Work on Microsoft patches extends beyond downloads

In the period between late December 2005 and January 2006, more than 10,000 computers across the country were hacked using a flaw in the Windows graphics-rendering engine - the software that processes images. "The Windows Metafile vulnerability is still being exploited, and will continue to affect people not current with their patches," said Steve Gibson, president of Laguna Hills, Calif.-based Gibson Research Corp., a data recovery software publisher and Internet security and privacy educator.

Patch management - the process of fixing flaws in an application or computer operating system's code - is a very real concern for CPAs, as evidenced by its 14th-place ranking in the recent American Institute of CPAs' list of top technology issues for 2006.

As Windows is the dominant operating system, and Microsoft one of the primary suppliers of business software for CPAs, a large part of patch management consists of keeping current with Microsoft's 50 patches or updates per year. CPAs and experts in the field agree that Microsoft does a fairly good job of updating and fixing bugs in its systems, but CPAs need to do their part in making sure that their clients' information is safe with or without an official MS patch.

"I advised my clients to apply the sub-patch [a patch developed by a third party] - that's the only time I've ever done that," said Brian Tankersley, a CPA, CITP and sole practitioner in Knoxville, Tenn. "The combination of the seriousness of the vulnerability along with the period of time before Microsoft was going to come out with a patch forced me to make a business decision like everyone else - use an imperfect patch or have 24/7 vulnerability."

The metafile vulnerability was the first and only time that the security community has endorsed a third-party developer's patch for a critical bug, said Gibson.

In late December, Microsoft acknowledged that there was a vulnerability in the way Windows downloaded certain images from the Web. Hackers posted images carrying hidden code on Web sites so that when the images were downloaded onto an Internet Explorer user's PC, a hacker could hijack the PC and download Trojans - malicious software used to steal private information - or spyware, which is software used to take control of a PC, or turn the user's computer into part of a botnet. A botnet is a collection of "compromised" PCs being used to attack other online users and corporations.

Microsoft came out with a recommendation for its users that Gibson called "lame" in a recent podcast for Security Now!, a weekly online technology radio show hosted by technology journalist Leo Laporte along with Gibson.

"It only protects some cases of Internet Explorer and disables displays of thumbnails," said Gibson.

Microsoft promised to release a real patch by January 10 - roughly two weeks after the vulnerability was publicly announced and judged as a low-to-moderate risk. Some in the security community felt that Microsoft did not take swift and appropriate enough action to deal with the bug. As a result, IT security consultants and CPAs began endorsing the third-party patch, developed by Ilfak Guilfanov, a senior developer at DataRescue, a Belgian software maker.

Technology concern Gartner Research Inc. did not support Guilfanov's third-party patch, advising against using outside fixes for Microsoft solutions.

"A big gray battleship moves slow; as with any corporation, it's not as fast and agile to push out updates as a smaller company," said Anne Stanton, CPA and president of The Norwich Group, a nationwide business and technology-consulting group. "However, I recommend going back to the source for the fix."

"From the moment we were made aware of the WMF vulnerability, our primary concern was producing an update to help protect customers. To that end, we activated our emergency response process and created an engineering plan to work non-stop throughout the holidays to get that update out," said Stephen Toulouse, security program manager with Microsoft's Security Response Center. "Customers have told us we absolutely have to get quality right when we produce an update. If we issue a security update that actually causes a problem on customer systems, then they won't deploy it. And a security update that no one deploys actually doesn't protect anyone."

Normally a third-party developer, beta tester or security expert will find a flaw and contact Microsoft. Usually the third party is not the one to provide the public with a patch, nor the one to publicly discuss what is wrong with the code, for fear the hacking community will exploit the weakness before a patch is released. Microsoft has so many products that are intertwined that an update to one part of its Windows operating code could cause other software to come crashing down.

"They are very careful with patches. That's why they don't release them daily - they want to test them. Everything they do will cause a problem for somebody, and even if it's just 1 percent, that's a million people. But they do the best they can," said Laporte. "Occasionally it will cause problems in other areas [of the software or operating system], but they are getting better, there are not as many problems."

Patching things up

Every second Tuesday of the month, Microsoft releases a number of patches addressing vulnerabilities found in its products. The day has come to be known as Patch Tuesday.

With Windows XP Service Pack 2, automatic updates were turned on by default, so users do not have to go to the Microsoft Windows Update or Microsoft Update pages every Patch Tuesday to download patches. Another automatic update mechanism that Microsoft makes available at the server level is Microsoft Windows Server Update Services. WSUS is a free add-on for Windows Server 2003 that automatically downloads and installs updates to PCs on the network via the server.
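The article describes automatic updates and WSUS but gives no way to confirm that a given machine is actually configured to use them or is current. The following PowerShell script is an added example, not code from the article, Microsoft or any of the people quoted. It reads the standard Windows Update policy registry keys to report where the client gets its updates and whether Automatic Updates is enabled, then uses the Windows Update Agent COM API (`Microsoft.Update.Session`) to list updates that are available but not installed. It assumes it is run with administrator rights on a client that can reach its update source (Microsoft Update or a WSUS server); the function names are the example's own.

```powershell
# Added example: audit a Windows client's update configuration and pending patches.
# Assumes administrator rights and reachability of the update source (Microsoft Update or WSUS).

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = "$policyKey\AU"

function Get-UpdatePolicy {
    # Returns where the client is pointed (WSUS or Microsoft Update) and the Automatic Updates setting.
    $wu = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey     -ErrorAction SilentlyContinue

    $usesWsus = ($wu.WUServer -and $au.UseWUServer -eq 1)
    [pscustomobject]@{
        Source       = if ($usesWsus) { "WSUS ($($wu.WUServer))" } else { 'Windows Update / Microsoft Update' }
        AutoUpdateOn = ($au.NoAutoUpdate -ne 1)
        # AUOptions: 2 = notify before download, 3 = auto download and notify,
        #            4 = auto download and schedule install; empty = no policy set (local setting applies)
        AUOptions    = $au.AUOptions
    }
}

function Get-MissingUpdates {
    # Queries the Windows Update Agent for software updates that are not installed and not hidden.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title    = $u.Title
            Severity = $u.MsrcSeverity                                   # 'Critical', 'Important', ...; blank for non-security updates
            KBs      = @($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Released = $u.LastDeploymentChangeTime
        }
    }
}

$policy = Get-UpdatePolicy
$policy | Format-List

if (-not $policy.AutoUpdateOn) {
    Write-Warning 'Automatic Updates is disabled by policy; this machine depends on someone patching it by hand.'
}

$missing  = @(Get-MissingUpdates)
$critical = @($missing | Where-Object { $_.Severity -eq 'Critical' })

"{0} update(s) pending, {1} rated Critical" -f $missing.Count, $critical.Count
# Oldest pending update first: the longer an update has been waiting, the longer the exposure window.
$missing | Sort-Object Released | Format-Table Title, Severity, KBs, Released -AutoSize
```

Running this on each workstation (or centrally through WSUS reporting) turns the "end users are notorious for not implementing them fast enough" observation into something measurable: the oldest item in the pending list is the machine's current exposure window, and a Critical entry dated before the last Patch Tuesday is the one to chase first.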

"It might take someone four or five hours to implement, but then the occasional approving of updates is cost-effective," said Brent Goodfellow, CPA, CITP and partner at Hillsboro, Ore.-based CPA firm BKR Fordham Goodfellow LLP. "You can sleep at night knowing that all those machines have current patches. Patches are out in plenty of time to close the hole, but end users are notorious for not implementing them fast enough."

Both Gibson and Laporte echoed Goodfellow's concerns that users do not practice the best patch management or the best Internet usage policies. Vulnerabilities are not exploited if a user practices good Internet and e-mail work etiquette, they said. A hacker cannot just jump onto someone's computer without the user first coming to him through such traps as a phony Web site or a forwarded e-mail containing a virus.

"The No. 1 thing is education of employees," said Gibson, who claimed that his PC has never been infected, even though he does not use spyware, anti-virus software or any other malware-blocking products. "Explaining to people that this is serious business, their jobs are on the line, they are subject to termination. A distinction has to be made - the computers at work are company assets and must not be allowed to be treated like personal computers at home."
