Strategien


Sicherheit

Patch and Pray

25.08.2003
Von Scott Berinato

Ironically, maintenance programmers write patches using the same software development methodologies employed to create the insecure, buggy code they ostensibly set out to fix. Imagine that 10 people are taught to swim improperly, and one guy goes in the water and starts to drown. Do you want to rely on the other nine to jump in and save him?

From this patch factory comes a poorly written product that can break as much as it fixes. For example, an esoteric flaw found last summer in an encryption program--one so arcane it might never have been exploited--was patched. The patch itself had a gaping buffer overflow written into it, and that was quickly exploited, says Hernan. In another case last April, Microsoft released patch MS03-013 to fix a serious vulnerability in Windows XP. On some systems, it also degraded performance, by roughly 90 percent. The performance degradation required another patch, which wasn't released for a month.

Slammer feasted on such methodological deficiencies. It infected both servers made vulnerable by conflicting patches and severs that were never patched at all because the SQL patching scheme was kludgy. These particular patches required scripting, file moves, and registry and permission changes to install. (After the Slammer outbreak, even Microsoft engineers struggled with the patches.) Many avoided the patch because they feared breaking SQL Server, one of their critical platforms. It was as if their car had been recalled and the automaker mailed them a transmission with installation instructions.

Confusion Abounds

The initial reaction to Slammer was confusion on a Keystone Kops scale. "It was difficult to know just what patch applied to what and where," says NTBugtraq's Cooper, who's also the "surgeon general" at vendor TruSecure.

Slammer hit at a particularly dynamic moment: Microsoft had released Service Pack 3 for SQL Server days earlier. It wasn't immediately clear if SP3 would need to be patched (it wouldn't), and Microsoft early on told customers to upgrade their SQL Server to SP3 to escape the mess.

Zur Startseite