Security Watch

Security Comes in Patches

IT pros have some complex reasons for rolling out patches, but one thing is for sure: Threats always loom, so do it sooner rather than later.

• By Jabulani Leffall
• 12/08/2008

As reports with varying perspectives and conclusions on patches released this week indicate, it's better to have patches and not need them than the other way around. That said, many still agree that enterprise security programs should be more comprehensive and that patches aren't the end-all-be-all.

Russ Cooper, security analyst with Verizon Business and contributor to MCPmag.com, points out in this blog post from June, "Patching is seen far too often as the solution rather than as a solution."

Luckily though, creating a secure processing environment is more often than not about asking the right questions beforehand -- such how to react to patch rollouts, how pervasive threats are and where the most threats can be found -- instead of coming up with answers on the fly during a knee-jerk reaction to a security threat.

How do IT pros respond to patch bulletins?
IT security firm Qualys tracked the evolution of vulnerabilities to see how Microsoft customers apply patches. As an example, they tracked the response and installation patterns to see if IT pros and users paid any special attention to the highly critical, out-of-band vulnerability released in October, MS08-067.

Did users and IT pros respond quickly and enmasse to this patch?
"Unfortunately, no," said Wolfgang Kandek, chief technology of Qualys in an e-mail note to MCPmag.com. "Part of the reason is because the emergency patch (MS08-67) didn't show erratic reductions in occurrences of vulnerabilities and it appears customers were patching at a normal rate."

The normal rate, security experts explain, is usually a two-week to four-month window depending on immediate needs. The question here is, is it enough to hope hackers don't exploit that gap between patching?

Is malware becoming impervious to patching?
Some attacks these days, especially those using automated and coded exploits, such as bots and malware, are able to get around patch systems based on user indiscretion or carelessness, a report this week found. Trend Micro Inc. researchers said the majority of incursions among the top 100 classes of malware this year stemmed from the fact that client-side users got caught surfing on malicious sites and clicking on malicious links on browsers such as Internet Explorer or downloading non-pertinent files or applications apps that led to the infection of 53 percent of the users tracked between Jan. 1 and Nov. 25. Also 12 percent of the infections tracked globally came as the result of users opening e-mail attachments.

The kicker is that according to Trend Micro's findings, just 5 percent of the infections were related to an exploit of a software vulnerability, especially one that was reported beforehand and patched. This is an indication that many hackers may be counting more on aspects of human curiosity than writing firewall-breaking programs or unlocking encryption protections.

Many if not most Windows-based patches are client-side fixes that focus on user behavior, but they often touch on a variety of products and services during any given patch cycle. So, that leaves the decision when and if to patch in the hands of IT pros.

When should one patch?
Despite the downtime that a full install can create through restarts the answer to this question is "all the time." Danish security vendor Secunia released annual numbers this week on how many PCs are running insecure software. The startling answer to that question is 98.09 percent of tracked workstations, a 2.5 increase from last year's numbers. Secunia used a wide sweeping criterion in assessing what makes a computer unprotected: It counts software as insecure when the vendor has released a patch or a new version that a PC does not yet have. Better safe than sorry.

Where does one find threats?
Protecting a system from a threat often begins with indentifying from whence the malicious activities emanate. Michael Jackson might have found the Middle Eastern Kingdom of Bahrain as a safe haven from the paparazzi, but as to the question of whether it's safe from infected software -- not so much. Microsoft's Europe, Middle East and Africa Chief Security Advisor Roger Halbheer said the Persian Gulf island nation is one of world's most-infected countries when it comes to malware and potentially unwanted software. With remote servers in places such as this as well as Eastern Europe sending out bugs via Web browsers, this is definitely a reason to patch everything. Because while patching may only plug the dam for a time, at least it works to prevent a flood.