Faster IT Deployment Plan Needed for Microsoft Zero-Day Flaw Patches

IT should incorporate a different, faster procedure when applying critical zero-day vulnerability fixes.

This week saw a huge Microsoft Patch Tuesday, with the company releasing 14 patches, including four that fixed critical vulnerabilities. Sometimes those critical vulnerabilities can involve zero-days, which are vulnerabilities that are already being used in attacks before the vendor releases patches. The more usual order is that attackers develop exploits after a vendor issues a patch.

"With Microsoft Patch Tuesday, we see most people strive for 90 percent of their security patches applied within a week and a half. For zero days, it's a totally different story," says Rob Juncker, vice president of engineering at LANDesk Software. Juncker came to LANDesk via that company's acquisition of VMware's Shavlik unit.

According to Juncker, organizations need a separate, accelerated process for updating systems threatened by zero-day vulnerabilities, distinct from the one they use for regular vulnerability patches.

"As soon as we release [a zero-day] patch, someone will pick up that patch, test it the next day and do some basic surface testing. After that's done they start pushing it out to critical systems, with awareness of how you would handle breakage. They take a little more risk on the upgrade with that testing," says Juncker. But he says that risk is balanced by the fact that attackers are already exploiting the vulnerability.
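The two-track process Juncker describes (a regular track aiming at 90 percent coverage in about a week and a half, and a compressed track for patches that are already being exploited) can be expressed as a small scheduling policy. The following is an added illustration, not code from the article or from LANDesk; the ring names, day offsets, release date and the placeholder bulletin IDs are assumptions, while MS14-064 and CVE-2014-6352 are the zero-day named in the article.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Day offsets from release for each rollout ring. The regular target
# (90 percent within roughly ten days) follows the article; the zero-day
# ring offsets (test next day, then critical systems) follow Juncker's
# description. Exact numbers are assumptions for this example.
REGULAR_TRACK = {"test": 3, "pilot": 7, "broad": 10}
ZERO_DAY_TRACK = {"test": 1, "critical_systems": 2, "broad": 4}

@dataclass
class Bulletin:
    bulletin_id: str
    cves: list
    severity: str
    exploited_in_wild: bool   # true when the vendor reports active attacks
    released: date

def select_track(b: Bulletin) -> dict:
    """Exploited-in-the-wild bulletins leave the regular cadence."""
    return ZERO_DAY_TRACK if b.exploited_in_wild else REGULAR_TRACK

def rollout_schedule(b: Bulletin) -> dict:
    """Map each rollout ring to its deadline for one bulletin."""
    return {ring: b.released + timedelta(days=off)
            for ring, off in select_track(b).items()}

def prioritize(bulletins: list) -> list:
    """Order work: active exploitation first, then severity, then ID."""
    rank = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}
    return sorted(bulletins, key=lambda b: (not b.exploited_in_wild,
                                            rank.get(b.severity, 9),
                                            b.bulletin_id))

def coverage_met(deployed_hosts: int, total_hosts: int,
                 threshold: float = 0.9) -> bool:
    """The article's 90 percent target, checked against inventory counts."""
    return total_hosts > 0 and deployed_hosts / total_hosts >= threshold

# Constructed sample release. MS14-064 / CVE-2014-6352 come from the
# article; the other IDs are placeholders, and the date is assumed.
NOVEMBER_2014 = [
    Bulletin("MS14-0XX", ["CVE-2014-XXXX"], "Critical", False, date(2014, 11, 11)),
    Bulletin("MS14-064", ["CVE-2014-6352"], "Critical", True, date(2014, 11, 11)),
    Bulletin("MS14-0YY", ["CVE-2014-YYYY"], "Important", False, date(2014, 11, 11)),
]

if __name__ == "__main__":
    for b in prioritize(NOVEMBER_2014):
        print(b.bulletin_id, {r: d.isoformat() for r, d in rollout_schedule(b).items()})
```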

In the October Patch Tuesday, Microsoft patched three zero-day vulnerabilities. This month's patch collection was less severe, with just one zero-day, and even that one was somewhat loaded with caveats.

"The most important bulletin MS14-064 addresses a current zero-day vulnerability -- CVE-2014-6352 in the Windows OLE packager for Vista and newer OS versions," wrote Qualys CTO Wolfgang Kandek in a commentary about the November Patch Tuesday. "Attackers have been abusing the vulnerability to gain code execution by sending Powerpoint files to their targets. Microsoft had previously acknowledged the vulnerability in security advisory KB3010060 and offered a work-around using EMET and a temporary patch in the form of a FixIt. This is the final fix for OLE Packager (Microsoft had patched the same software in October already with MS14-060) that should address all known exploit vectors."

Juncker cautions that organizations need to be aware of how many more zero-day vulnerabilities are being discovered these days than in the recent past. He also warns against the outdated idea that Microsoft's systems are the most vulnerable, and therefore that keeping up with Microsoft patches equates with being generally up to date.

"I think a lot of us focus on Microsoft products," Juncker says. "That's where a lot of the exploits used to be. Now they lead out with Java, they lead out with Adobe. The operating system isn't enough anymore. Make sure that you have a patch process that emphasizes not just servers, but make sure you get the endpoints."

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
