Security Ripcord


The Next Phase in Patching

September 20th, 2007 cutaway Posted in Apple, Microsoft, Patch Management

Recent hardware and software problems got me thinking about patch management. Some companies have a handle on this effort. SMBs, SOHOs, and home users, however, are a bit more challenged because of funds and skill levels. The software manufacturers haven’t made it very easy either. Let’s list out the overall problem.

1. Vulnerabilities in software and drivers put computers and users at risk. The mitigation for this is to patch the software and driver whenever there is an update and especially when there is a security update.

2. Most software does have automatic update features. They can poll on bootup or when the program starts. They can be configured to run at granular start times or stopped completely. Unfortunately, there is not really a standard for where to place this information, and there is no way to determine when other software is scheduled to update unless you specifically open that piece of software and record the scheduled update time.

3. Drivers are more difficult to keep up with than other software. Users do not usually directly interact with drivers and most do not have an automatic update scheduler to determine if an update is available. Although some OSes handle this for some drivers they do not do it for all.

4. The more confusing and time-consuming a process, the less likely end users are to perform the task. Most systems are vulnerable because people do not know how to update or just don’t want to take the extra time necessary to go through and configure automatic updates or monitor specific drivers that do not include the service. And, if the automatic update affects their user experience, they are going to find a way to turn that feature off.

Here is my solution: Microsoft needs to come up with a Central Update Console that software and driver developers can hook to configure automatic updates. They already provide this type of feature through the “Add/Remove Programs” console. Good developers utilize this to help users and administrators manage the software that is installed on their systems. How hard would it be to come up with a solution that other developers could hook to help with centralizing the management of updates and provide a significant positive impact on the overall security of every computer on the Interweb? Although the design, development, testing, implementation, and maintenance of this project would be challenging, I am willing to bet that this would be a small project in the grand scheme of Microsoft OS development. They don’t need to take every software vendor into consideration; they just need to come up with one method all of them could use. Once a system is developed, software developers can start modifying their products to hook the console. They wouldn’t need to take out their current auto-update mechanism; rather, they could leave it in place. This is how the “Add/Remove Programs” console works. Software developers have not removed the mechanism to uninstall from their software; rather, they have placed hooks in the “Add/Remove Programs” console that call their uninstall and repair mechanisms. Users and admins who prefer a particular method are all satisfied.

Finally, it is not like this is not done in other places. Linux in particular, and to a smaller extent Apple, have been doing this for a while. Most distros have a packaging system that allows developers to centralize the patch management and automatic updates. End users and admins only have to worry about watching for updates to software that they have installed outside that packaging system. Very nice, very easy, very secure.

So, how about it Microsoft? Don’t you think that this would benefit everybody? It certainly could not hurt.

Go forth and do good things,
Cutaway


Let’s All Get Together

April 6th, 2006 cutaway Posted in Apple, Microsoft, Virtual Machines

Finally, we are going to be able to merge the most popular operating systems onto one machine (well, almost all of them). Although I haven’t looked into it

LET THE RACES BEGIN!! It is only a matter of time until we see this with the capability to also install Linux. Of course the guys over at CyberSpeak Podcast have recently pointed out (I think it was the March 25th edition) that the Holy Grail is to be able to switch seamlessly between the systems without needing to reboot to the other operating system. Now, I will definitely buy stock in the company that comes out with that feature.

This definitely has great implications for the security professional. Although virtual systems are reliable and very handy, vulnerabilities are going to be serious issues in the future. In the same episode (if I remember correctly) the guys at CyberSpeak mentioned that there is malware out there that avoids deploying itself in virtual environments. How long before they leverage this for exploits and viruses on the child and parent systems? Besides, although the software version of VMware’s Server Beta edition is free (as in registration), not everybody can afford a system that can handle multiple virtual operating systems running at the same time in a smooth fashion.

Now I just need to get a Mac. Can somebody talk to my wife about it?
Cutaway

Edit: More detailed information can be found at Hack in the Box.


OSX Serious Security Concern

March 21st, 2006 cutaway Posted in Apple, Security

A friend of mine recently informed me that he was considering the switch from Windows to Macintosh. Now, if this friend of mine were a computer geek, or a graphic artist, or even somebody who likes messing with new things, I might not have been concerned. However, none of these things are the case. My friend’s sole reason for switching is because Apple’s Macintosh computers do not get viruses.

Unfortunately, this type of attitude happens a lot around uninformed technology users. They are not aware that security is more than just a perception with a pretty case. It is a complex organism that consists of the operating system, applications, hardware, and firmware. The integrity of each one of these affects the rest. Here are a few examples that persons switching to a Macintosh-based system should consider before making the move based on this logic.

  • The recent move of Apple to Intel-based chips exposes these systems to an area of technology that has been heavily researched by hackers and malicious users for years. Their knowledge of these types of systems will speed up the development of exploit code for newly discovered vulnerabilities. Additionally, because Macintosh programmers are moving from the world of PowerPC to Intel x86, there is potential that they will make mistakes that have already been discovered and, possibly, exploited. See Paul F. Roberts’ January 26, 2006 article at eWeek.com for more information about this concern.
  • The very recent and extremely serious vulnerability in OS X proves that even the best programmers, on what many consider to be a very secure operating system, can make huge and dangerous errors. The Handlers at the SANS Internet Storm Center cover this topic very well. All Macintosh owners should review this writeup and update their systems immediately once a patch for this security concern is available.
  • Macintosh users that choose (or are forced) to use programs from the Microsoft Office Suite are subject to all of the Macro Viruses that affect their Microsoft Windows brethren. Although the ramifications may be different, the potential for evil and destruction remains. Knowledge of this goes way back, as can be seen in an old CNET article on this subject, aptly named “Security flaw in Microsoft Office for Mac,” from April 16, 2002.
  • Networking Windows and Macintosh computers together is not for the non-computer-savvy user. Although there are many sites that help overcome this problem, the details can be a bit complicated and cumbersome (i.e. not for the keyboard challenged).
  • There are Trojan Horse programs in the wild that specifically target the Macintosh OS X operating system. A staff writer for MacNewsWorld wrote about this in the article titled “Mac Trojan Masquerades as MS Word Installer” that was published on May 13, 2004.

Hopefully, anybody out there considering making the switch from Windows to Macintosh will have a good reason to do so. The Macintosh systems are very good and personally I believe in the motto, “The right tool for the right job.” If a Macintosh is the right tool for the project you are working on then, by all means, make the switch. However, don’t go through all of the pain and suffering just because somebody (who doesn’t know what they are talking about) told you that they don’t make viruses for these systems. You just may be sadly mistaken.