III. Exploitation on Patch Management

/* The following article is extracted from the "Information Security Newsletter" published by the JUCC IS Task Force. */ 

Although patches aim to mitigate the risks caused by information system's vulnerabilities, they may expose these systems to additional channels of attack and even be manipulated by hackers to become the carrier of malware. Universities should pay attention to the following vulnerabilities relevant to patch management.
Major Vulnerabilities in Patch Management
1. Fake Security Patch Alert
This exploitation is a kind of social engineering, where the hacker exploits vendor's routine of releasing patches and sends out fake security e-mails bent on infecting their targets with virus, worm, Trojan or any other malware.
Vendors with large user population are more likely to attract such kind of malicious activities. A recently reported incident reveals a malicious program named "KB453396-ENU.exe" attached to a fake Microsoft Tuesday Security Update on 4 January 2011. Another rogue website was reported to pop up a fake "Windows Security Centre" and fraudulently claims to find many non-existent malware on the victims' systems. If the user clicks on the popup window, the website starts to download a scareware in the background.

2. Malicious Insider

IT staff responsible for applying patches to production possess privileged system access, especially such patches are for the underlying infrastructure including operating system, database, network or even BIOS. Any malicious activities done by people like them will have devastating impact on universities' IT environment.

In addition, without proper testing before production deployment, IT staffs responsible for downloading patches also have the means to alter or sabotage the information systems by providing fake patch files to the deployment team.

3. Reverse Engineering

Most major attacks tend to occur in the hours immediately following the release of a security patch, as those are the moments when IT department will be detecting, acquiring, testing and deploying the patch, therefore the system will be in a particularly vulnerable state. The common method used by attackers, upon immediate release of a security patch, is for them to reverse engineer the patch in as little time as possible, identify the vulnerability and subsequently develop and release exploit code, thus hitting information systems at their weakest moments.