by Bharat Mistry
The recent public dispute over vulnerability disclosure between Google and Microsoft threatened for a few weeks to catapult the humdrum topic of patch management into mainstream discourse. And while Google seems to have defused the tension somewhat by agreeing to add a fortnight’s “grace period” onto its 90-day disclosure time frame, huge challenges remain. But most of the conversation thus far has been focused on whether the vendors are being given enough, or too much, time to patch flaws. We should more properly be asking: “What about their customers?”
Today’s system administrators are under unprecedented pressure to keep mission-critical systems up to date. Vendors like Microsoft might be paying more attention to their code these days, but so are the bad guys, which means more exploits are being made public than ever before. Add to this the gung-ho approach of Microsoft’s Project Zero team, and you get a perfect storm: a never-ceasing deluge of new patches to be applied. The number of reported Microsoft flaws nearly doubled in 2014, for example.
Part of the problem is that each vendor has a different system for customers to install security fixes. According to vulnerability management firm Secunia, of the 74 separate programs installed on the average UK PC, over half (59%) are from non-Microsoft vendors – which means managers have to master 25 different update mechanisms.
Yet it’s more important than ever to make sure systems are patched as soon as possible. The SANS Institute was forced to issue an alert in December after it discovered the infamous Shellshock flaw was still being exploited on network-attached storage (NAS) boxes from QNAP, despite the release of a patch for the issue in October. SANS dean of research Johannes Ullrich said at the time that “applying the patch is not automatic and far from trivial for many users.”
This gets to the heart of the matter. Administrators must have policies in place to prioritise threats to systems and data, and the means to apply patches as soon as they become available. But it’s not quite that simple. Microsoft has lately been issuing an increasing number of dud fixes. The most recent were three issued in February’s Patch Tuesday, including one which effectively broke PowerPoint. Testing by sysadmins is therefore vital to ensure patches do not cause more harm than good.
Here are a few more tips on patch management best practice:
- Audit all of your software and systems, including versions, IP addresses, location, etc.
- Do the same for your security controls. This will help when you come to draw up a patch management policy.
- Consult the business when creating this policy, so that risk assessments on systems are made in line with business objectives.
- Assess any incoming patches according to the policy.
- Consider third-party testing software if you don’t have a test environment that accurately mirrors production for trialling patches.