News

Faster IT Deployment Plan Needed for Microsoft Zero-Day Flaw Patches

IT should incorporate a different, faster procedure when applying critical zero-day vulnerability fixes.

This week saw a huge Microsoft Patch Tuesday, with the company releasing 14 patches, including four that fixed critical vulnerabilities. Sometimes those critical vulnerabilities can involve zero-days, which are vulnerabilities that are already being used in attacks before the vendor releases patches. The more usual order is that attackers develop exploits after a vendor issues a patch.

"With Microsoft Patch Tuesday, we see most people strive for 90 percent of their security patches applied within a week and a half. For zero days, it's a totally different story," says Rob Juncker, vice president of engineering at LANDesk Software. Juncker came to LANDesk via that company's acquisition of VMware's Shavlik unit.

According to Juncker, organizations need a separate, accelerated process to update systems threatened by zero-day vulnerabilities than they use for regular vulnerability patches.

"As soon as we release [a zero-day] patch, someone will pick up that patch, test it the next day and do some basic surface testing. After that's done they start pushing it out to critical systems, with awareness of how you would handle breakage.  They take a little more risk on the upgrade with that testing," says Juncker. But he says that risk is balanced by the fact that attackers are already exploiting the vulnerability.

In the October Patch Tuesday, Microsoft patched three zero-day vulnerabilities. This month's patch collection was less severe, with just one zero-day, and even that one was somewhat loaded with caveats.

"The most important bulletin MS14-064 addresses a current zero-day vulnerability -- CVE-2014-6352 in the Windows OLE packager for Vista and newer OS versions," wrote Qualys CTO Wolfgang Kandek in a commentary about the November Patch Tuesday. "Attackers have been abusing the vulnerability to gain code execution by sending Powerpoint files to their targets. Microsoft had previously acknowledged the vulnerability in security advisory KB3010060 and offered a work-around using EMET and a temporary patch in the form of a FixIt. This is the final fix for OLE Packager (Microsoft had patched the same software in October already with MS14-060) that should address all known exploit vectors."

Juncker cautions that organizations need to be aware of how many more zero-day vulnerabilities are being discovered these days than in the recent past. He also warns against the outdated idea that Microsoft's systems are the most vulnerable, and therefor that keeping up with Microsoft patches equates with being generally up to date.

"I think a lot of us focus on Microsoft products," Juncker says. "That's where a lot of the exploits used to be. Now they lead out with Java, they lead out with Adobe. The operating system isn't enough anymore. Make sure that you have a patch process that emphasizes not just servers, but make sure you get the endpoints."

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Featured

  • Basic Authentication Extended to 2H 2021 for Exchange Online Users

    Microsoft is now planning to disable Basic Authentication use with its Exchange Online service sometime in the "second half of 2021," according to a Friday announcement.

  • Microsoft Offers Endpoint Configuration Manager Advice for Keeping Remote Clients Patched

    Microsoft this week offered advice for organizations using Microsoft Endpoint Configuration Manager with remote Windows systems that need to get patched, and it also announced Update 2002.

  • Azure Edge Zones Hit Preview

    Azure Edge Zones, a new edge computing technology from Microsoft designed to enable new scenarios for developers and partners, emerged as a preview release this week.

  • Microsoft Shifts 2020 Events To Be Online Only

    Microsoft is shifting its big events this year to be online only, including Ignite 2020.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.