Risk
9/7/2012
01:31 AM

Fixing The Patch Problem

Many companies are patching systems more slowly than in the past. Using a service that packages fixes can speed updates and give businesses a better chance of closing security holes.

Before joining IBM's security division, Dave Merrill handled the company's strategy for securing its desktops and laptops. In that role, Merrill saw the major problems in patching endpoint systems.

With application and operating-system vendors releasing a constant stream of security fixes and a lack of maturity among update services, managing the patch process was nearly impossible. More than a third of systems were missing a critical patch, but the company did not, at the time, have the visibility to find and fix the issues. Searching for a solution to the problem resulted in, among other things, IBM purchasing endpoint monitoring and patch management service BigFix in 2010.

Many companies are still wrestling with similar problems, says Merrill, now a senior technical staff member in IBM's security division.

"I was seeing the security issues that were the result of inadequate patching," Merrill says. "We were not patching fast enough and patches were not accurate enough to successfully fend off attacks."

Today, the problems persist and may even have become worse. While attackers quickly find ways to exploit known vulnerabilities, businesses have actually become slower at patching, according to data from vulnerability management firm Qualys. Earlier this year, the company released data on the vulnerability half-life -- the time it takes to fix a flaw on half the instances of an application -- for its customers. In 2009, companies took an average of 30 days to fix a vulnerability on half of their computers; in 2012, that period had lengthened to 35 days.

Take Java, for example. Vulnerabilities in the software are essentially the uranium of information technology, with a half-life so long that Qualys has not been able to measure it.

"Where we still see problems is the real third-party software, such as Java and Flash and PDF," says Wolfgang Kandek, chief technology officer for Qualys. "For Java, I cannot even plot it; there is no discernible movement at all."

That's not true for all applications, however. Both Internet Explorer and Microsoft Office have improved their half-life to about 15 days, says Kandek.
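As an added illustration of the half-life metric described above (this is example code, not from the article or from Qualys), the following Python computes it from constructed scan snapshots and returns None for a vulnerability that, like the Java case, never reaches the halfway point within the observation window.

```python
from datetime import date
from typing import Optional

# Constructed scan snapshots: for each scan date, the set of hosts on which the
# vulnerability was still detected. The first scan defines the affected population.
OFFICE_SCANS = {
    date(2012, 1, 1): {"h1", "h2", "h3", "h4", "h5", "h6"},
    date(2012, 1, 8): {"h1", "h2", "h3", "h4", "h5"},
    date(2012, 1, 15): {"h1", "h2", "h3"},   # half the population fixed here
    date(2012, 1, 22): {"h1"},
}
JAVA_SCANS = {
    date(2012, 1, 1): {"h1", "h2", "h3", "h4"},
    date(2012, 1, 15): {"h1", "h2", "h3", "h4"},
    date(2012, 2, 1): {"h1", "h2", "h3"},    # never drops to half within the window
}


def remediation_curve(scans: dict[date, set[str]]) -> list[tuple[int, float]]:
    """Return (days since first scan, fraction of the original population still
    vulnerable) for each snapshot; this is the series one would plot."""
    if not scans:
        raise ValueError("no scans")
    dates = sorted(scans)
    population = scans[dates[0]]
    if not population:
        raise ValueError("no vulnerable hosts in first scan")
    curve = []
    for d in dates:
        # Hosts first seen in later scans are not part of the measured population.
        remaining = scans[d] & population
        curve.append(((d - dates[0]).days, len(remaining) / len(population)))
    return curve


def half_life_days(scans: dict[date, set[str]]) -> Optional[int]:
    """Days until at most half of the initially affected hosts remain vulnerable.
    Returns None when the observation window never reaches that point."""
    for days, fraction in remediation_curve(scans):
        if fraction <= 0.5:
            return days
    return None


if __name__ == "__main__":
    print("Office half-life (days):", half_life_days(OFFICE_SCANS))
    print("Java half-life (days):", half_life_days(JAVA_SCANS))
```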

[There is a whole rag-tag class of systems--many of them extremely critical--that frequently run unpatched and ridden with vulnerabilities. See 5 Systems You're Forgetting To Patch.]

To fix patching problems, companies need to know what vulnerabilities are out there and which applications they have, and they need the ability to create or retrieve the patches. Most companies cannot do all -- in some cases, any -- of these, making a patch management service a good option.

Services that provide custom patches can slow down the patch cycle, but -- in the end -- pay off, because building a patch internally can be expensive.

"The cost of creating a patch quickly is on me as a single customer -- it ends up being too much of a financial burden," says IBM's Merrill. "Buying a service from a company that can spread it across the space is important."

Another bonus of a good patch management service is better quality patches. Many companies quickly deploy fixes created by Microsoft, because the company has spent so much time testing its patches. Other patches, however, can cause more problems than they solve, and companies tend to test such updates more extensively. Half of the companies surveyed by business technology provider GFI have had to roll back at least one patch every year.

With testing, however, patches have become more reliable, says Cristian Florian, product manager for GFI.

"We have noticed that the testing of patches has improved," Florian says. "Still, we recommend to our customers that they stage a patch, first testing it on not-so-critical systems."

In addition to creating patches, companies need the ability to take stock of the software on their systems to be aware of all the vulnerabilities present, says software security firm Secunia.

"Instead of focusing on the applications that have the highest market share, if they focus on the vulnerabilities and patching the applications with the most critical vulnerabilities, they can remediate much more risk," says Morten Stengaard, director of product management at Secunia.

Comments
RSIMONS,
User Rank: Apprentice
9/7/2012 | 2:58:52 PM
re: Fixing The Patch Problem
One efficient solution is the concept of virtual patching for operating systems and applications, closing security holes caused by vulnerabilities, using Deep Security by Trend Micro.