[Dshield] MS Patching side-effects

David Taylor ltr at isc.upenn.edu
Thu Aug 18 18:40:20 GMT 2005

I think too many people put an emphasis on how to patch in time when more
thought should be put into preventing wide-open Internet access to these
vulnerable ports in the first place.

Most PCs/workstations shouldn't be acting as servers (accepting unsolicited
connections from other hosts).  IPsec (which is included with Windows 2000+)
can be used to block these incoming connections and gives you granular
control based on IP/subnet, hostname, from port/to port, etc.  Using IPsec
you can place a virtual IP/packet filter around all of your workstations,
which would block most of these attacks from hosts outside the network as
well as hosts from within the network.  If you couldn't get to all the hosts
in time to patch them, it wouldn't be that big of a deal.  You can also use
IPsec to mitigate the impact of buffer overflows on public services (such as
web servers) by adding rules that restrict the ports the operating system can
access.  A normal web server should receive traffic to port 80/443 and send
traffic from port 80/443, not from 65000 to 4444.  :)

I used this method at a previous network I managed and never worried about
worms.  0-day exploits and worms aren't as scary if you are set up right to
begin with.

Just my thoughts.  Don't panic on Black Tuesday, just close the doors.

David Taylor //Sr. Information Security Specialist
University of Pennsylvania Information Security 
Philadelphia PA USA
LTR at ISC.UPENN.EDU               (215) 898-1236

SANS - The Twenty Most Critical Internet Security Vulnerabilities 

SANS - Internet Storm Center
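
[Editor's added example, not part of David Taylor's post.]  The "virtual
packet filter" described above, built with the Windows IPsec policy engine
through the "netsh ipsec static" context (Windows XP SP2 / Server 2003 and
later; Windows 2000 needs the Resource Kit tool ipsecpol.exe, whose syntax
differs).  The policy names, the 10.1.0.0/16 admin subnet and the 10.1.0.53
resolver are placeholders chosen for this example.  It covers both cases in
the post: the workstation that should accept no unsolicited RPC/SMB
connections, and the web server that should talk on 80/443 and nothing else.

```bat
@echo off
REM Added example (editor's, not from the original post): David Taylor's
REM "virtual packet filter" built with "netsh ipsec static"
REM (Windows XP SP2 / Server 2003 and later; Windows 2000 needs ipsecpol.exe).
REM Policy names, the 10.1.0.0/16 admin subnet and the 10.1.0.53 resolver
REM are placeholders assumed for this example.
REM
REM Windows IPsec applies the MOST SPECIFIC matching filter (a specific address
REM beats a subnet beats "any"; then protocol; then port), so a catch-all block
REM plus narrower permit filters behaves like a default-deny packet filter.
REM Usage:  ipsec-lockdown.cmd workstation   or   ipsec-lockdown.cmd webserver

set ROLE=%1
if "%ROLE%"=="" set ROLE=workstation

REM ---- Filter actions shared by both policies --------------------------------
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add filteraction name="Block" action=block

REM ---- Exceptions every host needs. mirrored=yes (the default) makes one
REM      filter cover both directions, so the reply traffic is admitted too.
netsh ipsec static add filterlist name="Baseline"
netsh ipsec static add filter filterlist="Baseline" srcaddr=me dstaddr=10.1.0.53 protocol=UDP srcport=0 dstport=53 description="DNS to assumed resolver"
netsh ipsec static add filter filterlist="Baseline" srcaddr=10.1.0.0 srcmask=255.255.0.0 dstaddr=me protocol=ANY description="Management from assumed admin subnet"

if /i "%ROLE%"=="webserver" goto webserver

REM ---- Workstation: refuse unsolicited connections to the Windows server ports
REM Workstations are clients, so a mirrored block on ALL inbound traffic would
REM also drop the replies to their own connections. Only the listening ports the
REM RPC/SMB worms hit are closed. The mirror of any->me:445 is me:445->any, which
REM leaves the workstation's own me:ephemeral->fileserver:445 sessions alone.
netsh ipsec static add policy name="Workstation Lockdown" description="No unsolicited inbound RPC/SMB"
netsh ipsec static add filterlist name="Inbound RPC and SMB"
for %%P in (135 139 445) do netsh ipsec static add filter filterlist="Inbound RPC and SMB" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=%%P
for %%P in (137 138) do netsh ipsec static add filter filterlist="Inbound RPC and SMB" srcaddr=any dstaddr=me protocol=UDP srcport=0 dstport=%%P
netsh ipsec static add rule name="Block RPC/SMB" policy="Workstation Lockdown" filterlist="Inbound RPC and SMB" filteraction="Block"
REM The admin-subnet filter names a specific subnet, so it outranks the
REM any-address block above and administrators keep SMB/RPC access.
netsh ipsec static add rule name="Admin access" policy="Workstation Lockdown" filterlist="Baseline" filteraction="Permit"
netsh ipsec static set policy name="Workstation Lockdown" assign=y
goto verify

:webserver
REM ---- Web server: default deny, then only 80/443 in (and their replies out)
REM The catch-all any<->me block is what stops a compromised web process from
REM connecting back out from an ephemeral port to an attacker's listener
REM (the "65000 to 4444" case). Add filters for patch servers, domain
REM controllers and the like before assigning this on a real host.
netsh ipsec static add policy name="Web Server Lockdown" description="Only HTTP/HTTPS in; nothing else"
netsh ipsec static add filterlist name="All Traffic"
netsh ipsec static add filter filterlist="All Traffic" srcaddr=any dstaddr=me protocol=ANY
netsh ipsec static add filterlist name="HTTP and HTTPS"
for %%P in (80 443) do netsh ipsec static add filter filterlist="HTTP and HTTPS" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=%%P
netsh ipsec static add rule name="Default deny" policy="Web Server Lockdown" filterlist="All Traffic" filteraction="Block"
netsh ipsec static add rule name="Allow web" policy="Web Server Lockdown" filterlist="HTTP and HTTPS" filteraction="Permit"
netsh ipsec static add rule name="Baseline" policy="Web Server Lockdown" filterlist="Baseline" filteraction="Permit"
netsh ipsec static set policy name="Web Server Lockdown" assign=y

:verify
REM Only one local IPsec policy can be assigned at a time; confirm what is active.
netsh ipsec static show all
```

Two caveats worth keeping in mind with this approach.  First, IPsec filters
are static, not stateful: the mirrored DNS permit admits any UDP datagram
from the resolver's port 53, not just answers to queries this host sent, so
keep the exceptions as narrow as the address and port fields allow.  Second,
a script like this configures one machine; for the "all of your
workstations" case in the post, the same policy is built once in Active
Directory and assigned through Group Policy, after testing it on a host you
can still reach from the admin subnet if a filter turns out to be wrong.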

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of John B. Holmblad
Sent: Thursday, August 18, 2005 12:39 PM
To: General DShield Discussion List
Subject: Re: [Dshield] MS Patching side-effects


Your experience makes it clear that, in this instance, those experts 
who like to criticize sysadmins for not patching soon enough are somewhat 
off base.  It sounds like you have had a "damned if you do, damned if 
you don't" kind of day! 

I have seen references on this list that the "vulnerability announcement 
to exploit code in the wild" interval was somewhere between 4 and 7 days 
in the case of MS05-039.  How many large organizations with thousands of 
desktops can get the job done in 4 days, especially when it is a desktop 
as well as server exploit, and especially if there are business-critical 
custom apps that might get broken by the fix?

Best Regards,

John Holmblad

Televerage International

(H) 703 620 0672
(M) 703 407 2278
(F) 703 620 5388

primary email address:     jholmblad at aol.com
backup email address:      jholmblad at verizon.net
