If the Sasser worm's any indication, security experts said, malicious code writers will continue to find speedier ways to exploit weaknesses. That's why the IT security community needs to find a better way to respond.
Microsoft announced an unprecedented eight patches to fix 21 vulnerabilities on "Patch Tuesday" last month, one of which Sasser's creators exploited within three weeks. The next wave of security fixes is scheduled for release tomorrow.
Given that the Sasser worm variants have hit 500,000 to 1 million unpatched machines to date, according to industry estimates, concern abounds that the window is rapidly closing between the time it takes vendors to identify holes and for attackers to take advantage of them. Each new assault takes the world closer to zero-day exploits, when hackers will have the means to strike the day a new gap is announced.
Mark Nicollet, analyst for Connecticut-based research and advisory firm Gartner Inc., said the challenge is for organizations to put systems in place to end the recurring nightmare where administrators scramble to update their security software ahead of the next worm or virus, only to discover later that the patches they installed conflict with other software, causing computers to slow down or crash.
"Looking at the most recent cycle between vulnerability, and attack and the impact rapid patching has had on an organization, it becomes apparent we'll need additional approaches to protect systems other than installing
He noted that some of his clients are able to patch systems quickly. But while they're able to minimize the impact of the attack or prevent it altogether, they're left to deal with unintended consequences.
"The patches and their interaction with the network's other components and software can cause shutdowns," he said. "When we update quickly, there's no time to document and predict the secondary effects. Server downtime is also an issue, with IT staff having to shut down the system to install the patches."
The bottom line, he said, is that "rapid patching is necessary but insufficient. We need to reach the point where blocking technology is effective enough to let us patch in a less disruptive, risky way, even without zero-day exploits."
Eric Schultze, chief security architect for Shavlik Technologies of Roseville, Minn., said when it comes to the prospect of zero-day attacks, his biggest concern is that software experts are putting too much information in the public domain and unintentionally helping the hackers.
"How bad the next worm will be or how quickly it gets out there will depend on whether we see a researcher publish a critical report on the next flaw," Schultze said. "Worms like Nimda, Code Red, SQL Slammer and Sasser were probably helped along by there being too much information out there."
He said researchers think they're helping the IT community by putting detailed reports outlining the latest security flaws on the Internet for all to see. If they had simply given their research to Microsoft and kept it from public view, Schultze asked, "Would we have Sasser?"
Schultze said the best approach is for researchers to "find the bug, alert the vendor and keep the rest out of the public domain." Then, "the vendor can simply put out a warning saying there's a flaw on this program and here's the patch."
As the industry waits for Microsoft's announcement and the next malicious code, some express skepticism that the zero-day attack will ever happen.
"I don't think it'll reach the point where hackers have a zero-time turnaround," said Dennis Racca, president of network security provider Umbra Networks in Andover, Mass. He predicts malicious code writers "will only narrow the gap to two weeks."