November 19, 2002 12:01 PM PST
Study: System admins slow to zap bugs
In fact, even after the Slapper worm highlighted the existence of a vulnerability in the Web security software known as OpenSSL, three out of 10 systems that had the flaw continue to be vulnerable even today, said Eric Rescorla, an independent security consultant.
"Administrators aren't as responsive as they should be," he said. "Even after a relatively serious hole is found, administrators don't do the right things."
Over the past three years, software makers have been forced by their customers to be more responsive to security vulnerabilities in their products. The U.S. government has gotten into the act as well, with Richard Clarke, presidential adviser on cybersecurity, making repeated calls for companies to shore up holes in the servers for which they are responsible.
However, system administrators--many of them overworked--haven't taken the message to heart, according to Rescorla's research. The research studied the response to the release of information in July relating to a flaw in OpenSSL, a commonly used open-source program to secure data going between Web servers and browsers using channels encrypted with the secure sockets layer (SSL).
Tipped off to the coming
"I had a couple people complain (about my scanning), but remarkably few," he said. "The two people that sent me mail asked me not to continue."
About 40 percent of administrators patched their systems in the seven weeks between the public announcement of a flaw and the release of the Slapper worm. Another 30 percent apparently patched the software after the Slapper worm started infecting SSL servers in September.
"It's not just that some people are lazy, but also that many people appear to wait until they feel vulnerable (i.e., an exploit is released) before they apply fixes," he said. "This seems to be a distinct population from those who are just lazy and don't do anything at all."
The system administrators who manage the remaining third of the servers scanned by Rescorla fall into that last category, he said.
The low rate at which system administrators patch their servers has been a problem for a long time. Software makers, such as Microsoft and Symantec, and most Linux companies have created services to help system administrators keep up with patches.
Much of the problem should be laid at the feet of management, said system administrator Scott Hoffman.
"Many smaller firms don't have a full-time administrator, (which is) a management decision," he wrote in an e-mail to CNET News.com. "In other firms, administrators may be given specific tasks or deadlines that don't allow (them) time for applying the numerous patches that are issued or, as Microsoft patches are (in)famous for, rebooting key servers."
Moreover, as systems become easier to install and with consumers now connected to the Internet over broadband lines, responsibility for server maintenance may be turned over to people who don't always know enough to keep abreast of security issues.
"I'd call that (an) administration vacuum, not laziness," Hoffman said.
Those who did patch tended to be working at hosting service providers, said Rescorla. "The big hosting companies are good about patching, which isn't surprising because they maintain a security staff," he said.
The security consultant also found that people who keep their systems up-to-date--that is, running the latest version of software--tended to patch more frequently.
"There is some evidence that the class of people that upgrade in the first round (before a worm is released) differ from those that upgrade in the second phase," he said.
Several reasons could explain the late-patching behavior, he added. System administrators may be wary of patches that could break their systems, so they wait until a threat appears that requires the patch be installed. Also, administrators may think that it's not necessary to patch until a real threat, such as a worm or a mass hack, seems imminent.
"That's a pretty dangerous strategy, because the 'black hat' community tends to have the exploit way before the administrator knows about it," he said. He pointed to the fact that the OpenSSL flaw was discovered after a network administrator found someone attacking their machine with the exploit.
Finally, he added, some administrators don't patch because they're just too lazy.