Vulnerabilities, Exploits, and Patches (Sidebar)
Associated article: Client Patching at Microsoft

Software security issues are generally characterized in terms of vulnerabilities, exploits, and patches. Vulnerabilities are bugs or other holes in software that expose the software, or systems built on it, to malicious attacks such as worms or viruses. Exploits, such as SQL Slammer, are attacks that target known vulnerabilities. Patches are small pieces of code that fix vulnerabilities.

Vulnerabilities in Microsoft products are ordinarily flagged by external sources: for example, a customer using SQL Server, or an independent security watchdog group such as the colorfully named "The Last Stage of Delirium," which discovered the vulnerability responsible for the SQL Slammer exploit. When a user or a group uncovers a vulnerability, they alert the Microsoft Security Resource Center (MSRC), which determines the potential risk associated with the vulnerability and alerts the appropriate Microsoft development organization. Once aware of the vulnerability, the development organization fixes it in the underlying code. If a vulnerability is deemed sufficiently threatening, Microsoft releases the patch immediately through the MSRC. For vulnerabilities not deemed highly threatening, the fix is typically rolled into the product's next service pack, a collection of product bug fixes and previously released patches that the company releases periodically.

Generally, Microsoft officially announces a vulnerability at the same time as it releases the patch that addresses it. At this point the race is on: hackers scramble to write exploits targeting the vulnerability, while corporate IT departments start the process of examining the vulnerability, testing the patch, and hardening their networks and clients against potential exploits by deploying it. The time that elapses between public knowledge of a vulnerability and the appearance of an exploit that targets it has steadily decreased, and as of Dec. 2003 it is down to between two and three weeks. For example, the Aug. 2003 Blaster worm appeared about 17 days after the corresponding vulnerability was revealed, whereas the July 2001 Code Red worm appeared several months after its vulnerability was revealed. A zero-day attack—an exploit that is released as soon as the vulnerability becomes known—is an increasing possibility.

In all cases, the goal for IT departments is to have 100% of vulnerable corporate clients patched before an exploit of a known vulnerability is released publicly.