Dark Reading is part of the Informa Tech Division of Informa PLC

3/11/2009
02:09 PM
George V. Hulme
Commentary

Crazy Patch Tuesday (And Not Because Of Microsoft, Either)

As Microsoft's Patch Tuesdays go, this one struck me as a fairly straightforward day. Yet, what was up with Symantec and Adobe? Patch Tuesdays aren't a good day to make the jobs of IT security and operation teams any more difficult than they already are.

When Microsoft initiated "Patch Tuesdays" a number of years ago, the point was to help IT teams better align their resources to assess the systems that need to be patched, test those patches, deploy them, and finally make sure that those patches have been properly applied. It's a lot of work, and companies need to be able to assess and mitigate their risks as fast as possible.

That's why they don't need nonsensical, completely avoidable gaffes that make their workdays hell. But that's what they got from Symantec and Adobe yesterday.

Around end of day Pacific Time on Monday, Symantec released what it called a diagnostic patch "PIFTS.exe" for Norton Internet Security and Norton Antivirus 2006 & 2007. Here is what Symantec said about the incident on its blog:

This patch was released for approximately 3 hours (4:30 - 7:40 PM March 9, 2009 Pacific Time). In a case of human error, the patch was released by Symantec "unsigned," which caused the firewall user prompt for this file to access the Internet. The firewall alert for the patch caused understandable concern for users and began to be reported back to Symantec. Releasing a patch unsigned is an extremely rare occurrence that does not pose any security issues to our users. The patch reached a limited number of Norton customers and has subsequently been pulled from further distribution. Norton users are fully protected and do not need to take any action as a result of this issue.

PIFTS.exe determines which Symantec products, and their version levels, are installed on the system, and sends that information back to Symantec. The data is used to let users know when new product versions are available.

It doesn't cause any direct security risks, for sure. But it certainly caused a lot of distraction as corporate users would certainly, upon returning to work Tuesday, or even end of day Monday for those on the West Coast, start contacting their help desk and security managers asking what the heck was going on.

That's certainly not the distraction companies need on Patch Tuesday. Maybe next time Symantec could wait to do this after Patch Tuesday -- or at least not on the eve of Patch Tuesday? Is a little consideration for business users too much to ask?

And shipping unsigned software is really not an excusable mistake for a software security company to make.

Then there was Adobe. Initially, Adobe said it would patch a zero-day vulnerability on March 11. Fine, security teams could budget some time to deploy this patch while they're patching Microsoft's patches from Tuesday.

That was the plan, until Adobe decided -- without warning -- that it wasn't. Adobe shows up early. After weeks of patch and vulnerability game playing, this software company releases the patch a day early. But not just any day. No. They do this on Patch Tuesday.

When I first thought about Adobe's action, I thought maybe I was being too tough. It's good to have a patch out, and sooner, rather than later. Except for when you already told the world you'd be releasing the patch on Wednesday, and the day early happens to be Patch Tuesday.

I entered an e-mail exchange with Andrew Storms, director of security operations for nCircle, on Adobe's action, and here's part of what he had to say:

As if IT security teams didn't have enough to worry about today, Adobe released a patch for their high-profile zero day vulnerability in Adobe Reader and Acrobat.

Why would they decide to release today? The obvious thought is they wanted to deliver the patch once it was ready and any ramifications to release it on the same day as Microsoft was probably tossed aside as a minor problem.

It's actually too bad, since the timing will just further the confusion already with Adobe. Remember that it chose to release a patch for Flash that wasn't even being publicly exploited? That event, along with the delay in Adobe's public information dissemination, has caused it much angst in the last month.

I agree with Andrew. And I'll add that, in my discussions with other IT security managers, more people also are fed up with the lack of consideration software companies are showing about the ramifications their patch and update release cycles have on operations. It's one thing if you are a consumer, and you have one to half a dozen PCs to patch. It's quite another if you are a business with 500, 5,000, or more.

It's time more software companies take this into account in their decisions as to when they publish updates.
