The Tech Herald

Qualys CTO Wolfgang Kandek talks security with The Tech Herald

by Steve Ragan - Feb 24 2009, 17:55

Qualys CTO Wolfgang Kandek talks security with The Tech Herald. (IMG:J.Anderson)

Every month Microsoft releases security updates. Sometimes these updates are for Windows, sometimes they are for Internet Explorer or Office, sometimes they are for all three, and then some. Yet, after each Microsoft release, new attacks on vulnerabilities addressed in the monthly updates appear online. This month, the attacks are aimed at Internet Explorer, which after all this time, many people fail to update consistently.

In business, updates are applied in order of need. There are critical systems to manage, and critical applications running on them. So when it comes time to roll out patches, browsers such as Internet Explorer will play second string to an update to Server 2003 or SQL Server.

This may seem strange: IT often leaves automatic updates enabled network-wide on the desktops, yet the end users often never apply them. That also assumes the end user in a business hasn’t disabled automatic updates on their own, thanks to being allowed to run as administrator.

When it comes to the order of importance for patch application, Microsoft has given companies the Exploitability Index, or EI for short. Microsoft created the Exploitability Index to help IT departments prioritize system patching and updating. It predicts the likelihood of functioning exploit code appearing for the vulnerabilities addressed by each patch. The index is now part of the monthly Security Bulletin Summary that appears every Patch Tuesday.

“Every month when Microsoft issues its security advisories we get asked what patch to apply first. Typically we are reluctant to elevate one vulnerability over the other; however, looking at the 2008 data we agree that Internet Explorer vulnerabilities should be given the highest priority and patched first,” said Qualys CTO, Wolfgang Kandek.

“The browser is the heaviest used software application that interacts with the Internet, the most likely source of malicious content. It is not only used for professional purposes but also in private interactions – e-commerce, social networking, private e-mail, etc. Browser patches are heavily tested by Microsoft and unlikely to break any existing functionality on the desktop.”

The comments come from an email sent to The Tech Herald on Patch Tuesday this month. While all of it was relevant, the comment that made the email stand out was one that centered on Internet Explorer updates.

“Unfortunately, the vulnerability data that we collect shows that companies treat browser patches just like all other patches – their deployment cycle correlates very closely with other critical patches. A daily automatic update check for Internet Explorer would be beneficial for its millions of users and make the Internet a safer place,” Kandek said.
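The two ideas above, Microsoft's Exploitability Index and Kandek's "browser first" recommendation, can be combined into a simple deployment ordering. The following is an example added to this article, not a Qualys or Microsoft tool: it ranks a month's bulletins by whether attacks are already in the wild, whether the patch is a browser patch, the EI rating (1 = consistent exploit code likely, 2 = inconsistent exploit code likely, 3 = functioning exploit code unlikely), and then severity. The bulletin list is constructed sample data; only the MS09-002 identifier comes from the article, and its severity and EI values here are assumed.

```python
"""Order a Patch Tuesday bulletin set for deployment.

Example code added to this article (not a Qualys or Microsoft tool).
The SAMPLE list below is constructed; ids other than MS09-002 are
placeholders, and every rating shown is an assumed sample value.
"""
from dataclasses import dataclass

# Exploitability Index ratings as Microsoft publishes them in the
# monthly Security Bulletin Summary.
EI_LABELS = {
    1: "Consistent exploit code likely",
    2: "Inconsistent exploit code likely",
    3: "Functioning exploit code unlikely",
}

# Products whose patches Kandek argues should jump the normal OS cycle.
BROWSER_PRODUCTS = {"Internet Explorer"}

SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str      # e.g. "MS09-002"
    product: str
    severity: str         # Critical / Important / Moderate / Low
    exploitability: int   # EI rating: 1, 2 or 3
    public_exploit: bool  # attacks already observed in the wild


def priority_key(b: Bulletin):
    """Sort key; a smaller tuple deploys earlier.

    1. anything already being exploited in the wild
    2. browser patches (small, well tested, highest exposure to hostile content)
    3. EI rating, 1 before 3
    4. bulletin severity
    5. bulletin id, to make the order deterministic
    """
    return (
        0 if b.public_exploit else 1,
        0 if b.product in BROWSER_PRODUCTS else 1,
        b.exploitability,
        SEVERITY_RANK.get(b.severity, len(SEVERITY_RANK)),
        b.bulletin_id,
    )


def deployment_order(bulletins):
    """Return bulletin ids in recommended deployment order."""
    return [b.bulletin_id for b in sorted(bulletins, key=priority_key)]


def explain(bulletins):
    """One human-readable line per bulletin, in deployment order."""
    lines = []
    for b in sorted(bulletins, key=priority_key):
        reasons = []
        if b.public_exploit:
            reasons.append("attacks in the wild")
        if b.product in BROWSER_PRODUCTS:
            reasons.append("browser patch")
        reasons.append(f"EI {b.exploitability}: {EI_LABELS[b.exploitability]}")
        reasons.append(b.severity)
        lines.append(f"{b.bulletin_id} ({b.product}): " + ", ".join(reasons))
    return lines


# Constructed sample month. MS09-002 is the IE bulletin the article mentions
# as under active attack; its Critical/EI 1 values are assumed. The MS09-XXn
# ids are placeholders, not real bulletins.
SAMPLE = [
    Bulletin("MS09-XX1", "SQL Server", "Important", 2, False),
    Bulletin("MS09-002", "Internet Explorer", "Critical", 1, True),
    Bulletin("MS09-XX2", "Windows Server 2003", "Critical", 1, False),
    Bulletin("MS09-XX3", "Office", "Critical", 3, False),
    Bulletin("MS09-XX4", "Windows", "Important", 1, False),
]

if __name__ == "__main__":
    for line in explain(SAMPLE):
        print(line)
```

Run as a script it prints the ordered list with the reason for each position; in a real workflow the `SAMPLE` list would be built from the month's bulletin summary rather than typed in.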

All browsers have an automatic update setting. Firefox will detect updates to the browser and alert the user to upgrade, or, depending on the setting, install them on its own. Google’s Chrome will update in the background, but the downside to that is a constant daemon running on the system that checks for updates.

With that thought in mind, The Tech Herald asked the Qualys CTO some questions.

When asked why Microsoft hasn’t implemented an auto patching mechanism for Internet Explorer, Kandek said, “Internet Explorer is tightly integrated into the Windows Operating System. It is most convenient to use the operating system’s patch capabilities, which take care of all the administrative steps such as authenticating to the update service, making sure that you are properly licensed and so on. As long as Microsoft does not treat Internet Explorer as a separate product it is difficult to argue for its own update service.”

Regarding the operating system’s update abilities, many end users disable the automatic updates offered by Microsoft. If an update mechanism were added directly to Internet Explorer, the ability to disable it would also have to be included. So wouldn’t that update process wind up disabled as well, leaving things back at square one?

“Certainly some users would disable the update feature, but the majority would leave it in its default configuration if it was not paired with lengthy or intimidating additional software downloads, such as Windows Genuine Advantage,” Kandek pointed out, adding, “In the corporate environment IT administrators would be empowered to install the well-tested and benign browser patches in this expedited manner, rather than forcing them to group the browser patches into the normal OS patch cycle.”

So what would be the ups and downs of an automatic update system for Internet Explorer?

“A separate auto patch module would in effect decouple Internet Explorer from the normal Windows update process. This would result in faster and less intrusive updates, as the patches tend to be smaller and typically only a browser restart would be required,” he explained.

“Authorization to apply the patches could be more flexible allowing even unlicensed users to install the latest version. On the corporate side separating the patch module would allow IT administrators to leave it in its default configuration of frequent updates, while they continue to tightly control and test the more intrusive operating system patches. The cumulative effect would be a healthier Internet.”

What other things could be implemented at the software level to add to the layers of security needed on a business or home network? For example, there is the Windows Firewall, regarded as useless by many in the security realm; the update system, as mentioned; and the layers of hardening in Vista, which earned complaints and often wind up being disabled as well.

“Hardening and limiting the capabilities of the end user’s machine seems to be the most promising avenue to me. The recent success of small, limited capacity laptops (netbooks) shows that many users are willing to part with functionality in exchange for speed and portability and shift to applications that run in the cloud – in the Internet. The growing rate of inclusion of ‘splashtops’ (http://www.splashtop.com/ - small, fast booting OS in the motherboard’s BIOS that typically offers browsing, e-mail, VOIP calls, music and DVD playback) in modern motherboards confirms that tendency,” Kandek said.

“Overall I expect typical home users to migrate to Smartphones as these devices become more powerful and cover more and more of our typical computing needs in conjunction with services provided by SaaS (Software as a Service) companies through the Internet.”

Recently, there have been attacks online that target the flaw in Internet Explorer patched by MS09-002. Auto patching for IE could have prevented this, but so would the ability to block the reverse engineering of the patch itself. Kandek was asked his opinion as to why Microsoft hasn’t created an update that cannot be reverse engineered.

“It would not help to try to hide the patch’s improvements. Windows is a complex piece of software with millions of lines of code. Obfuscating the code’s function would introduce an additional layer of complexity with its own bugs and cause a significant performance impact,” he said.

“In addition it would only deter simple attack attempts, and the sophisticated attackers of today would at the most be slowed down. The recent Conficker / Downadup worm used some obfuscation techniques, but nevertheless multiple security researchers were able to reverse engineer its code and were able to predict URLs used for command and control.”

The last question asked of Kandek focused on trends. Browser exploits are widespread, seen as one of the most common means of spreading malware. With that in mind, he was asked what trends he has seen in that regard. What tricks or off-the-wall attacks has he seen used?

“An attacker needs to lure the end users to his websites in order to infect the browsers and take control of the underlying machines. Most commonly they will send e-mails that entice the end user to visit the website by appealing to their curiosity, exploiting current social phenomena, or current events. Another way is to set up a website that offers some kind of useful or sought after service (pictures, videos, news updates). We have even seen malicious code embedded in security software that is disguised as a legitimate anti-virus or anti-malware product. I assume that attackers will have no ethical boundaries in the choice of their means to get control of the end users’ computers.”
