3/11/2009
02:09 PM
George V. Hulme
Commentary

Crazy Patch Tuesday (And Not Because Of Microsoft, Either)

As Microsoft's Patch Tuesdays go, this one struck me as a fairly straightforward day. Yet, what was up with Symantec and Adobe? Patch Tuesdays aren't a good day to make the jobs of IT security and operation teams any more difficult than they already are.

When Microsoft initiated "Patch Tuesdays" a number of years ago, the point was to help IT teams better align their resources to assess the systems that need to be patched, test those patches, deploy them, and finally make sure that those patches have been properly applied. It's a lot of work, and companies need to be able to assess and mitigate their risks as fast as possible.

That's why they don't need nonsensical, completely avoidable gaffes that make their workdays hell. But that's what they got from Symantec and Adobe yesterday.

Around end of day Pacific Time on Monday, Symantec released what it called a diagnostic patch "PIFTS.exe" for Norton Internet Security and Norton Antivirus 2006 & 2007. Here is what Symantec said about the incident on its blog:

This patch was released for approximately 3 hours (4:30 - 7:40 PM March 9, 2009 Pacific Time). In a case of human error, the patch was released by Symantec "unsigned," which caused the firewall user prompt for this file to access the Internet. The firewall alert for the patch caused understandable concern for users and began to be reported back to Symantec. Releasing a patch unsigned is an extremely rare occurrence that does not pose any security issues to our users. The patch reached a limited number of Norton customers and has subsequently been pulled from further distribution. Norton users are fully protected and do not need to take any action as a result of this issue.

PIFTS.exe determines which Symantec products, and their version levels, are installed on the system, and sends that information back to Symantec. The data is used to let users know when new product versions are available.

It doesn't cause any direct security risks, for sure. But it caused a lot of distraction: corporate users, upon returning to work Tuesday (or even at end of day Monday for those on the West Coast), would start contacting their help desks and security managers to ask what the heck was going on.

That's certainly not the distraction companies need on Patch Tuesday. Maybe next time Symantec could wait to do this after Patch Tuesday -- or at least not on the eve of Patch Tuesday? Is a little consideration for business users too much to ask?

And shipping unsigned software is really not an excusable mistake for a software security company to make.

Then there was Adobe. Initially, Adobe said it would patch a zero-day vulnerability on March 11. Fine, security teams could budget some time to deploy this patch while they're patching Microsoft's patches from Tuesday.

That was the plan, until Adobe decided -- without warning -- that it wasn't. Adobe shows up early. After weeks of patch and vulnerability game playing, this software company releases the patch a day early. But not just any day. No. They do this on Patch Tuesday.

When I first thought about Adobe's action, I thought maybe I was being too tough. It's good to have a patch out, and sooner, rather than later. Except for when you already told the world you'd be releasing the patch on Wednesday, and the day early happens to be Patch Tuesday.

I entered an e-mail exchange with Andrew Storms, director of security operations for nCircle, on Adobe's action, and here's part of what he had to say:

As if IT security teams didn't have enough to worry about today, Adobe released a patch for their high-profile zero day vulnerability in Adobe Reader and Acrobat.

Why would they decide to release today? The obvious thought is they wanted to deliver the patch once it was ready and any ramifications to release it on the same day as Microsoft was probably tossed aside as a minor problem.

It's actually too bad, since the timing will just further the confusion already with Adobe. Remember that it chose to release a patch for Flash that wasn't even being publicly exploited? That event, along with the delay in Adobe's public information dissemination, has caused it much angst in the last month.

I agree with Andrew. And I'll add that, in my discussions with other IT security managers, more people also are fed up with the lack of consideration software companies are showing about the ramifications their patch and update release cycles have on operations. It's one thing if you are a consumer, and you have one to half a dozen PCs to patch. It's quite another if you are a business with 500, 5,000, or more.

It's time more software companies take this into account in their decisions as to when they publish updates.
