Customers are judging the top vendors as much on how they respond to vulnerabilities as whether the vulnerabilities exist.

Larry Greenemeier, Contributor

August 11, 2006

6 Min Read

Microsoft last week had its worst Patch Tuesday yet in terms of critical bugs, while Cisco Systems has been hit by a wave of vulnerabilities, including a surprise revelation during the recent Black Hat conference--how's that for déjà vu? The situation highlights just how difficult it remains to secure their widely used products. And it calls attention, once again, to differences in how the vendors respond when trouble surfaces.

Microsoft's Patch Tuesday included disclosure of 16 critical bugs--a record for the company--out of a total of 23. The worst, MS06-040, is a vulnerability in the Server service of Windows 2000, Server 2003, and XP that lets a remote attacker trigger a buffer overflow and take complete control of a system. The attacker could then install programs; view, change, or delete data; and even create new accounts with full user rights. Homeland Security's U.S. Computer Emergency Readiness Team issued a rare alert recommending that companies patch MS06-040 immediately, since attackers were already exploiting it.

Cisco spent last week reacting to an apparent weakness in its PIX firewall security appliance. At this month's Black Hat USA IT security conference, Freenet Cityline developer Hendrik Scholz dropped a bomb during a presentation on the Session Initiation Protocol: a technique that exploits an unpatched flaw in PIX to let an attacker bypass the firewall. Scholz says he discovered it while working on a voice-over-IP problem. Caught flat-footed, Cisco is now investigating the problem. (At Black Hat USA last year, security researcher Michael Lynn's controversial presentation proved attackers could take over routers and switches running Cisco's Internetworking Operating System.)


Scholz's discovery follows six security advisories published by Cisco in the past two months, plus several other vulnerabilities reported by independent security researchers. Affected products include Cisco Security Monitoring, Analysis, and Response System appliances; CallManager; and Access Point Web interface. All the flaws in these products were assigned the highest level of severity by Symantec.

Cisco could do a better job of proactively alerting customers to security problems for all of its technologies, says Stan Turner, director of IT infrastructure for Laidlaw Transit Services. Turner gets E-mail alerts about IPS signature updates but says Cisco "should have some procedure where they send you alerts about all the products you've bought."

Cisco and Microsoft customers, and the security researchers who work on their products, realize there's no way to write bulletproof software. Instead, their test is how swiftly and decisively vendors react with patches and strategies for preventing vulnerabilities from being exploited.

"Vendor response may become the most important way to protect customers," says Herbert Thompson, an adjunct computer science professor at the Florida Institute of Technology and chief security strategist for Security Innovation. But most vendors provide little guidance as to how important a given patch is to a customer's IT environment. "With the number of patches issued every month, [customers] need to know if it's worth their time to actually install a given patch," Thompson says.

Different Approaches

Cisco and Microsoft have strikingly different approaches to managing vulnerabilities. Microsoft's monthly Patch Tuesday works for Windows, which can install a patch while a PC is in use. Cisco's ability to issue regular patches is limited by the monolithic design of Cisco IOS: fixing a flaw means loading a whole new software image, which requires taking the device offline and rebooting it.

Because of that complexity, Cisco says, issuing patches for every vulnerability doesn't make sense--instead it often offers customers free software features that let them work around a problem. In response to a flaw found in July in the Internet Key Exchange protocol that Cisco's VPN 3000 Series concentrators use to set up remote IPsec VPN access, Cisco recommended that customers protect themselves by implementing Call Admission Control for IKE, which caps the number of simultaneous IKE connections a router will accept so that a flood of new negotiations can't exhaust it.
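As an added illustration of that workaround (not configuration from the article or from Cisco's own advisory), the following shows what Call Admission Control for IKE looks like on a Cisco IOS router. It assumes an IOS router that terminates IPsec VPNs and runs a release that includes the IKE CAC commands; the numeric limits are example values chosen for illustration, not Cisco recommendations, and the commands are IOS configuration, so they apply to IOS endpoints rather than to the VPN 3000 concentrator itself, which runs its own software.

```text
! Added example, not from the article or Cisco. Assumes a Cisco IOS router
! terminating IPsec; the limits below are illustrative values.
!
! Cap the total number of IKE security associations the router will hold.
! Once the limit is reached, new IKE requests are rejected instead of
! consuming memory and CPU until the box falls over.
crypto call admission limit ike sa 500
!
! Separately cap IKE SAs that are still in negotiation (available in later
! IOS releases). Half-open negotiations are what an IKE flood leaves behind
! and are the attacker's cheapest resource to burn, so this limit is set far
! lower than the total-SA limit.
crypto call admission limit ike in-negotiation-sa 50
!
! Confirm the limits took effect and watch the reject counters climb during
! an attack, which also tells you whether the limits are set too low for
! legitimate peers:
!   show crypto call admission statistics
```

The trade-off a practitioner should weigh: a limit low enough to blunt a flood is also low enough to refuse legitimate remote users during a morning login surge, so the counters from the show command belong in routine monitoring, not just incident response.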

The most recent crop of Cisco vulnerabilities is "pretty standard stuff," says George Roettger, Internet security specialist at NetLink Services and a Cisco customer. More troubling is the number of vulnerabilities found in Cisco security products, such as the PIX firewall, CS-MARS, and IPS. Says Roettger, "If any product should have been designed for security from the ground up, shouldn't these products represent the best of the best?"

Cisco's general approach is to keep mum unless it has an answer. "Customers don't want to know about a vulnerability just for the sake of knowing," a Cisco spokesman says. "They want to know when they can do something about it."

Summer Blues
Cisco in July issued vulnerability alerts for three products:

>> CS-MARS: Could allow unauthorized access

>> CISCO IPS 5.1: Denial-of-service attacks could stop packet processing and security alerts

>> UNIFIED CALL MANAGER 5.0: A logged-in admin could gain root access privileges and execute code, overwrite files, and launch denial-of-service attacks

Yet just the breadth of Cisco's product portfolio could leave customers feeling insecure. "I don't condone their approach to keeping security-related information bottled up, but they have so many different software versions that run on so many different platforms," says Greg Shipley, CTO of security consulting firm Neohapsis.

The differences between Cisco's and Microsoft's approaches are likely to dwindle over time. A year ago, Cisco started development on modular versions of IOS that would allow it to be patched without a major disruption. Cisco already ships a modular operating system, IOS XR, on the carrier-class routers it sells to service providers, and its Catalyst 6500 switch can be patched without being taken offline. This migration will take years before it covers the majority of Cisco's products. At that point, Cisco plans to determine whether customers want a more regular patching schedule, the spokesman says.

Given the impossibility of impenetrable code, customers should focus on how their vendors react as problems arise. Microsoft showed up at Black Hat in force, even running a series of security sessions on its upcoming Windows Vista, just to get a feel for the threats it will face when the operating system is released next year. Responding to a demonstration of a potential vulnerability in Vista, Austin Wilson, Microsoft's director of Windows product management, said, "This is exactly why we're here." It's a go-on-the-offensive approach, and one Cisco would be wise to adopt.
