The Blaster worm gave network and security mangers a scant four weeks to patch the critical Windows DCOM-RPC vulnerability. While there's little data to define a trend, many in the infosecurity community say the window for patching systems against publicly announced exploits is getting shorter.
"What we're seeing is if you don't already have a defense in place, you won't have any time to react anymore," says Kris Zupan, CEO of e-DMZ Security, a comanaged service provider. "It's no longer 'shame on the sysadmin' for not applying patches that are six or eight months old."
Worms are usually preceded by ample warning, which gives enterprises more than enough time to patch or secure their systems. In contrast, the DCOM vulnerability and patch were announced almost simultaneously in mid-July with the publishing of the exploit code. Blaster appeared Aug. 12, just as enterprises were implementing their patching program.
"A couple of weeks to test patches and put out a deployment plan isn't unreasonable," says Eric Schultze, executive director of product research and development at security tools vendor Shavlik Technologies. "If worms come out faster than that, major corporations are going to have a real problem."
One organization looking at the need for faster patch management is the Internal Revenue Service (IRS), which narrowly averted a major Blaster infection of its massive 125,000 Windows workstation environment.
"This new trend means we're going to have to react faster," says Jim Kennedy, an IRS program manager. "The next time Microsoft releases a patch, we will apply that patch with a greater sense of urgency."
Not all agree the patching window is closing, or that it needs to exist at all. Rather than worrying about patches, some say the answer resides in the basic network architecture, defense-in-depth security strategies and old-fashioned vigilance.
"The final strategy is going to involve patch management at the OS level, more network defenses, network segmentation that will provide protection even when you're unaware of an exploit," says Zupan.
FOR MORE INFORMATION: