Thursday, March 28, 2019

Patch Tuesday & Exploit Wednesday

The Risk of Patch Tuesday

Level: Basic

In computer systems, the word “patch” refers to a code correction to a piece of software or to an operating system. The correction is needed to fix a bug (a mistake in the code's logic or syntax) that may open a security hole, which security professionals call a "vulnerability". The person who discovers a bug could be a cracker or a software programmer. However, a vulnerability is not always disclosed to the public, which means the number of undisclosed vulnerabilities may well exceed the number of publicly known ones, and there is a big business on the dark web around unpublished vulnerabilities.


Crackers may write an exploit to take full advantage of a discovered vulnerability; once that happens, we have a risk. A simple way to express the risk is this formula:

Risk = Threat (the exploit) × Vulnerability

A vulnerability with no working exploit, or an exploit with no unpatched system to hit, is little risk on its own; the two together are the problem.




Let's talk about Microsoft updates. The good news with Microsoft is that security updates are released on a fixed schedule: the second Tuesday of every month. The bad news is that once Microsoft releases an update, attackers can reverse-engineer it (for example, by diffing the patched binary against the unpatched one) to understand the bug the patch fixes, then write an exploit and use it to take over systems that have not been patched yet. This means the patch itself becomes a danger if it is not rolled out to machines promptly. The fancy name for this is “Patch Tuesday and Exploit Wednesday”.

[Illustration: an animated timeline of how this works, followed by the complete image without animation]


The illustration shows a running Microsoft application across the next Patch Tuesday and Exploit Wednesday:

(1) A Microsoft application is running on the organization's systems.
(2) Patches are due to be released on Tuesday, 9 April 2019 (the second Tuesday of the month).
(3) Organizations take from 1 to 10 days to patch all of their systems.
(4) Attackers reverse-engineer the patch to understand, or at least get an idea of, the bug it fixes.
(5) Antivirus vendors update their signature definitions and HIPS (Host Intrusion Prevention System) rules to protect machines.

The big question is the time between (4) and (3): the longer it takes to roll out the patch, the longer the unpatched systems are at risk. An incident in that window is often loosely called a zero-day attack; strictly speaking, a zero-day is exploited before any patch exists, and an attack on a system whose patch is available but not yet installed is a "1-day" (or "n-day") attack. For the victim the effect is the same.
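The window in step (3) is something you can measure rather than guess at. The following PowerShell is an added example (it is not from the original post): it computes the Patch Tuesday date for a month and reports, per host, whether a given KB is installed and how many days the host was (or still is) exposed. It assumes WMI/DCOM access to the hosts, which Get-HotFix uses, and a KB number taken from that month's Microsoft release notes; the 'KBnnnnnnn' and the host names below are placeholders.

```powershell
# Added example, not from the original post: measure the exposure window of
# step (3) above, i.e. the days between the Patch Tuesday release and the day a
# given KB actually landed on each host (or, if it is still missing, until today).
# Assumptions: WMI/DCOM access to the hosts (Get-HotFix uses it), and a KB number
# taken from that month's Microsoft release notes; 'KBnnnnnnn' is a placeholder.

function Get-PatchTuesday {
    # Second Tuesday of the given month (defaults to the current month).
    param(
        [int]$Year  = (Get-Date).Year,
        [int]$Month = (Get-Date).Month
    )
    $first = [datetime]::new($Year, $Month, 1)
    # Days from the 1st to the first Tuesday, plus one more week.
    $offset = ([int][DayOfWeek]::Tuesday - [int]$first.DayOfWeek + 7) % 7
    return $first.AddDays($offset + 7)
}

function Get-PatchExposure {
    # One row per host: whether the KB is installed, and how many days of exposure.
    param(
        [Parameter(Mandatory)][string]$KB,
        [Parameter(Mandatory)][string[]]$ComputerName,
        [datetime]$Released = (Get-PatchTuesday)
    )
    $today = (Get-Date).Date
    foreach ($c in $ComputerName) {
        try {
            # Pull the whole hotfix list once and filter locally: Get-HotFix -Id writes an
            # error when the KB is absent, which would be indistinguishable from a dead host.
            $hotfix = Get-HotFix -ComputerName $c -ErrorAction Stop |
                      Where-Object { $_.HotFixID -eq $KB } | Select-Object -First 1
            if ($hotfix) {
                $state = 'Patched'
                # InstalledOn can be blank for some entries; fall back to today in that case.
                $end   = if ($hotfix.InstalledOn) { $hotfix.InstalledOn.Date } else { $today }
                $days  = ($end - $Released.Date).Days
            } else {
                $state = 'Missing'                      # still exposed; the clock is running
                $days  = ($today - $Released.Date).Days
            }
        } catch {
            $state = 'Unreachable'                      # host down or WMI blocked: unknown, not "patched"
            $days  = $null
        }
        [pscustomobject]@{
            Computer     = $c
            KB           = $KB
            State        = $state
            ExposureDays = $days
        }
    }
}

# Usage (placeholder KB and host names; replace with your own):
# Get-PatchExposure -KB 'KBnnnnnnn' -ComputerName 'srv01', 'srv02' -Released (Get-PatchTuesday -Year 2019 -Month 4) |
#     Sort-Object ExposureDays -Descending | Format-Table -AutoSize
```

Hosts that cannot be queried are reported as Unreachable rather than silently counted as patched; a host you cannot see is a host you cannot vouch for, and in an exposure report that distinction matters more than a tidy zero.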

It is recommended to classify systems into three or more categories, for example: Testing, Critical, and Workstations. Patches should be tested on the Testing tier before being rolled out to all servers. Personally, I recommend rebooting the test server after patching, since problems often only appear after the reboot the update requires. System administrators need to be ready for a disaster in case an update damages a system or service, which in practice means having a recent backup or snapshot to roll back to.

For patch management you can use WSUS (Windows Server Update Services), which is included with Windows Server at no extra cost, or a commercial solution such as Lumension, Microsoft SCCM or Symantec Altiris.
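The tiered rollout described above maps directly onto WSUS computer target groups. The following PowerShell is an added example (not from the original post, and not part of WSUS itself): it approves pending security updates for one tier at a time and refuses to promote to the next tier while any machine in the previous tier still reports a failed install. It assumes the UpdateServices module (installed with the WSUS console / RSAT), WSUS administrator rights, a WSUS server reachable as 'wsus01' on port 8530 (placeholder name), and computer target groups already created with the names Testing, Critical and Workstations.

```powershell
# Added example, not from the original post: stage WSUS approvals tier by tier
# (Testing -> Critical -> Workstations, the three groups suggested above) and gate
# each promotion on the previous tier reporting no failed installs.
# Assumptions: UpdateServices module (WSUS console / RSAT), WSUS admin rights,
# a WSUS server reachable as 'wsus01' on 8530 (placeholder), and the target
# groups already created with these names.

Import-Module UpdateServices

function Get-PendingSecurityUpdates {
    param([Parameter(Mandatory)]$UpdateServer)
    # Security-classified updates that at least one client still needs or has failed on.
    Get-WsusUpdate -UpdateServer $UpdateServer -Classification Security -Approval AnyExceptDeclined -Status FailedOrNeeded
}

function Test-TierHealthy {
    param(
        [Parameter(Mandatory)]$UpdateServer,
        [Parameter(Mandatory)][string]$TargetGroupName
    )
    # Healthy = no computer in the group reports a failed update installation.
    # Wrapping the call in @() gives an empty array (Count 0) when nothing is returned.
    $failed = @(Get-WsusComputer -UpdateServer $UpdateServer -ComputerTargetGroups $TargetGroupName -ComputerUpdateStatus Failed)
    return ($failed.Count -eq 0)
}

function Approve-TierSecurityUpdates {
    param(
        [Parameter(Mandatory)]$UpdateServer,
        [Parameter(Mandatory)][string]$TargetGroupName,
        [string]$PreviousTier     # gate on this tier's health first; omit for the first (Testing) tier
    )
    if ($PreviousTier -and -not (Test-TierHealthy -UpdateServer $UpdateServer -TargetGroupName $PreviousTier)) {
        throw "Tier '$PreviousTier' still has failed installs; not promoting to '$TargetGroupName'."
    }
    $updates = @(Get-PendingSecurityUpdates -UpdateServer $UpdateServer)
    foreach ($u in $updates) {
        # Approval is per target group, so the same update is approved once per tier.
        Approve-WsusUpdate -Update $u -Action Install -TargetGroupName $TargetGroupName
    }
    return $updates.Count      # number of updates approved for this tier
}

# Usage, one tier per run; the gate is what keeps a bad patch from leaving the Testing tier:
# $wsus = Get-WsusServer -Name 'wsus01' -PortNumber 8530
# Approve-TierSecurityUpdates -UpdateServer $wsus -TargetGroupName 'Testing'
# # ... let the test servers patch, reboot them and verify the services, then:
# Approve-TierSecurityUpdates -UpdateServer $wsus -TargetGroupName 'Critical'     -PreviousTier 'Testing'
# Approve-TierSecurityUpdates -UpdateServer $wsus -TargetGroupName 'Workstations' -PreviousTier 'Critical'
```

The health check only looks at WSUS install status, so it catches updates that failed to install, not a patch that installed cleanly and then broke an application. The reboot and service check on the Testing tier between runs is still a human step; the script just stops you from promoting before that step has had a chance to happen.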

Let's waste the attackers' time and make a real change to the title, from Exploit Wednesday to Happy Wednesday 😄

Amir
