Runsafe:Update Software

From WolfTech

Defects are frequently found in almost all commercial and open-source computer software. Many of these so-called bugs are just a nuisance, but some of them can give third parties the ability to run their code on our computers without our permission. This allows them to take control of our computers for their own purposes. Of particular importance are defects in programs that interact with other computers over the network. A defect in this type of program can enable our computers to be compromised from a remote location. With 600 million of us connected together around the world, that presents a lot of opportunity for mischief...or worse.

Running a computer with such vulnerable software on a network is like leaving the doors of our homes and offices wide open for anyone to enter. The difference is opportunity. Because of our Internet connectivity, people can go through open computer doors from anywhere in the world in seconds almost undetected. Because this activity is almost continuous, a vulnerable computer will be found and compromised in short order.

People don't need to be experts to perform a sophisticated crime. One expert can write a program that gives anyone that downloads it the benefit of the expert's knowledge.

We see scans and probes looking for open doors in our networked computers almost every day, as do others. Tools exist that automatically scan large segments of a network and exploit any vulnerable systems that are found, giving the user of the tool a cadre of compromised computers for later perusal and expansion. Worms, such as Code Red and Nimda, automate the scanning and exploit process to spread themselves. Most software is out-of-date and full of vulnerable defects on the installation CDs, and sometimes even when downloaded from vendor web sites. Scanners and automated worms may find a vulnerable server almost as soon as it is connected to the network. A freshly installed Windows computer can be infected within minutes of being connected to the network.

Defects in almost any type of software may result in a computer's compromise:

  • Defects in client software like web browsers and email readers may allow others to run code on our computer if we receive hostilely formatted email, scripts, or web pages. Such is the case with the Kak virus.
  • Defects in server software like web, ftp, and file sharing servers may result in allowing others to run code on our server by improperly handling maliciously created service requests. Software doesn't have to service hundreds of people to qualify as a server. Microsoft peer file sharing on a Windows 95/98 box is a file server. The Personal Web Service started along with Front Page on a Windows 95/98 box is a web server. Napster, gnutella, and Scour are file servers.
  • Defects in core operating system software like Microsoft Windows and Unix may result in allowing unprivileged operators to execute hostile code as a privileged process thus compromising our computer.
  • Even defects in seemingly innocuous software like printer drivers and network games have been known to have security implications.

We can prevent most of these issues from causing us problems by regularly updating our software.

Defects in popular add-on programs are often discovered that are not covered by automatic update sites. If you run any of the following programs, you will need to visit the vendor's site to make sure you have the most recent, and secure, version:

  • Instant Messaging Programs (AOL IM, Yahoo Messenger, Trillian, etc.)
  • Media players (RealOne, RealPlayer, Winamp, etc.)
  • Document viewing programs (Adobe Reader, Shockwave, etc.)

The Cassandra service will allow you to set up profiles indicating products of interest to you and receive email notifications when vulnerabilities associated with those products are reported. The service is offered by the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University.

Microsoft Windows Systems

Due to several defects discovered in Microsoft Windows NT, 2000, XP, and 2003 since August 2003, and associated exploitation of those defects by automated worms and criminals, it is no longer safe to plug a new computer running those versions of Windows into a network without following special procedures. To do so would mean a race against worms and hackers to get patches installed.

Recommendations for Windows Desktop Operators:

(note: Microsoft no longer supports Windows 95 and 98)

  • Use the Windows Update Service after every new installation.
  • Re-use the Windows Update Service once a month to keep the computer up to date. You can configure your computer so that it automatically checks for the availability of critical updates and notifies you with a popup window when one is available. Instructions are on Microsoft's web site.
  • Use Microsoft's Baseline Security Analyzer tool to check Windows NT, 2000, XP, and 2003 systems for updates and best-practice configuration recommendations when the computer:
    • Is used to access accounts with elevated privileges.
    • Runs remotely accessible services such as web, database, or file shares.
  • If Microsoft Office is installed and you're not using NCSU's Novell services for software management, visit the Office Update Site monthly.
  • Double-click the Norton Anti-Virus gold shield icon in the lower left of your screen. A Norton window will come up. Check the date of the Virus Definition File. If it is more than two weeks old, the Norton Anti-Virus program is not updating itself correctly.
  • Upgrade or replace software which Microsoft doesn't support with security patches. Of particular importance in this respect are:
    • Internet Explorer versions 3 and 4
    • Office 97 and 98 for Windows
    • Windows 95 and Windows 98
  • Cygwin users must also check for defect updates in Unix programs packaged with Cygwin or installed separately. For example, OpenSSH.
  • Review computer security Hot Topics page at least monthly for announcements of software defects or other issues that may affect you.

Recommendations for Windows Server Operators:

Servers need to have more timely patches as they run software that is accessible to anyone on the Internet. Patches should be installed as they become available.

  • NEVER bring up a server until all patches and configuration changes have been completed. Unpatched servers have been found and compromised in minutes by automated worms and scripts. Install the software while the machine is disconnected from the network, make sure all servers are shut down, connect to the network and download the patches, disconnect from the network, and apply patches.
  • Use Microsoft's Baseline Security Analyzer tool to check Windows NT, 2000, XP, and 2003 systems for updates and best-practice configuration recommendations. Windows Update is not sufficient for servers. It does not check some software for updates, nor does it check for vulnerabilities due to configuration mistakes.
  • Subscribe to Microsoft's Security Bulletin Mailing List and apply patches as soon as possible after they are announced and have been tested.
  • Cygwin users must also check for defect updates in Unix programs packaged with Cygwin or installed separately. For example, OpenSSH.
  • Review computer security Hot Topics page weekly for announcements of software defects or other issues that may affect you.
  • If you install non-Microsoft software, subscribe to vendor security bulletins or check their web site regularly for updates.

Linux and other Unix Systems

These systems often have server programs running after even a default desktop installation.

  • NEVER bring up a server on the network until all listening services have been stopped. Unpatched servers have been found and compromised in minutes by automated worms and scripts. Install the software while the machine is disconnected from the network, make sure all services started in the inetd.conf file, /etc/rc* files, or your vendor's equivalent have been disabled and stopped, connect to the network and download the patches, disconnect from the network, and apply patches.
  • Subscribe to vendor security bulletins and apply patches as soon as possible after they become available. See the list of various vendor security sites and notification services.
  • Review computer security Hot Topics page at least monthly for announcements of software defects or other issues that may affect you. Server operators should check the Hot Topics page weekly.
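The "stop everything before you connect" step above is easy to get wrong by hand. The following is an added example, not code from the WolfTech page: a small pre-connect audit that reports inetd.conf services still enabled and TCP ports still listening, and only reports the machine as safe to connect when both lists are empty. It reads its inputs as text, so the samples below are constructed; on a real host feed it /etc/inetd.conf and the output of `ss -Hltn` (or `netstat -ltn`).

```shell
#!/bin/sh
# Added example (not from the WolfTech page). Pre-connect audit:
# nothing should be enabled in inetd.conf and nothing should be
# listening before the machine is plugged in to fetch patches.

# Print service names from inetd.conf text on stdin:
# every line that is neither blank nor commented out is enabled.
enabled_inetd_services() {
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' | awk '{print $1}'
}

# Print listening TCP ports from `ss -Hltn`-style text on stdin.
# Column 4 is Local Address:Port; keep only the part after the last ':'
# so both 0.0.0.0:22 and [::]:22 yield 22.
listening_ports() {
    awk 'NF >= 4 {n = split($4, a, ":"); print a[n]}' | sort -n | uniq
}

# Verdict: exit 0 if nothing is enabled or listening, 1 otherwise.
# $1 = inetd.conf text, $2 = ss/netstat text
safe_to_connect() {
    svc=$(printf '%s\n' "$1" | enabled_inetd_services)
    ports=$(printf '%s\n' "$2" | listening_ports)
    [ -z "$svc" ] && [ -z "$ports" ]
}

# Constructed sample inputs (not captured from any real host):
# telnet and finger are commented out, ftp is still enabled,
# and sshd plus a web server are still listening.
SAMPLE_INETD='#telnet stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd
ftp     stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd
#finger stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd'
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 *:80 *:*'

echo "Enabled inetd services:"
printf '%s\n' "$SAMPLE_INETD" | enabled_inetd_services
echo "Listening TCP ports:"
printf '%s\n' "$SAMPLE_SS" | listening_ports
if safe_to_connect "$SAMPLE_INETD" "$SAMPLE_SS"; then
    echo "OK: nothing listening; safe to connect and download patches"
else
    echo "NOT SAFE: disable and stop the services above first"
fi
```

Run it again after disabling the services and stopping the daemons; it should then report OK before you connect the cable.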
Macintosh OS X

Macintosh OS X is based on Unix. Many Unix-related defects also affect Macintosh OS X.
Other Systems

  • Review computer security Hot Topics page at least monthly for announcements of software defects or other issues that may affect you.
  • Keep anti-virus software up to date.
  • If available, check your vendor's security site monthly for critical security updates.

The aforementioned sites include updates for the respective vendors' operating systems and software applications. If you're running software not written or distributed by those vendors, you'll need to visit the applicable software vendors' sites for the packages you're running, and do so on a regular basis. You can also monitor the Hot Topics! page and other vendor-specific sites where notices are posted of serious security defects and the need for new patches. For example, a defect allowing the possible compromise of a computer through the popular Adobe Acrobat reader was posted to the Hot Topics! page, but would not be found on the Microsoft or Linux web sites.

Antivirus tools are designed to detect code patterns or behavior known to be associated with hostile code. People seem to constantly create new hostile code so, like a flu vaccine, antiviral tools must also be updated in order to recognize the new code. If you have installed the campus provided Symantec anti-virus software or had it installed for you on your office computer by Desktop Services, it will automatically and continuously update itself once it is installed. Otherwise, you will need to update the software yourself.