So you are an administrator within random company 'X'. You have been happily using a certain product that has had some known vulnerabilities within it. However this isn't a problem as you've patched them as the patches have come out. The vendor came out with a new version of the product a year ago and has been pushing all users to upgrade. Being a safe administrator worried about the interaction of new products and desktop installs, you've been testing the product in your test lab and everything seems a-ok. So you decide to push the new product out to all the desktops slowly department by department. Everything works well. All users are happy.
After a couple of weeks though, users are reporting that their boxes are acting funny. After some detective work, you notice that the boxes have been exploited through an old, well-known vulnerability in the very product you just upgraded. Knowing that you applied the patch a couple of months ago when it came out, you believed you were safe. Taking a look at the patch management system, it reports every one of the exploited boxes as patched against this vulnerability. Management is unhappy and you are SOL.
So, what happened here? This is very similar to an issue with upgrading Microsoft's Windows Media Player (WMP). Let's say you are running WMP 9 on Windows XP SP2, fully patched with all the latest WMP patches (specifically MS06-005 and MS06-024). You want to upgrade to version 10, so you do. The issue is that the version of WMP 10 offered on the Windows Media Player website is old. It is still vulnerable to MS06-005 and MS06-024 because it ships with an older version of wmp.dll. Also, the upgrade does not remove any of the references to the patches previously installed for WMP 9, so it *looks* like you're patched, but you are not.
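The failure above is an inventory that trusts patch records instead of what is on disk. The following is an added example, not code from the original post: it reconciles a host's recorded patches against the file version of the binary each fix ships, and flags "ghost patches" where the record says installed but the binary is older than the fixed build for its branch. Every version number and host name below is a constructed placeholder, not the real wmp.dll build numbers for these advisories.

```python
from dataclasses import dataclass, field


def parse_version(text: str) -> tuple:
    """'10.0.0.3700' -> (10, 0, 0, 3700), so builds compare numerically."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Fix:
    advisory: str      # advisory the fix belongs to
    binary: str        # file the fix replaces
    fixed_builds: dict  # major version -> lowest build on that branch carrying the fix


@dataclass
class Host:
    name: str
    recorded_patches: set = field(default_factory=set)   # what the patch system records
    binary_versions: dict = field(default_factory=dict)  # what is actually on disk


def reconcile(host: Host, fixes: list) -> dict:
    """Return {advisory: status}. 'ghost-patch' means the inventory claims the
    patch is installed but the binary on disk predates the fixed build."""
    result = {}
    for fix in fixes:
        on_disk = host.binary_versions.get(fix.binary)
        if on_disk is None:
            result[fix.advisory] = "binary-absent"
            continue
        version = parse_version(on_disk)
        fixed = fix.fixed_builds.get(version[0])  # fixed build for this major branch
        if fixed is None:
            status = "unknown-branch"       # new branch: do not assume it is fixed
        elif version >= parse_version(fixed):
            status = "ok"
        elif fix.advisory in host.recorded_patches:
            status = "ghost-patch"          # record says patched, binary says otherwise
        else:
            status = "missing"
        result[fix.advisory] = status
    return result


# Constructed sample: host patched on WMP 9, then upgraded to a WMP 10 build
# whose wmp.dll predates the fix; the WMP 9 patch records were left in place.
FIXES = [Fix("MS06-005", "wmp.dll", {9: "9.0.0.3300", 10: "10.0.0.3800"}),
         Fix("MS06-024", "wmp.dll", {9: "9.0.0.3350", 10: "10.0.0.3900"})]
AFTER_UPGRADE = Host("desk-01", {"MS06-005", "MS06-024"}, {"wmp.dll": "10.0.0.3700"})
```

Run over a real fleet, the "ghost-patch" rows are exactly the hosts the patch console would have reported as safe.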
So, if you're a regular user, diligent about patching your computer, how would you ever know? The answer is that there is almost no way you would. For a company that is starting to focus heavily on security, why would it let users download a vulnerable version of a program? It's not like the product is sitting on a CD somewhere out of their reach. They are the ones shipping a vulnerable version to every user willing to upgrade. It would be like an automaker recalling a part to fix a safety problem, yet still fitting that same part in every new car. It's counterproductive and puts all your users needlessly at risk, which is odd because it is something the company fully controls.
I can understand why a big vendor may have difficulty consolidating all the patch information across the different groups within the company. I can understand why it might take some time for an updated package to be placed on the product website. However, putting your users at risk from vulnerabilities that already have patches is hard to excuse.
As a note, I'm not here solely to bash this vendor. There are probably a lot of other vendors who are guilty of the same thing.