A suggestion for security pros: Don't take your vacation in August. Indeed, a pattern has emerged in recent years...
in which attackers take a recently disclosed Microsoft flaw and exploit it in dramatic fashion, often in the first two weeks of the month.
Even the U.S. Department of Homeland Security, which rarely joins the post-Patch Tuesday stampede of warnings, issued a public advisory urging Windows users to install the MS06-040 fix as soon as possible. At the Bethesda, Md.-based SANS Internet Storm Center (ISC), volunteer handler Swa Frantzen warned, "Those of you still testing patches ... better hurry up and get some of these fixed before you get hit."
By Sunday, attackers were targeting the Windows Server Services flaw with malware in a bid to expand their IRC-controlled botnets. Cupertino, Calif.-based Symantec Corp. labeled the malware W32.Wargbot, while Tokyo-based Trend Micro called it WORM.IRCbot-JK and Santa Clara, Calif.-based McAfee Inc. labeled it IRC-Mocbot!MS06-040.
This time last year, security experts were sounding the alarm following the Windows Plug and Play vulnerability, which Microsoft had patched in its August 2005 batch of fixes. Attackers exploited the flaw a few days later with the Zotob worm.
So what is it about August that makes it such a threatening time of year? Some IT professionals have their theories.
Susan Bradley, network administrator for Fresno, Calif.-based Tamiyasu, Smith, Horn and Braun Accountancy Corp., thinks the bad guys like to cause trouble when the good guys are on vacation.
"Something always happens during the Christmas holiday, and it wrecks the holidays for IT administrators, and something always seems to happen in August to wreck their summer vacations," she said. "Also, System Administrator Day is July 28, so maybe things happen in August to reinforce the appreciation everyone has for us."
Paul Asadoorian, lead IT security engineer for Brown University in Providence, R.I., speculated that the annual Black Hat hacker event in Las Vegas is a factor.
"People go to Black Hat and pick up all this knowledge about how to exploit various technologies," Asadoorian said, "then they decide to use Patch Tuesday to practice their newest skills."
That's especially problematic in a university environment, he said, since students returning to campus in August tend to come with computers that are infected with malware.
In the case of the Windows Server Service flaw, Bradley and Asadoorian are bracing for what may be another awful August. Bradley noted that H.D. Moore, co-creator of the Metasploit Framework, has already released exploit code, as have other researchers, adding, "That means the clock is ticking."
In fact, the bot attacks against the flaw started little more than a day after Bradley warned of the imminent threat.
That doesn't mean IT administrators are panicking as they evaluate whether to patch immediately or focus on other options.
Asadoorian said IT shops that deploy a variety of defenses and educate users on smart computing habits can fend off whatever August exploits come their way. "We try to throw technology at the problem as much as we can," he said. "We separate student computers from the rest of the campus and check them for problems before letting them on the network."
Organizations also need to have their VPNs and firewalls in place, and make sure antivirus signatures are kept up to date, he said, adding that network access control (NAC) is an essential element of a strong security program.
"Network access and/or endpoint assurance are two technologies every organization should try to take advantage of, something that checks the host when it tries to plug into the network," Asadoorian said. "You also need to educate the users because that goes a long way. Each semester we offer 15 hours of training for staff and about four hours for students."
Bradley has also noted some positive developments that may make future August attacks much less harmful.
"The good news is that the newer platforms are in wider use," she said, noting that her environment is now made up of machines running Windows XP SP2 and Windows 2003. While the Windows Server Service flaw can be exploited to take complete control of older platforms, she said, attackers can only use it to cause a denial of service on the newer platforms.
"As an administrator, a denial of service isn't as worrisome as someone taking over my machine," she said.
Bradley's advice for dealing with the current threat is to separate the MS06-040 patch from the rest of this month's urgent updates and deal with that one first.
"Leave the other 11 [bulletins] behind, test this one and fast-track it," she said.