"Patch on Demand" Saves Even More Time?
Author
Abstract
In the June 2004 Security column ("A Patch in Nine Saves Time?" pp. 82-83), Bill Arbaugh makes two interesting observations: first, whoever has the tightest observe-orient-decide-act (OODA) loop will prevail in a confrontation; second, the infection rates of recent worms suggest that the good guys are losing the battle. Arbaugh offers some sensible suggestions to vendors and security professionals on improving patch management.

However, the best indication that we are losing the battle is not the infection rates of worms such as Slammer and Blaster, but the shrinking interval between discovering and announcing a new vulnerability and the appearance of a worm or attack that exploits it. The most recent example is the Witty worm, which effectively exploited a vulnerability present in a small population of hosts—approximately 12,000 computers. Although it was first discovered on 8 March 2004, the vendor didn't announce the vulnerability until 18 March, after it had made a patch available. A little over a day after the announcement, Witty made its first appearance. Given such a short turnaround time, we can reasonably expect to soon experience a zero-day worm.

Zero-day attacks are those for which users receive no prior warning and thus have no preventive measures in place. To date, a combination of aggressive packet filtering and proactive application patching could—at least in principle—defeat all the worms we have encountered. Although we could, in theory, deploy patches and network filters automatically, the practicality of employing such measures and their effect on regular system operation are an entirely different story.

Witty came close to being a zero-day worm; for most organizations, it was. Few system administrators had even seen the announcement before the attack, much less downloaded and installed the necessary software patch. Furthermore, as Arbaugh ("Windows of Vulnerability: A Case Study of Analysis," Computer, Dec. 2000, pp. 52-59) and others such as Eric Rescorla ("Security Holes … Who Cares?" Proc. 12th Usenix Security Symp., Usenix, 2003, pp. 75-90) have noted, many administrators find it impractical, if not otherwise unacceptable, to patch or upgrade their systems when a vulnerability is announced. Instead, they wait for news of an actual exploitation. In many cases, this is simply too late.

What to do then? One new idea is to integrate the vulnerability discovery, patch generation, and patch application cycles into a system that would automatically detect a new attack, analyze its modus …
Journal title:
- IEEE Computer
Volume 37, Issue
Pages -
Publication date 2004