
Patch Time

Well, that certainly didn't take long.  It took hackers only one week from patch to exploit for the ASN.1 vulnerability.  It seems the more nefarious elements of our digital world are getting more proficient at reverse-engineering security patches.  This unfortunate situation only emphasizes the need for a good patch management policy.

You must have a patch deployment plan in your organization.  Whether your organization has 1 or 100,000 computers, you should have a patch management policy.  The plan should include testing patch installs on your standard machine image, regression testing of key applications with the patch, understanding how to back out the patch, deploying the patch, auditing the deployment process, and doing patch inventory on your machines.  You gotta do it.  Ain't no way 'round it.  Period.  Check out NTBugTraq for a good list of patch management tools.

I know this sounds like a substantial amount of work, but it really could be as simple as backing up your box, installing the patch, and testing your favorite apps.

One other very important part of having a good patch management policy is following your patch management policy.  It's like we say in diving:  Plan your dive, dive your plan.  You could have a very safe dive plan, but if you don't follow it you could get bent, or worse.  You can also have the best patch management plan ever devised, but if you don't follow it, it's worthless. 

Every major attack against the Windows OS was against a vulnerability that had a patch available.  331 days from patch to Nimda.  180 days from patch to SQL Slammer.  151 days from patch to Nachi.  25 days from patch to Blaster.  Time is getting shorter.  How many days until the next one (and you know there will be a next one)?

I've patched my boxen;  all 15 of them within 2 days of the patch release.  Are yours patched?

Cheers,

Published Wednesday, February 18, 2004 12:33 PM by michmill
