Sidewinder does some patch work

In the past couple of weeks, some 9 million PCs have become infected by a worm that would not exist if their users had applied a Windows security patch in October 2008. Davey Winder considers the impact of poor patching on NHS security.
IT managers get quite excited every fortnight, on what has come to be called “Patch Tuesday.” That’s when Microsoft releases its scheduled security patch updates, and it has become a permanent fixture on the IT calendar.
It isn't just Microsoft operating systems and applications that need to be maintained. Whichever operating system you use, whatever applications you have installed, you need to ensure they are always kept up to date with the very latest security fixes.
If everyone did that, and kept their antivirus applications bang up to date as well, then we would not have problems like the Cornficker worm running riot right now.
Cornficker outbreak
Ah yes, Cornficker. Or Conficker. Or Kido, or Downadup. Call it what you like, it’s widespread right now. As I write this, Cornficker has managed to infect in excess of 9 million users in little over a couple of weeks. It disguises itself as the Windows services.exe executable in order to bury itself deep in the operating system, then modifies the registry so that it is permitted to run as a proper service.
Then the “fun” starts with the installation of an HTTP server on your system, so that it can download more malware and ready itself for whatever payload is coming at some point in the future.
By resetting the Windows System Restore point, it even makes sure it can come back from the dead. The people behind it will almost certainly unleash a mega-botnet when enough users are infected, although you might think close on 10 million was enough for anyone.
The blame game
And what allows Cornficker to survive? Poor patch management, that's what. If people had installed MS08-067, a patch from way back in October 2008, it would simply not be a problem. But millions, as evidenced by the numbers getting infected, have not done so.
Others, who are usually on the ball regarding patches, took their eye off said ball at just the wrong moment. According to reports, teaching hospitals across Sheffield have been infected by Cornficker because 8000 PCs had their Windows security updates switched off, meaning that they got no more security patches.
While the clean-up process goes on, some non-urgent appointments have had to be cancelled. Apparently the updates were temporarily disabled after some PCs rebooted mid-surgery just before Christmas.
Although I am sure the IT department acted with the best interests of patients in mind, disabling updates across an entire network to “avoid further disruption” is a typical case of using a sledgehammer to crack a nut. Still, the incident certainly helps to highlight the importance of patch management.
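As an added example (not the column's own code), the following PowerShell audit checks a single host for the two failures described above: the MS08-067 fix not being installed, and automatic updates having been switched off as at the Sheffield hospitals. It assumes the MS08-067 hotfix ID KB958644, which the article does not quote, and that the host uses the standard Windows Update registry locations.

```powershell
# Added audit example (not from the column): report whether this host shows
# either failure described above: the MS08-067 fix missing, or Windows
# automatic updates switched off. Run from an elevated PowerShell prompt.

# MS08-067 was shipped as hotfix KB958644 (the KB number is not on the page).
$Ms08067Kb = 'KB958644'

function Test-Ms08067Installed {
    # Get-HotFix reads the same installed-update list as the Control Panel.
    return [bool](Get-HotFix -Id $Ms08067Kb -ErrorAction SilentlyContinue)
}

function Get-AutoUpdateState {
    # A Group Policy setting takes precedence over the local Control Panel one.
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $local  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

    $noAuto = (Get-ItemProperty -Path $policy -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate
    if ($noAuto -eq 1) { return 'Disabled by policy (NoAutoUpdate=1)' }

    $opt = (Get-ItemProperty -Path $policy -Name AUOptions -ErrorAction SilentlyContinue).AUOptions
    if ($null -eq $opt) {
        $opt = (Get-ItemProperty -Path $local -Name AUOptions -ErrorAction SilentlyContinue).AUOptions
    }
    if ($null -eq $opt) { return 'Unknown (no AUOptions value found)' }

    switch ($opt) {
        1       { 'Disabled (AUOptions=1: never check for updates)' }
        2       { 'Notify before download' }
        3       { 'Download, then notify before install' }
        4       { 'Download and install on schedule' }
        default { "Unrecognised AUOptions value $opt" }
    }
}

# The Windows Update service itself must be able to run for any setting to matter.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'"

'Windows Update service : {0} (start mode {1})' -f $svc.State, $svc.StartMode
'Automatic updates      : {0}' -f (Get-AutoUpdateState)
'MS08-067 ({0}) present : {1}' -f $Ms08067Kb, (Test-Ms08067Installed)

if (-not (Test-Ms08067Installed)) {
    Write-Warning 'MS08-067 is missing: this host is still open to Cornficker until it is patched.'
}
```

Run the same script across a fleet (for example via remoting) to find the machines on which someone has quietly switched updates off.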
The bottom line
Patch management is a vital part of your security strategy. The patch management process should be seen as the channel through which your security updates are deployed, and treated as a security priority rather than a systems maintenance issue.
The bottom line, as the Cornficker problem makes clear, is that unless you have both a mechanism to install security updates in a timely fashion and the will to make patch distribution a high priority, the virus writers will take advantage of your apathy, and it is your users who will suffer.
About the author: Author, journalist and consultant Davey Winder has been writing about security issues for 16 years. In June, he won the Security Journalist of the Year 2008 award: the second time he has been given this honour in three years.