Saturday, January 27, 2007

Patch Tuesday and the Cu Chi Tunnels

A few years back, my wife and I went to visit Vietnam. One of the more interesting stops on this fascinating trip was a visit to the Cu-Chi Tunnels - a network of hand-dug caves that formed part of a materiel and personnel supply chain that ran the length of the country during the Vietnam war. Inside the caves were dining halls, sleeping compartments, munitions stores - even a hospital. Pieces of the cotton ceiling of what was once the surgery's operating theater were still visible. But that wasn't what stayed with me.

During the tour, the tour guide, a gruff, ex-Viet Cong colonel, took us to see some of the craters left by the visiting B-52s. Despite years of tropical rain, the craters were still immense - I went down inside one and the resulting photo shows me standing in a crater at least twice as high as myself. Because there were many of these craters spaced closely together, I asked the colonel how it was possible that any of the local population had survived these attacks.

“Simple,” he replied, pointing to his watch. “Every day, they come at the same time. Every day, exactly. Because of this, we know. So we hide,” he said, pointing to the tunnel entrance.

Which brings me to Patch Tuesday.

If you've not heard of Patch Tuesday, it is the one day every month on which Microsoft releases patches for its operating system and applications. Like lots of policies, Patch Tuesday was created by Microsoft for what seemed at the time to be sensible reasons - namely, to let administrators plan in advance for patch releases and manage their IT resources against a predictable timeline.

Unfortunately, when you create a timeline for the good guys, you create a timeline for the bad guys as well. It is hard for me to believe that hackers, especially of the financially-motivated persuasion, would not be timing their own “product release schedules” around Patch Tuesday. And, after asking around this week, it seems there is at least anecdotal evidence that they are doing so.

So where does this leave us? As we all know, Microsoft is moving into antivirus vendor territory - and is starting to compete with traditional vendors, many of whom have labs dedicated to issuing virus definition updates - and application patches - often several times per day (certainly Authentium, F-Secure and Kaspersky can back up that claim). If Microsoft wants to convince us that it is serious about security, “Patch Tuesday” needs to be consigned to history.

There is evidence that this might be happening - slowly. Microsoft's recent “non-Patch Tuesday” release of Security Advisory MS06-055 may signal a new trend. If so, it is a move in the right direction. Allowing hackers to “look at their watches”, plan their “product” releases, and target business and consumer devices for a full month between Patch Tuesdays is *not* a good policy when it comes to winning a battle - just ask the colonel.