Dark Reading is part of the Informa Tech Division of Informa PLC


Application Security

08:02 AM

Microsoft Patch Problems Underline Trade-Offs For Securing Systems

As the software giant works to fix the shortcomings in its latest set of patches, security experts debate whether 'trust the patch' is still the best course

For many companies used to problem-free patching, August's Black Tuesday -- the second Tuesday of the month when Microsoft releases its latest security fixes -- stands as a reminder that software systems are complex and patching software can lead to problems.

Last week, Microsoft warned that three of the Patch Tuesday software updates -- closing four security issues in its Exchange Server, one in the Windows kernel, and another in Active Directory -- caused problems for some of its customers. Companies that applied the patches immediately may have lost the ability to search e-mail, suffered random crashes on Windows, or found that Active Directory Federation Services stopped working.

Corporate IT departments could become a bit gun-shy and stop applying patches as quickly as possible, says Wolfgang Kandek, chief technology officer for cloud-security firm Qualys.

"Each time this happens, it is really bad for the cause because we always tell people to patch as quickly as possible, and these things are real setbacks," he says, noting that Microsoft has spent hundreds of millions of dollars on software security and does extensive regression testing of its updates. "Unfortunately, it happens."

On Tuesday, Microsoft rereleased the Exchange update, which had broken the content index used for searching for mail on the server, while the problems with the kernel and Active Directory remain. The company is still researching those issues, according to a Microsoft spokesperson.

"In some cases the programs may not successfully start," Microsoft wrote in an update to the kernel issue. "We are also aware of limited reports that certain users may encounter difficulties restarting their computers after applying this security update. Microsoft is researching this problem and will post more information in this article when the information becomes available."

The common security advice for companies is to apply software patches as quickly as possible, yet to roll them out in stages so as to catch any show-stopping defects before they scuttle the entire business. That advice remains unchanged following Microsoft's bad patches, says Ollie Whitehouse, associate director of the NCC Group, an information security services firm.
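The staged rollout the experts describe is easy to state but worth seeing as a concrete control. The following is an added example, not code from the article or from Microsoft: a ring-based rollout (canary, pilot, broad) where a patch advances to the next ring only after every host in the current ring passes its post-patch health checks. The fleet, the role-specific checks, and the "bad patch" that breaks mail search (modelled on the Exchange content-index failure the article reports) are all constructed for illustration.

```python
"""Ring-based patch rollout with health gates (added example, not from the article).

Hosts are grouped into rings. The patch is applied to one ring at a time, and
the rollout halts at the first ring where any host fails a health check, so a
defective update reaches only the canary ring instead of the whole fleet.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Host:
    name: str
    role: str                      # constructed roles: "exchange", "dc", "workstation"
    patched: bool = False
    # Observable service state a health check would probe after patching
    state: Dict[str, bool] = field(default_factory=lambda: {
        "search_ok": True,         # mail content index answers searches
        "adfs_ok": True,           # AD FS endpoint responds
        "boots_ok": True,          # machine restarts cleanly
    })


# Health checks keyed by role; each returns True when the host is healthy.
HEALTH_CHECKS: Dict[str, List[Tuple[str, Callable[[Host], bool]]]] = {
    "exchange":    [("mail search works", lambda h: h.state["search_ok"])],
    "dc":          [("AD FS responds",    lambda h: h.state["adfs_ok"])],
    "workstation": [("reboots cleanly",   lambda h: h.state["boots_ok"])],
}

Ring = Tuple[str, List[Host]]


@dataclass
class RolloutResult:
    status: str                    # "complete" or "halted"
    patched: List[str]             # hosts that received the patch, in order
    halted_at: Optional[str]       # ring name where the gate failed, if any
    failures: Dict[str, List[str]] # host -> labels of the checks it failed


def run_rollout(rings: List[Ring], apply_patch: Callable[[Host], None]) -> RolloutResult:
    """Apply the patch ring by ring; stop before the next ring if any check fails."""
    patched: List[str] = []
    for ring_name, hosts in rings:
        for h in hosts:
            apply_patch(h)
            h.patched = True
            patched.append(h.name)
        # Gate: every host in this ring must pass all of its checks before advancing
        failures: Dict[str, List[str]] = {}
        for h in hosts:
            failed = [label for label, check in HEALTH_CHECKS[h.role] if not check(h)]
            if failed:
                failures[h.name] = failed
        if failures:
            return RolloutResult("halted", patched, ring_name, failures)
    return RolloutResult("complete", patched, None, {})


def build_fleet() -> List[Ring]:
    """Constructed fleet: a small canary ring, then pilot, then everything else."""
    return [
        ("canary", [Host("exch-canary", "exchange"), Host("ws-canary", "workstation")]),
        ("pilot",  [Host("exch-01", "exchange"), Host("dc-01", "dc")]),
        ("broad",  [Host("exch-02", "exchange"), Host("dc-02", "dc"), Host("ws-01", "workstation")]),
    ]


def good_patch(h: Host) -> None:
    """A patch with no side effects on the checked services."""


def bad_exchange_patch(h: Host) -> None:
    """Constructed defect modelled on the article: the update breaks the mail content index."""
    if h.role == "exchange":
        h.state["search_ok"] = False


if __name__ == "__main__":
    for label, patch in (("good patch", good_patch), ("bad Exchange patch", bad_exchange_patch)):
        result = run_rollout(build_fleet(), patch)
        print(f"{label}: {result.status}, patched={result.patched}, "
              f"halted_at={result.halted_at}, failures={result.failures}")
```

With the defective patch the rollout halts at the canary ring after touching two hosts; the pilot and broad rings stay unpatched, which is the "catch show-stopping defects before they scuttle the entire business" outcome the advice is after. A real deployment would also hold each ring for a soak period and tie the checks to actual service probes rather than in-memory flags.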

"We would argue the risk faced by an organization by not patching security issues due to concerns over patch quality will become much larger very quickly when compared to the risk of service disruption or long-term impact from a bad software patch," he says.

Yet others believe that the common advice may have become outdated. Increasingly, software complexity has made the interactions between patches more difficult to predict, leading to problems with the software updates, says Amichai Shulman, chief technology officer with Imperva, an application-security firm.

"I don't think this is a blip on the radar," he says. "The continued investment in code security is not paying off, and the patching process is starting to become very difficult."

[Companies should expect safer software as more companies adopt bug bounty programs and studies prove their effectiveness. See Better Bug Bounties Mean Safer Software, More Research Demand.]

Virtual patching, where a software system attempts to detect and eliminate exploits for particular vulnerabilities, has been used as a stop-gap measure, protecting corporate systems until a patch can be applied. In the future, more companies will rely on virtual patching to make the update process less critical, allowing companies to delay fixing security holes for much longer periods of time, he says.

"This is the reality of a complex software world," Shulman says.

Microsoft supports virtual patching through its Microsoft Active Protections Program, in which the company shares information on vulnerabilities with security providers before the final patch is released. The information-sharing program allows the provider to have detections for vulnerabilities and exploits in place right when a patch is released.

Other software vendors need to support such information sharing, says John Pirc, an analyst with NSS Labs, a security consultancy. While Pirc also advises companies to patch as soon as possible, despite the occasional problems with software updates, he urges software developers to allow security companies to provide the best protection possible.

"People need to trust the vendors and need to deploy patches," he says. "But making sure that the security products in place are protecting their customers should also be a priority."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
