Application Security
8/21/2013
08:02 AM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Microsoft Patch Problems Underline Trade-Offs For Securing Systems

As the software giant works to fix the shortcomings in its latest set of patches, security experts debate whether 'trust the patch' is still the best course

For many companies used to problem-free patching, August's Black Tuesday -- the second Tuesday of the month when Microsoft releases its latest security fixes -- stands as a reminder that software systems are complex and patching software can lead to problems.

Last week, Microsoft warned that three of the Patch Tuesday software updates -- closing four security issues in its Exchange Server, one in the Windows kernel, and another in Active Directory -- caused problems for some of its customers. Companies that applied patches immediately may have lost the ability to search e-mail, had random crashes on Windows, or found that Active Directory's federation services stopped working.

Corporate IT departments could become a bit gun-shy and stop applying patches as quickly as possible, says Wolfgang Kandek, chief technology officer for cloud-security firm Qualys.

"Each time this happens, it is really bad for the cause because we always tell people to patch as quickly as possible, and these things are real setbacks," he says, noting that Microsoft has spent hundreds of millions of dollars on software security and does extensive regression testing of its updates. "Unfortunately, it happens."

On Tuesday, Microsoft rereleased the Exchange update, which had broken the content index used for searching for mail on the server, while the problems with the kernel and Active Directory remain. The company is still researching those issues, according to a Microsoft spokesperson.

"In some cases the programs may not successfully start," Microsoft wrote in an update to the kernel issue. "We are also aware of limited reports that certain users may encounter difficulties restarting their computers after applying this security update.  Microsoft is researching this problem and will post more information in this article when the information becomes available."

The common security advice for companies is to apply software patches as quickly as possible, yet to roll them out in stages so as to catch any show-stopping defects before they scuttle the entire business. That advice remains unchanged following Microsoft's bad patches, says Ollie Whitehouse, associate director of the NCC Group, an information security services firm.

"We would argue the risk faced by an organization by not patching security issues due concerns over patch quality will become much larger very quickly when compared to the risk of service disruption or long-term impact from a bad software patch," he says.

Yet others believe that the common advice may have become outdated. Increasingly, software complexity has made the interactions between patches more difficult to predict, leading to problems with the software updates, says Amichai Shulman, chief technology officer with Imperva, an application-security firm.

"I don't think this is a blip on the radar," he says. "The continued investment in code security is not paying off, and the patching process is starting to become very difficult."

[Companies should expect safer software as more companies adopt bug bounty programs and studies prove their effectiveness. See Better Bug Bounties Mean Safer Software, More Research Demand.]

Virtual patching, where a software system attempts to detect and eliminate exploits for particular vulnerabilities, has been used as a stop-gap measure, protecting corporate systems until a patch can be applied. In the future, more companies will rely on virtual patching to make the update process less critical, allowing companies to delay fixing security holes for much longer periods of time, he says.

"This is the reality of a complex software world," Shulman says.

Microsoft supports virtual patching through its Microsoft Active Protections Program, in which the company shares information on vulnerabilities with security providers before the final patch is released. The information-sharing program allows the provider to have detections for vulnerabilities and exploits in place right when a patch is released.

Other software vendors need to support such information sharing, says John Pirc, an analyst with NSS Labs, a security consultancy. While Pirc also advises companies to patch as soon as possible, despite the occasional problems with software updates, he urges software developers to allow security companies to provide the best protection possible.

"People need to trust the vendors and need to deploy patches," he says. "But making sure that the security products in place are protecting their customers should also be a priority."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-5704
Published: 2014-04-15
The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as such."

CVE-2013-5705
Published: 2014-04-15
apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to bypass rules by using chunked transfer coding with a capitalized Chunked value in the Transfer-Encoding HTTP header.

CVE-2014-0341
Published: 2014-04-15
Multiple cross-site scripting (XSS) vulnerabilities in PivotX before 2.3.9 allow remote authenticated users to inject arbitrary web script or HTML via the title field to (1) templates_internal/pages.tpl, (2) templates_internal/home.tpl, or (3) templates_internal/entries.tpl; (4) an event field to ob...

CVE-2014-0342
Published: 2014-04-15
Multiple unrestricted file upload vulnerabilities in fileupload.php in PivotX before 2.3.9 allow remote authenticated users to execute arbitrary PHP code by uploading a file with a (1) .php or (2) .php# extension, and then accessing it via unspecified vectors.

CVE-2014-0348
Published: 2014-04-15
The Artiva Agency Single Sign-On (SSO) implementation in Artiva Workstation 1.3.x before 1.3.9, Artiva Rm 3.1 MR7, Artiva Healthcare 5.2 MR5, and Artiva Architect 3.2 MR5, when the domain-name option is enabled, allows remote attackers to login to arbitrary domain accounts by using the corresponding...

Best of the Web