Under the dark cloud of recent zero-day attacks, Microsoft is quickly working to update its enterprise patching tools to incorporate short-term, quick fix technologies to thwart malware that is already actively exploiting vulnerabilities.
Microsoft's goal is to add its Fix-it technology, introduced in January, into its overall patch management toolbox, which is anchored by Patch Tuesday. The idea is to streamline blockers for zero-day attacks into current patching best practices.
The Fix-it code provides immediate protection and can act as a placeholder until a patch is developed and tested. Fix-its are MSI files that once installed turn off vulnerable ActiveX controls by changing registry settings in the OS. MSI files allow administrators to install, maintain and remove software from the OS.
“We want to figure out how better to integrate Fix-it into the rest of the Microsoft patching story,” says Paul Schottland, product unit manager in the product quality and online organization within Microsoft's support and services group. The group has been doing the majority of the work on the Fix-it technology.
Microsoft has released more than 300 Fix-its since January, mostly to correct issues that vex non-techies such as replacing an IE shortcut deleted from the desktop or fixing issues with the sound system.
But more recently, the majority of Fix-its have been for security vulnerabilities.
“The path we would like to take is a sort of best practices across the industry,” said Schottland. “The path we are heading down is making sure the IT industry collectively can say this is a new tool and this is how it fits into the overall enterprise that we manage.”
Microsoft plans to publish a white paper next month outlining that strategy.
Schottland says Fix-it technology is not applicable to every security vulnerability but works well when certain features need to be turned on or off rather than fixes that have multiple configuration options.
Earlier this week, Microsoft issued Fix-it “kill-bits” for an ActiveX vulnerability in Office Web Components. A patch is still being developed, according to Microsoft. The company also issued kill-bits for two other zero-day attacks exploiting ActiveX controls.
On Tuesday, Microsoft issued its first ever patch – MS09-032 – made up of a collection of “kill-bits” from previously released Fix-it code.
While the kill-bits are effective, the problem for companies is getting them deployed in an automated manner. Fix-it technology today is mostly done manually at each machine via Microsoft’s Web site. The technology is mostly designed for consumers, although some vendors are beginning to provide corporate users with tools to centrally manage rollout of Fix-it code.
Microsoft for its part is recommending its System Center Configuration Manager or the group policy features associated with Active Directory for rolling out Fix-it code via a network. Schottland's group is working with the Microsoft Security Response Center and the Windows Update team to develop an enterprise solution for rapid deployment.
Microsoft is already allowing IT administrators to download the Fix-it MSI files and push them out from within their own networks as an install that does not require end-user action.
“They can use log-in scripts, Group Policy or Configuration Manager,” he says. OEMs are also getting rights to distribute the MSI packages.
Those rights are in sharp contrast to patches, whose distribution is tightly controlled by Microsoft to ensure the integrity of the software. MSI files will be digitally signed, however, just like patches.
Schottland also says some Fix-it tools are coming out with more diagnostic capabilities but they require PowerShell, which runs on XP, Vista and Server 2003 and ships as part of Windows Server 2008 and Windows 7.
“Will [Fix-it] be another avenue into applying some security fixes? Absolutely,” says Schottland.
Some experts say Microsoft is applying its efforts in the right places.
“This is a tailor made problem for group policy to solve,” says Darren Mar-Elia, CTO and founder of SDM Software, which develops Group Policy tools. “Group Policy was designed originally to push out registry settings.” He says the newer Group Policy Preferences introduced with Windows Vista and Windows Server 2008 make the process easier. Mar-Elia outlined the Group Policy options in a blog post Thursday.
The unsolved issue, however, is one of logging and reporting of success or failure of installation.
“We have some free PowerShell commandlets that let you find out if policy processing worked, but it does not verify the results,” said Mar-Elia. SDM is working on a tool to add that verification.
Still others say Microsoft is on the right track toward protecting users.
“Microsoft is new to this, but I think they are doing the right thing,” says Eric Schultze, CTO of Shavlik Technologies. “In the days of old they just waited for Patch Tuesday. It's great they now have a way to turn around a fix in 24 hours. The question is can they make it easier for IT admins to roll out. I think they will do that.”
Schultze says Shavlik customers are already asking it to provide packages they can install via Shavlik patch management tools and Shavlik is pushing out Fix-it packages via its software.
“It is kind of a slippery slope. We start to become vulnerability management instead of patch management,” he says.
But IT administrators are turning to whomever they trust as they scramble to deal with the rising trend of zero-day attacks. Microsoft has reported five since February.
Wolfgang Kandek, the CTO of Qualys, says the security vendor has 60 zero-day exploits listed in its database. He says other vendors have more than 100.
“I don’t think the zero-day trend will end anytime soon,” says Amol Sarwate, manager of vulnerabilities research lab of Qualys.
Kandek says the interesting trend here is how these recent zero-day attacks are targeting ActiveX, a technology that allows code from a Web page to execute locally. Java Applets implement a similar concept although many feel they are less powerful and less dangerous because they don't command the same sort of OS control as ActiveX.
Google also is developing technology called Native Client for its recently unveiled Chrome OS that allows code to execute locally to boost the performance of Web-based applications. Google engineers admit the technology can be “ambitious and risky” and are working on security such as sandboxing and prohibiting certain actions.
Some say Microsoft's action of disabling Active X is a quick fix.
“They are going to have to get around to fixing the underlying code,” says Paul Henry, security analyst for security vendor Lumension. “Disabling is not the solution.”
Henry says the problem involves more than just Microsoft. He notes that Mozilla is instructing users to disable the Just-in-time (JIT) JavaScript compiler in Firefox 3.5 as Mozilla works to fix a vulnerability that is the focus of a zero-day attack. Adobe patched a zero-day PDF bug last month.
