Automatic Software Updates
by Russ Rogers - 2/22/01
If you work in the realm of Attack and Penetration testing, then you probably already know that your best opportunity to get into a
target network is through the apathy of a network or system administrator who has not applied new patches to the box. And when you consider the
sheer number of operating systems and applications (not to mention each individual version number), that unpatched surface can really add up.
This brings us to a recent debate that centers around automatic updates. Now, when I say automatic, I mean that it happens without
any help (or interference) from the administrator. Patching software becomes a responsibility of the particular vendor who created
the product. When a vulnerability is recognized by a vendor, a patch is developed that will be made available for download by all
registered machines on the network.
Bruce Schneier, author of Applied Cryptography and founder of Counterpane, Inc., refers to the amount of time from the recognition
of a vulnerability to the release of an effective patch as the "Window of Vulnerability". This is the time when a hacker can most
easily exploit the vulnerability. Obviously, if an administrator does not patch the system when the patch is released, the window of
vulnerability is expanded.
Wow! It sounds like a great idea, but who is to blame if a corporate box on the network gets hacked? Does the vendor take
responsibility and become liable for damages on the customer box? They ARE the ones who are supposedly upgrading the server
automatically, right? Or does the person implementing the software on their network maintain the responsibility?
That's a tough question. What happens when an automaker releases a new vehicle with seat belts that don't adequately protect the
occupants? Will the company be held liable for any deaths that occur before all the vehicles are recalled and refitted with new and
safer belts? What happens if someone who didn't heed the recall gets injured with the old restraint system?
Now, let's talk directly to the people who run the servers, the administrators. Do you really trust vendors enough to allow these
automatic updates? How do you know that the patches they are applying won't crash the machine? What if the patches are actually
coming from someone else, someone with other intentions? The implications of such a situation are astounding.
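The worry that patches might be "coming from someone else" has a concrete answer: an update client must refuse to apply anything it cannot authenticate against a key it already trusts. The Go program below is an added example, not code from the original article or from any vendor's update mechanism. It assumes the vendor signs each update with an Ed25519 private key whose public half is pinned in the client, that the version number is bound into the signed data, and that the client rejects any update whose signature fails or whose version is not newer than what is installed. The keys, patch bytes and function names are all constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is what the vendor publishes: a version number, the patch bytes,
// and a signature over (version || SHA-256(patch)). Hypothetical format.
type Update struct {
	Version   uint32
	Patch     []byte
	Signature []byte
}

// signedMessage builds the exact byte string both sides sign and verify:
// the big-endian version followed by the SHA-256 digest of the patch.
// Binding the version into the signed data is what lets the client detect
// a replay of an older, genuinely signed release.
func signedMessage(version uint32, patch []byte) []byte {
	digest := sha256.Sum256(patch)
	msg := make([]byte, 4, 4+len(digest))
	binary.BigEndian.PutUint32(msg, version)
	return append(msg, digest[:]...)
}

// SignUpdate is the vendor-side step: sign the manifest with the vendor key.
func SignUpdate(priv ed25519.PrivateKey, version uint32, patch []byte) Update {
	return Update{
		Version:   version,
		Patch:     patch,
		Signature: ed25519.Sign(priv, signedMessage(version, patch)),
	}
}

// Client holds the pinned vendor public key and the version it currently runs.
type Client struct {
	VendorKey        ed25519.PublicKey
	InstalledVersion uint32
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify under the pinned vendor key")
	ErrRollback     = errors.New("update rejected: version is not newer than the installed one")
)

// Apply checks the update before touching the system: first the signature
// under the pinned key (which also catches any change to the patch bytes,
// since their digest is inside the signed message), then the anti-rollback
// check. Only then does the install proceed (here: the version counter moves).
func (c *Client) Apply(u Update) error {
	if !ed25519.Verify(c.VendorKey, signedMessage(u.Version, u.Patch), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= c.InstalledVersion {
		return ErrRollback
	}
	c.InstalledVersion = u.Version
	return nil
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Demo walks a client through five constructed cases and returns each outcome:
// a genuine update, a patch altered after signing, an update signed by a
// stranger's key, the next genuine release, and a replay of the earlier release.
func Demo() []error {
	vendorPub, vendorPriv := mustKey()
	_, strangerPriv := mustKey()

	client := &Client{VendorKey: vendorPub, InstalledVersion: 1}
	patchV2 := []byte("constructed patch bytes for version 2")
	patchV3 := []byte("constructed patch bytes for version 3")

	genuineV2 := SignUpdate(vendorPriv, 2, patchV2)
	tampered := SignUpdate(vendorPriv, 3, patchV3)
	tampered.Patch = []byte("constructed patch bytes altered in transit") // signature no longer matches
	stranger := SignUpdate(strangerPriv, 3, patchV3)                      // valid signature, wrong key
	genuineV3 := SignUpdate(vendorPriv, 3, patchV3)

	return []error{
		client.Apply(genuineV2), // nil: installed version becomes 2
		client.Apply(tampered),  // ErrBadSignature
		client.Apply(stranger),  // ErrBadSignature
		client.Apply(genuineV3), // nil: installed version becomes 3
		client.Apply(genuineV2), // ErrRollback: 2 is not newer than 3
	}
}

func main() {
	for i, err := range Demo() {
		fmt.Printf("case %d: %v\n", i+1, err)
	}
}
```

Note that this only settles who the patch came from and whether it is current; it says nothing about the other question in the same paragraph, whether the patch will crash the machine, which a signature cannot answer.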
Marcus Ranum, CTO of NFR, Inc., is one of the main proponents of the Automatic Upgrade option. His theory is that by removing the
administrator from the patch process, you give yourself and your network a much better chance of maintaining the latest patch levels.
Whether intentionally or accidentally, administrators have proven that they can and will miss some patches.
In the end, you'll have to decide for yourself whether you trust the vendor and their security process enough to allow automatic
updates. Will the lure of a constantly upgraded server be enough to diminish the risks associated with the upgrade process?