INTERNATIONAL JOURNAL OF COMPUTER ENGINEERING & TECHNOLOGY (IJCET)
International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367 (Print), ISSN 0976-6375 (Online)
Volume 3, Issue 1, January-June (2012), pp. 250-257
IAEME: www.iaeme.com/ijcet.html
Journal Impact Factor (2011): 1.0425 (Calculated by GISI) www.jifactor.com

PATCH MANAGEMENT AND ANALYSING STRATEGY FOR MICROSOFT BULLETIN SECURITY

A. Sankara Narayanan 1, M. Syed Khaja Mohideen 2, and M. Mohamed Ashik 3
Department of Information Technology, Salalah College of Technology, Salalah, Oman
sankar2079@gmail.com, mohamed.syedkhaja@gmail.com, mohamed_ashik@yahoo.co.uk

ABSTRACT

As many realize, patching computers is a fact of life and part of a defense-in-depth security strategy. While it is essential to protect company IT assets from attack, patching vulnerabilities is only one part of the risk equation. System administrators often treat the patching process as a single step that delivers a secure computing landscape. In reality, the patching process is a continuous cycle that must be followed strictly, and each step in the cycle must be tuned and modified based on previous successes and failures. Security fixes and feature improvements do not benefit the end user of software if the update mechanism and strategy are not effective. This paper is written for information technology managers and system administrators who want to keep all the computers in their network up to date with security patches and other updates, automatically and securely. It presents one methodology for identifying, evaluating and applying security patches in a real-world environment, along with descriptions of some useful tools that can be used to automate the process.

KEYWORDS

Patch Management, Diffing, Security Patch, Patch Analyzer

1. INTRODUCTION

Microsoft patches are usually released on the second Tuesday of each month.
Starting with Windows 98, Microsoft included a "Windows Update" system that checks for patches to Windows and its components, which Microsoft releases intermittently. With the release of Microsoft Update, this system also checks for updates to other Microsoft products, such as Office, Visual Studio and SQL Server. Patch Tuesday begins at 17:00 or 18:00 UTC. Sometimes there is an extraordinary Patch Tuesday, 14 days after the regular Patch Tuesday. There are also updates which are published daily (e.g. definitions for Windows Defender and Microsoft Security Essentials) or irregularly. Microsoft seems to follow a pattern of releasing a larger number of updates in even-numbered months and fewer in odd-numbered months.

Earlier versions of the Windows Update system suffered from two problems. The first was that less experienced users were often unaware of Windows Update and did not install it; Microsoft's solution was "Automatic Update", which notified each user that an update was available for their system. The second problem was that customers with many copies of Windows, such as corporate users, not only had to update every Windows deployment in the company but also had to uninstall patches issued by Microsoft that broke existing functionality. In order to reduce the costs related to the deployment of patches, Microsoft introduced "Patch Tuesday" in October 2003. In this system, security patches are accumulated over a period of one month and then dispatched all at once on the second Tuesday of the month, an event for which system administrators can prepare. Some speculate that Tuesday was selected so that post-patch problems could be discovered and resolved before the weekend, but certainly not every patch-induced problem can be cured in that time. The non-Microsoft terms for the following day are "Exploit Wednesday" and "Day Zero", when attacks may be launched against the newly announced vulnerabilities.

2. PATCH ANALYSIS

The operating system is divided into multiple components. Each component can consist of one or more files, registry keys, configuration settings, etc. Windows Serviceability (WinSE) releases updates based on components rather than the entire operating system, which avoids much of the overhead of installing updates to components that have not changed. Depending on the severity and applicability of the problem, there are different release mechanisms. When an individual customer reports a bug to Microsoft for a specific scenario, the WinSE team releases a Hotfix to address that problem.
Hotfixes are not meant to be widely distributed and go through a limited amount of testing because of the customer's need for an urgent fix. Hotfixes are developed in a separate environment from the regular Updates. This allows Microsoft to release Updates that do not include the Hotfix files, thereby minimizing risk for the customer. Once the Hotfix is ready and packaged by WinSE, a KB article is written describing the problem, with instructions on how to obtain the Hotfix. Microsoft recommends that only customers experiencing the particular problem install the Hotfix for it.

Patches are released in two different flavours: GDR (General Distribution Release) and QFE (Quick Fix Engineering), also called LDR (Limited Distribution Release). A GDR binary contains only the security-related changes that have been made to it. A QFE/LDR binary contains both the security-related changes and any functionality changes that have been made to it. In general, when you update a server from Windows Update, the operating system prefers to download only the security-related (GDR) branch. If, however, you have manually installed a non-security hotfix that updates a file on your system, that file will from then on be updated from the QFE/LDR branch. The term QFE is an old term that is mostly no longer used in reference to current versions of Windows.
2.1 DIFFING

Diffing is the practice of comparing two things for differences, especially after some change has been made. The two things in question could be files, Registry entries, memory contents, packets, emails, almost anything. The general principle is that you take some sort of snapshot of the item in question (for example, if it is a file, save a copy of the file), perform the action you think will cause a change, and then compare the snapshot with the current item to see what changed.

In computing, diff is a file comparison utility that outputs the differences between two files. It is typically used to show the changes between one version of a file and a former version of the same file. Diff displays the changes made per line for text files; modern implementations also support binary files. The output is called a "diff", or a patch, since the output can be applied with the Unix program patch. The output of similar file comparison utilities is also called a diff; like the use of the word "grep" for describing the act of searching, the word diff is used in jargon as a verb for calculating any difference.

Diffing is a highly successful tactic that hackers use to analyze different versions of the same file in order to pinpoint the differences between them. This comparative technique has been used by hackers for years. Now we are going to work through a real analysis.

File name: Msvcm80.dll
File description: Microsoft C Runtime Library, Microsoft Visual Studio 2005
Version: 8.00.50727.762
File size: 0.12 MB

File name: Msvcm80d.dll
File description: Microsoft C Runtime Library, Microsoft Visual Studio 2005
Version: 8.00.50727.762
File size: 0.22 MB

Figure 1. Diffing tool with two files

                         MSVCM80.DLL            MSVCM80D.DLL
File Date/Time           13/11/2009 14:07:42    12/03/2012 12:55:24
Similarity               4%
Added lines/words        37861                  747149
Modified lines/words     22708                  296261
Deleted lines/words      4325                   124799
Total words              563316                 1188677
Total chars              2007380                4254294

Table 1. Diffing Results

Chart 1. Comparing two files

As Table 1 shows, both the dates and the values of the two files are different. Compare Suite is a very flexible tool. Once you have chosen your files, you can also choose how to compare them: compare by keywords to find similarities between unrelated documents, compare drafts of the same document word by word, or compare character by character, which is ideal for software developers. Compare Suite can also tell you the number of words in your documents, the number of changes between them, and more. Set up a list of your interests, and Compare Suite will watch for these personal keywords in every document. Many diffing tools are available in the market, but most of them support only text, HTML, Word, C source code, etc. As already mentioned, this tool also supports DLL and EXE files.
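The snapshot-then-compare principle described above, applied to a file tree before and after an update so an administrator can see exactly which files a patch added, replaced or removed. This is an added Python example, not code from the paper and not the Compare Suite tool; the helper names and the sample files are constructed.

```python
import hashlib
import os
import tempfile

# Added example: snapshot a directory before a patch, re-snapshot afterwards and
# classify what changed. Helper names are assumptions; this is not Compare Suite.

def snapshot_tree(root):
    """Return {relative_path: sha256_hex} for every file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            snap[rel] = h.hexdigest()
    return snap

def diff_snapshots(before, after):
    """Split paths into added, deleted and modified (content hash differs)."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }

def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed scenario: one DLL is replaced, one is added, one removed."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "System32/msvcm80.dll", b"old runtime image")  # constructed bytes
        _write(root, "System32/unchanged.dll", b"same bytes")
        _write(root, "System32/legacy.dll", b"to be removed")
        before = snapshot_tree(root)
        # Simulate the update: replace, add and remove files.
        _write(root, "System32/msvcm80.dll", b"new runtime image")
        _write(root, "System32/new_helper.dll", b"shipped by the patch")
        os.remove(os.path.join(root, "System32/legacy.dll"))
        after = snapshot_tree(root)
        return diff_snapshots(before, after)
```

Running the same pair of snapshots against a trusted baseline after Patch Tuesday also flags files that changed without a corresponding update, which is the detection use of diffing.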
3. MICROSOFT SECURITY ADVISORIES

This bulletin summary lists the security bulletins released for March 2012: http://technet.microsoft.com/en-us/security/bulletin/ms12-mar

Bulletin ID: MS12-021
Bulletin Title and Executive Summary: Vulnerability in Visual Studio Could Allow Elevation of Privilege (2651019). This security update resolves one privately reported vulnerability in Visual Studio. The vulnerability could allow elevation of privilege if an attacker places a specially crafted add-in in the path used by Visual Studio and convinces a user with higher privileges to start Visual Studio. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
Maximum Severity Rating and Vulnerability Impact: Important
Restart Requirement: May require restart
Affected Software: Microsoft Visual Studio

Table 2. Executive Summaries

The names of Microsoft Security Bulletins follow a fixed scheme. For example, MS12-021 breaks down as:
MS    Microsoft
12    The year the bulletin was published (2012)
021   The bulletin number within that year (the 21st bulletin of 2012)

The Microsoft Security Response Center (MSRC) uses severity ratings to help organizations determine the urgency of vulnerabilities and related software updates.

Rating      Definition
Critical    A vulnerability whose exploitation could allow the propagation of an internet worm without user action.
Important   A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users' data, or of the integrity or availability of processing resources.
Moderate    Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation.
Low         A vulnerability whose exploitation is extremely difficult, or whose impact is minimal.

Table 3. Severity Rating System
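The bulletin naming scheme and the MSRC rating scale above are enough to automate first-pass triage of a monthly bulletin summary. The following is an added Python example, not code from the paper or from Microsoft; the regular expression, the function names and all bulletin ids other than MS12-021 are assumptions or constructed placeholders.

```python
import re

# Added example, not the paper's own code: parse the MSyy-nnn bulletin id scheme
# described above and order a bulletin list for deployment by MSRC severity.
# BULLETIN_ID_RE, parse_bulletin_id and triage are assumed helper names.

BULLETIN_ID_RE = re.compile(r"^MS(?P<yy>\d{2})-(?P<seq>\d{3})$")

# MSRC ratings from Table 3, most urgent first.
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}


def parse_bulletin_id(bulletin_id):
    """Split 'MS12-021' into (2012, 21); raise ValueError on anything else."""
    m = BULLETIN_ID_RE.match(bulletin_id.strip().upper())
    if not m:
        raise ValueError(f"not a Microsoft security bulletin id: {bulletin_id!r}")
    return 2000 + int(m.group("yy")), int(m.group("seq"))


def triage(bulletins):
    """Return bulletin ids ordered for deployment: by severity, then oldest first.

    Each bulletin is a dict with 'id' and 'rating'; an unknown rating is
    rejected rather than silently sorted last.
    """
    def key(b):
        if b["rating"] not in SEVERITY_RANK:
            raise ValueError(f"unknown MSRC rating {b['rating']!r} for {b['id']}")
        year, seq = parse_bulletin_id(b["id"])
        return (SEVERITY_RANK[b["rating"]], year, seq)
    return [b["id"] for b in sorted(bulletins, key=key)]


# Constructed sample. Only MS12-021 and its rating come from Table 2; the
# other ids and ratings are placeholders, not real bulletins.
SAMPLE_BULLETINS = [
    {"id": "MS12-021", "rating": "Important"},
    {"id": "MS12-998", "rating": "Moderate"},
    {"id": "MS11-997", "rating": "Important"},
    {"id": "MS12-999", "rating": "Critical"},
]

if __name__ == "__main__":
    for bid in triage(SAMPLE_BULLETINS):
        print(bid, parse_bulletin_id(bid))
```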
3.1 Patch management

Patch management is one of the most critical and complex Windows-security-related issues. Security patch management is an important process on all platforms: every major software vendor that is committed to security releases security patches in response to newly identified vulnerabilities. No widely used operating system or application is immune from attackers who spend their time trying to locate vulnerabilities to exploit. Patch management describes the tools, utilities, and processes for keeping computers up to date with new software updates that are developed after a software product is released.

The Microsoft Windows Software Update Service (WSUS) is a tool for the management and distribution of critical Windows patches. These patches address known security vulnerabilities and stability issues in the Microsoft Windows 2000, Windows XP, Windows Vista, Windows 7, Windows Server 2003 and Windows Server 2008 operating systems.

Patches released through WSUS. Currently, WSUS provides:
- Windows Critical Updates
- Windows Critical Security Updates
- Windows Security Roll-ups
- Patches for other Microsoft products such as Microsoft Office or Exchange Server

It is not possible to use WSUS to deploy your own updates or third-party updates. It is also not possible to update to a newer version of Internet Explorer via WSUS: WSUS will provide the latest patches available for the version currently running on your system, but it will not install a different version on your system.

3.2 Patch Detection and Deployment

Microsoft Baseline Security Analyzer (MBSA) is a very useful tool designed for IT professionals. It allows administrators to scan local and remote systems for missing security updates as well as common security misconfigurations.
Figure 2. Microsoft Baseline Security Analyzer

Installation:
1. Download the MBSASetup-x86-EN (1588 KB) file to your computer.
2. Double-click the file.
3. Click Run.
4. Click Next.
5. Select "I accept the licence agreement".
6. Click Next.
7. Click Next.
8. Click Install.
9. Click OK.

Usage:
a) Scan a computer: check a computer using its name or IP address; this scan is used for home or personal computers. Click "Scan a computer", then enter the IP address or computer name. Click "Start Scan"; MBSA first checks online for Microsoft Security Updates, and then your system scan starts.
b) Scan multiple computers: check multiple computers using a domain name or a range of IP addresses; this scan is used for a network environment. Click "Scan multiple computers", then enter the domain name or IP address range. Click "Start Scan"; MBSA first checks online for Microsoft Security Updates, and then your system scan starts.

Both scans produce a detailed report covering Security Update, Administrative Vulnerabilities, Additional System Information, Internet Information Services, SQL Server and Desktop Application results.

4. CONCLUSION

For an organization to implement a sound patch management process, time and dedication need to be given up front to define a solid process. Before you can dive into a patch management deployment process, you must establish the prerequisites for implementing it: know your computing environment, prepare end user education, assign responsibilities, understand the current process, and develop a chain of communication. This paper presents one methodology for identifying, evaluating and applying security patches in a real-world environment, along with descriptions of some useful tools that can be used to automate the process. We also describe the end user's security exposure and the complexity of the task of keeping their systems secure.