
Microsoft Patch Problems Underline Trade-Offs For Securing Systems

As the software giant works to fix the shortcomings in its latest set of patches, security experts debate whether 'trust the patch' is still the best course

For many companies used to problem-free patching, August's Black Tuesday -- the second Tuesday of the month when Microsoft releases its latest security fixes -- stands as a reminder that software systems are complex and patching software can lead to problems.

Last week, Microsoft warned that three of the Patch Tuesday software updates -- closing four security issues in its Exchange Server, one in the Windows kernel, and another in Active Directory -- caused problems for some of its customers. Companies that applied patches immediately may have lost the ability to search e-mail, had random crashes on Windows, or found that Active Directory's federation services stopped working.

Corporate IT departments could become a bit gun-shy and stop applying patches as quickly as possible, says Wolfgang Kandek, chief technology officer for cloud-security firm Qualys.

"Each time this happens, it is really bad for the cause because we always tell people to patch as quickly as possible, and these things are real setbacks," he says, noting that Microsoft has spent hundreds of millions of dollars on software security and does extensive regression testing of its updates. "Unfortunately, it happens."

On Tuesday, Microsoft rereleased the Exchange update, which had broken the content index used for searching for mail on the server, while the problems with the kernel and Active Directory remain. The company is still researching those issues, according to a Microsoft spokesperson.

"In some cases the programs may not successfully start," Microsoft wrote in an update to the kernel issue. "We are also aware of limited reports that certain users may encounter difficulties restarting their computers after applying this security update. Microsoft is researching this problem and will post more information in this article when the information becomes available."

The common security advice for companies is to apply software patches as quickly as possible, yet to roll them out in stages so as to catch any show-stopping defects before they scuttle the entire business. That advice remains unchanged following Microsoft's bad patches, says Ollie Whitehouse, associate director of the NCC Group, an information security services firm.

"We would argue the risk faced by an organization by not patching security issues due to concerns over patch quality will become much larger very quickly when compared to the risk of service disruption or long-term impact from a bad software patch," he says.
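The staged rollout described above can be made concrete as a ring-based gate: patch a small pilot group first, run post-patch health checks, and only release the next ring when the previous one is clean. The following is an added example, not code from the article, from Microsoft, or from NCC Group; the host names, the three health checks (a generic services check, an Exchange-style mail search index check, and an AD FS sign-in check) and the failure map are constructed so the script runs offline, and `apply_patch` would be replaced in practice by a real deployment and verification step.

```python
"""Ring-based patch rollout gate (added example with constructed data).

Hosts are patched ring by ring. After each ring, post-patch health checks are
evaluated; if more hosts fail than the policy allows, the rollout halts and the
remaining rings are never touched, limiting the blast radius of a bad patch.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Illustrative health checks an administrator might run after a Patch Tuesday
# deployment. Names are placeholders, not real tooling.
CHECKS = ("services_running", "mail_search_index", "adfs_signin")


@dataclass
class HostResult:
    host: str
    checks: Dict[str, bool]  # check name -> passed

    def failed_checks(self) -> List[str]:
        return [name for name, ok in self.checks.items() if not ok]


@dataclass
class RingOutcome:
    ring: str
    host_count: int
    failures: List[str] = field(default_factory=list)  # "host: check"
    passed: bool = True


def evaluate_ring(ring: str, results: List[HostResult],
                  max_failed_hosts: int = 0) -> RingOutcome:
    """Summarise one ring; it passes only if failed hosts stay within policy."""
    outcome = RingOutcome(ring=ring, host_count=len(results))
    failed_hosts = 0
    for result in results:
        bad = result.failed_checks()
        if bad:
            failed_hosts += 1
            outcome.failures.extend(f"{result.host}: {c}" for c in bad)
    outcome.passed = failed_hosts <= max_failed_hosts
    return outcome


def run_rollout(rings: List[Tuple[str, List[str]]],
                apply_patch: Callable[[str], HostResult],
                max_failed_hosts: int = 0) -> Tuple[List[RingOutcome], bool]:
    """Patch each ring in order; stop at the first ring that fails its gate.

    Returns the outcomes of the rings actually attempted and whether the
    rollout reached the end.
    """
    outcomes: List[RingOutcome] = []
    for ring, hosts in rings:
        results = [apply_patch(host) for host in hosts]
        outcome = evaluate_ring(ring, results, max_failed_hosts)
        outcomes.append(outcome)
        if not outcome.passed:
            return outcomes, False  # halt: later rings stay unpatched
    return outcomes, True


# Constructed simulation of a bad patch: one Exchange host loses its mail
# search index and one web host has a service that no longer starts.
KNOWN_BREAKAGE = {"exch-02": {"mail_search_index"}, "web-07": {"services_running"}}


def simulate_patch(host: str) -> HostResult:
    """Stand-in for 'deploy the update, then run the checks' on one host."""
    broken = KNOWN_BREAKAGE.get(host, set())
    return HostResult(host, {c: c not in broken for c in CHECKS})


RINGS = [
    ("pilot", ["lab-01", "lab-02"]),
    ("early", ["exch-01", "exch-02", "dc-01", "web-01"]),
    ("broad", ["web-02", "web-03", "web-04", "web-05", "web-06", "web-07"]),
]


def demo(max_failed_hosts: int = 0) -> Tuple[List[RingOutcome], bool]:
    return run_rollout(RINGS, simulate_patch, max_failed_hosts)


if __name__ == "__main__":
    outcomes, completed = demo()
    for o in outcomes:
        print(f"{o.ring:6} {'OK' if o.passed else 'HALT'} {o.failures}")
    print("rollout completed:", completed)
```

With the default zero-tolerance policy the pilot ring passes, the early ring halts on the broken Exchange host, and the six hosts in the broad ring are never patched; relaxing `max_failed_hosts` to 1 lets the rollout finish, which shows how the threshold trades exposure time against the cost of a disruptive update.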

Yet others believe that the common advice may have become outdated. Increasingly, software complexity has made the interactions between patches more difficult to predict, leading to problems with the software updates, says Amichai Shulman, chief technology officer with Imperva, an application-security firm.

"I don't think this is a blip on the radar," he says. "The continued investment in code security is not paying off, and the patching process is starting to become very difficult."


Virtual patching, where a software system attempts to detect and eliminate exploits for particular vulnerabilities, has been used as a stop-gap measure, protecting corporate systems until a patch can be applied. In the future, more companies will rely on virtual patching to make the update process less critical, allowing companies to delay fixing security holes for much longer periods of time, he says.

"This is the reality of a complex software world," Shulman says.

Microsoft supports virtual patching through its Microsoft Active Protections Program, in which the company shares information on vulnerabilities with security providers before the final patch is released. The information-sharing program allows the provider to have detections for vulnerabilities and exploits in place right when a patch is released.

Other software vendors need to support such information sharing, says John Pirc, an analyst with NSS Labs, a security consultancy. While Pirc also advises companies to patch as soon as possible, despite the occasional problems with software updates, he urges software developers to allow security companies to provide the best protection possible.

"People need to trust the vendors and need to deploy patches," he says. "But making sure that the security products in place are protecting their customers should also be a priority."

Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ...
