerability, very confident. In the case of a shared lib, it might be easier to just reboot the machine than restarting all the various processes. But at least you have a choice in the matter, which 9/10 of the time you simply don't with Windows.
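Sancho's point above (a replaced file stays alive for processes that already hold it, while new processes get the new version) and Vellmont's question of how to be sure every old process is gone can both be shown concretely. The following is an added example, not code from the original thread; it simulates a package-manager style update (write the new file, rename it over the old path) on a constructed file name, then scans `/proc/<pid>/maps` for mappings Linux flags as "(deleted)", which is the check an admin would run after a shared-library update to find processes that still need restarting. The file and its contents are constructed; nothing here is a real library or patch.

```python
import mmap
import os
import tempfile

# Constructed stand-ins for a vulnerable and a patched binary image.
OLD_IMAGE = b"OLD VULNERABLE IMAGE"
NEW_IMAGE = b"NEW PATCHED IMAGE"


def stale_mappings(pid="self"):
    """Return the set of file paths a process has mapped whose on-disk
    file was replaced or removed after mapping. Linux reports such
    mappings in /proc/<pid>/maps with a trailing ' (deleted)' marker,
    which is the usual post-update "who still needs a restart" check."""
    stale = set()
    with open(f"/proc/{pid}/maps") as maps:
        for line in maps:
            # address perms offset dev inode pathname (pathname may contain spaces)
            fields = line.rstrip("\n").split(maxsplit=5)
            if len(fields) == 6 and fields[5].endswith(" (deleted)"):
                stale.add(fields[5][: -len(" (deleted)")])
    return stale


def replace_file_in_use(tmpdir):
    """Simulate updating a file that a running process still has mapped.

    Returns (bytes seen through the old mapping, bytes seen by a fresh
    open, whether /proc reports the old mapping as stale)."""
    path = os.path.join(tmpdir, "libexample.so")  # constructed name
    with open(path, "wb") as f:
        f.write(OLD_IMAGE)

    # A "long-running process" maps the old image, like a loaded library.
    fh = open(path, "rb")
    old_map = mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ)
    try:
        # Package-manager style update: write the new version to a temp
        # name and atomically rename it over the old path. The old inode
        # loses its directory entry but stays alive for existing mappings.
        tmp_path = path + ".new"
        with open(tmp_path, "wb") as f:
            f.write(NEW_IMAGE)
        os.replace(tmp_path, path)

        seen_by_old_process = bytes(old_map[:])     # still the old image
        with open(path, "rb") as f:
            seen_by_new_process = f.read()           # new processes get the fix
        reported_stale = os.path.realpath(path) in stale_mappings()
    finally:
        old_map.close()
        fh.close()
    return seen_by_old_process, seen_by_new_process, reported_stale


def run_demo():
    """Run the simulation in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmpdir:
        return replace_file_in_use(tmpdir)


if __name__ == "__main__":
    old, new, stale = run_demo()
    print("old process sees:", old)
    print("new process sees:", new)
    print("/proc reports stale mapping:", stale)
```

The same `stale_mappings(pid)` scan, run over every entry in `/proc`, is the audit step behind "restart what the package manager did not": any process listed with a deleted mapping is still executing the pre-patch code, however current the files on disk are.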
  • by Ungrounded Lightning ( 62228 ) on Friday April 18, 2008 @02:37PM (#23120848) Journal
    Distribute an encrypted patch, and then once all clients have downloaded it reveal the key, which is short and can be sent in a single network packet.

    Which shifts the problem from distributing the update to distributing the key.

    Of course this does have another advantage: Distributing the encrypted update also distributes notification that there WILL be a key, and can tell the users when. Then it becomes a race to get the key and apply the patch before the bad guys can get the key, generate, and deploy an exploit.

    And the downside: The bad guys also know the patch is coming, and when. So they can use their existing botnet(s) to grab a key as soon as possible, then (or simultaneously) DDOS the key distribution mechanism while they generate and deploy the exploit. This makes things WORSE: A much larger fraction of the machines are vulnerable when the exploit deploys.

    Still worse: If the bad guys crack the encryption, or manage to break in and grab the key early, they get to automatically generate and deploy an exploit while NOBODY has the fix. Oops!

    Ditto even if they don't crack the patch - but the patch exposes that a vulnerability exists and perhaps what module has it, and they find and exploit the vulnerability before the key deploys.

    = = = =

    In a battle between weapons and armor, weapons eventually win.
  • Re:Quiz (Score:3, Insightful)

    by Cairnarvon ( 901868 ) on Friday April 18, 2008 @02:45PM (#23120948) Homepage
    You don't have any e-mail addresses? Where do you think most spam comes from?
    Windows' crap security affects everyone.
  • by Ungrounded Lightning ( 62228 ) on Friday April 18, 2008 @02:52PM (#23121018) Journal
    Think of sysadmins as janitors. We pay you to wipe up the mess. It's not worth our while to invest in systems that don't create a mess as long as janitors are cheap enough to come with their electronic mops and buckets.

    That works for small messes.

    It doesn't work for somebody getting hold of the company's trade secrets, client list, bidding information, road map, and headhuntable employee names and pay scale.

    It doesn't work for somebody cracking the information on the company accounts and transferring the cash reserves to themselves via untraceable paths.

    It doesn't work for somebody destroying or corrupting the IT infrastructure - especially the databases - and taking the company out of business for days or forever, causing key employees to quit or be fired, etc.

    It doesn't work for somebody corrupting industrial process control infrastructure and literally destroying plants and killing employees, or causing the company to build and ship defective products.

    I could go on.

    Cleaning up IT graffiti is one thing. Cleaning up IT nuclear strikes is quite another.

    IMHO any corporate IT exec who treats malware like graffiti, rather than an early warning of something more serious, is negligent in his fiduciary duty to the shareholders and perhaps criminally negligent in his duty to protect the lives and health of the employees. (Pity that most of 'em do treat the threat in this way. B-( )
  • Re:Doesn't matter (Score:3, Insightful)

    by Aram Fingal ( 576822 ) on Friday April 18, 2008 @03:09PM (#23121242)
    If you encrypt with a new salt value each time an update is performed, that makes the process much more difficult to work around.
  • by Ungrounded Lightning ( 62228 ) on Friday April 18, 2008 @03:18PM (#23121356) Journal
    What's important about this is that it can quickly and automatically generate exploits given only OBJECT code - faster even than a good programmer could do it from source.

    This negates the claim that hiding the source code increases security.
  • by RiotingPacifist ( 1228016 ) on Friday April 18, 2008 @04:11PM (#23121980)

    Nope. If that were correct, then Apple would see 5% (or so) of the "virus" development out there.
    You have to put a lot of work into making an exploit; do you choose to put that work into something that gives you 90% or 5% returns? It's not like if there were 100 hackers they would all decide to pick on 100 machines at random; no, they all try to infect the most machines possible (you need to infect 6% of Windows machines to have the same effect as writing an exploit so good it infects every Mac machine), and that means all 100 hackers will go for Windows!

    While Apple may be more secure, until you get 50% market share you're not going to get 50% of the effort put into attacking you.

  • Re:Doesn't matter (Score:2, Insightful)

    by RiotingPacifist ( 1228016 ) on Friday April 18, 2008 @04:18PM (#23122084)
    No it doesn't, he's got around all the encryption by taking the end points; no encryption can help here.

    end - start = patch

    As he pointed out, the only way to keep the patch safe is to encrypt the program and hide the keys.
  • Re:Quiz (Score:4, Insightful)

    by Sneftel ( 15416 ) on Friday April 18, 2008 @04:52PM (#23122552)
    I think you mean "__________ ___________ Can Hurt Security". There's nothing Windows-specific about this approach. It would work just as well with apt-get.
  • Re:Doesn't matter (Score:3, Insightful)

    by Aliencow ( 653119 ) on Friday April 18, 2008 @07:23PM (#23123872) Homepage Journal
    Well, this is called Network Access Control, or NAP in Windows 2008.

    The day my ISP starts controlling whether my machine is "up to date" enough to use it is the day I get a new ISP.

    Plus, it would be over-estimating end-users to think they'd get some fancy router because it lets them wait a bit longer before using their computers....
  • Re:Doesn't matter (Score:3, Insightful)

    by gmack ( 197796 ) <gmack@noSpAM.innerfire.net> on Saturday April 19, 2008 @12:01AM (#23125234) Homepage Journal
    This is actually a good argument for package updates rather than security patches. With a package update several other bugs could have been fixed so it should be at least harder to find out what bugs were exploitable.

    Also has the advantage of the first security update moving everything to the latest version instead of needing 30 patches to get there.
