It’s been about a month since Microsoft released MS08-067, which I posted about here. Since the patch came out, malware writers have cobbled together a worm that is spreading across the internet, swelling the ranks of their already impressive botnet. How does this happen? Wasn’t the bug fixed? Let’s take a look at what happened.

First, the hole in the system stayed hidden for years: no one knew it existed, not MS security, not hackers, not the all-knowing Slashdotters. That is not necessarily a bad thing, because a vulnerability nobody knows about isn’t really a vulnerability at the time, right? It was only once the bug was discovered and disclosed that we started having a problem. In this case the turnaround was fairly quick: MS reacted appropriately, released an out-of-band update, and pushed out a lot of press about how imperative it is that people update their machines. The problem is that not everybody is going to update. Those people are exceptionally vulnerable right now, because in shipping a patch Microsoft not only told everyone about the bug but practically handed exploit code to the bad guys. A patch is like the inverse of an exploit: attackers can take the updated files, compare them against the old ones, and work out exactly which component of the system is vulnerable, since the code that changed points straight at the bug. The time between a patch release and the first sighting of in-the-wild exploitation can be mere hours.
So, my question is, what are we supposed to do? These bugs are going to exist. Every operating system will have a bug like this. Don’t believe the drivel that gets spouted about how Windows is architecturally inferior to every other system and is therefore the only one with these problems. Programmers and testers are human; they make mistakes. The question is how you deal with these bugs once they’re found. Obviously you have to disclose them; people need to be made aware of the situation. But once you tell people about the bug and patch it, some people are more at risk than they were before. I guess you could take comfort in the fact that fewer people are at risk (those who patched), but maybe the overall risk has increased, because now there is a worm spreading.

So, do we need a less informative way to disclose? Just tell people to update without saying what the problem really is? That won’t work either, because all the important information is in the binary patch that gets sent out from Windows Update. The bad guys have a Windows box too, and they get the update. OK, encrypt the patch? That won’t work either; they’ll just diff their machines before and after the update. It might slow them down a couple of hours, but that’s about it. So I’m at a loss. I guess I have to accept that patches lead to full disclosure, which leads to exploitation, and hope that people update their systems when they’re asked to. But I hate this conclusion, mostly because of that H word. Maybe we can make updates work the way they do in video-game land: force you to update before it will let you connect to the internet again. Any ideas?
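As an added example (my own illustration, not code from the original post), here is the "diff their machines" step that the two paragraphs above describe, in Python: hash a file tree before and after an update, list which binaries were replaced, and byte-diff a replaced file to find where it changed. The directory layout, file names and byte strings are constructed placeholders standing in for a system tree, not real Windows binaries or a real update.

```python
"""Added example: find what an update changed by diffing a machine against itself.

Step 1 (snapshot/diff_snapshots): hash every file before and after the update;
the files whose hashes changed are the patch's footprint.
Step 2 (changed_regions): byte-diff one replaced file to see where it changed.
Everything below uses constructed sample data, not real system binaries.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file under root (as a relative, '/'-separated path) to the
    SHA-256 of its contents. Run once before the update and once after."""
    root = Path(root)
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = str(p.relative_to(root)).replace(os.sep, "/")
            out[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out


def diff_snapshots(before, after):
    """Return (added, removed, modified) path lists between two snapshots.
    'modified' is the interesting list: the binaries the update replaced."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return added, removed, modified


def changed_regions(old, new):
    """Byte-level diff of one replaced file.

    Returns a list of (offset, old_bytes, new_bytes), one per contiguous run of
    differing bytes. If the files differ in length, the tail of the longer one
    is reported as part of the final region.
    """
    regions = []
    start = None
    for i in range(max(len(old), len(new))):
        # slicing yields b'' past the end, so a length difference counts as a change
        if old[i:i + 1] != new[i:i + 1]:
            if start is None:
                start = i
        elif start is not None:
            regions.append((start, old[start:i], new[start:i]))
            start = None
    if start is not None:
        regions.append((start, old[start:], new[start:]))
    return regions


def _write_tree(root, files):
    """Materialise a {relative_path: bytes} mapping under root."""
    for rel, data in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def demo():
    """Constructed scenario: a tiny fake 'system' tree before and after an update.
    File names and byte strings are placeholders, not real Windows binaries."""
    before_files = {
        "system32/example_service.dll": b"MZ\x90\x00"
        + b"\x55\x8b\xec\x8b\x45\x08\x50\xe8\x00\x00\x00\x00\xc3",
        "system32/untouched.dll": b"MZ\x90\x00" + b"\xc3" * 8,
    }
    after_files = dict(before_files)
    # The (made-up) update inserted a check (85 c0 74 05: test eax,eax / jz +5)
    # in front of the call in example_service.dll, and dropped in one new file.
    after_files["system32/example_service.dll"] = (
        b"MZ\x90\x00"
        + b"\x55\x8b\xec\x8b\x45\x08\x85\xc0\x74\x05\x50\xe8\x00\x00\x00\x00\xc3"
    )
    after_files["system32/update_notes.txt"] = b"constructed sample, not a real update"

    with tempfile.TemporaryDirectory() as pre, tempfile.TemporaryDirectory() as post:
        _write_tree(pre, before_files)
        _write_tree(post, after_files)
        added, removed, modified = diff_snapshots(snapshot(pre), snapshot(post))
        regions = {
            p: changed_regions(Path(pre, p).read_bytes(), Path(post, p).read_bytes())
            for p in modified
        }
    return added, removed, modified, regions


if __name__ == "__main__":
    added, removed, modified, regions = demo()
    print("added:   ", added)
    print("removed: ", removed)
    print("modified:", modified)
    for path, regs in regions.items():
        for offset, old, new in regs:
            print(f"{path} @ 0x{offset:x}: {old.hex()} -> {new.hex()}")
```

Two things the sample makes visible. The file-level diff is cheap and reliable: whatever the update touched shows up in `modified`, and encrypting the download does nothing to hide it once the files are on disk. The byte-level diff is only a starting point, though: the four inserted bytes in the constructed sample make every later byte of the file look changed, which is why real patch analysis moves from here to function-level comparison in a disassembler once the replaced binaries are known.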