Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

8/21/2013
08:02 AM
50%
50%

Microsoft Patch Problems Underline Trade-Offs For Securing Systems

As the software giant works to fix the shortcomings in its latest set of patches, security experts debate whether 'trust the patch' is still the best course

For many companies used to problem-free patching, August's Black Tuesday -- the second Tuesday of the month when Microsoft releases its latest security fixes -- stands as a reminder that software systems are complex and patching software can lead to problems.

Last week, Microsoft warned that three of the Patch Tuesday software updates -- closing four security issues in its Exchange Server, one in the Windows kernel, and another in Active Directory -- caused problems for some of its customers. Companies that applied patches immediately may have lost the ability to search e-mail, had random crashes on Windows, or found that Active Directory's federation services stopped working.

Corporate IT departments could become a bit gun-shy and stop applying patches as quickly as possible, says Wolfgang Kandek, chief technology officer for cloud-security firm Qualys.

"Each time this happens, it is really bad for the cause because we always tell people to patch as quickly as possible, and these things are real setbacks," he says, noting that Microsoft has spent hundreds of millions of dollars on software security and does extensive regression testing of its updates. "Unfortunately, it happens."

On Tuesday, Microsoft rereleased the Exchange update, which had broken the content index used for searching for mail on the server, while the problems with the kernel and Active Directory remain. The company is still researching those issues, according to a Microsoft spokesperson.

"In some cases the programs may not successfully start," Microsoft wrote in an update to the kernel issue. "We are also aware of limited reports that certain users may encounter difficulties restarting their computers after applying this security update.  Microsoft is researching this problem and will post more information in this article when the information becomes available."

The common security advice for companies is to apply software patches as quickly as possible, yet to roll them out in stages so as to catch any show-stopping defects before they scuttle the entire business. That advice remains unchanged following Microsoft's bad patches, says Ollie Whitehouse, associate director of the NCC Group, an information security services firm.

"We would argue the risk faced by an organization by not patching security issues due concerns over patch quality will become much larger very quickly when compared to the risk of service disruption or long-term impact from a bad software patch," he says.

Yet others believe that the common advice may have become outdated. Increasingly, software complexity has made the interactions between patches more difficult to predict, leading to problems with the software updates, says Amichai Shulman, chief technology officer with Imperva, an application-security firm.

"I don't think this is a blip on the radar," he says. "The continued investment in code security is not paying off, and the patching process is starting to become very difficult."

[Companies should expect safer software as more companies adopt bug bounty programs and studies prove their effectiveness. See Better Bug Bounties Mean Safer Software, More Research Demand.]

Virtual patching, where a software system attempts to detect and eliminate exploits for particular vulnerabilities, has been used as a stop-gap measure, protecting corporate systems until a patch can be applied. In the future, more companies will rely on virtual patching to make the update process less critical, allowing companies to delay fixing security holes for much longer periods of time, he says.

"This is the reality of a complex software world," Shulman says.

Microsoft supports virtual patching through its Microsoft Active Protections Program, in which the company shares information on vulnerabilities with security providers before the final patch is released. The information-sharing program allows the provider to have detections for vulnerabilities and exploits in place right when a patch is released.

Other software vendors need to support such information sharing, says John Pirc, an analyst with NSS Labs, a security consultancy. While Pirc also advises companies to patch as soon as possible, despite the occasional problems with software updates, he urges software developers to allow security companies to provide the best protection possible.

"People need to trust the vendors and need to deploy patches," he says. "But making sure that the security products in place are protecting their customers should also be a priority."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19594
PUBLISHED: 2019-12-05
reset/modules/fotoliaFoto/multi_upload.php in the RESET.PRO Adobe Stock API Integration for PrestaShop 1.6 and 1.7 allows remote attackers to execute arbitrary code by uploading a .php file.
CVE-2019-19595
PUBLISHED: 2019-12-05
reset/modules/advanced_form_maker_edit/multiupload/upload.php in the RESET.PRO Adobe Stock API integration 4.8 for PrestaShop allows remote attackers to execute arbitrary code by uploading a .php file.
CVE-2019-3690
PUBLISHED: 2019-12-05
The chkstat tool in the permissions package followed symlinks before commit a9e1d26cd49ef9ee0c2060c859321128a6dd4230 (please also check the additional hardenings after this fix). This allowed local attackers with control over a path that is traversed by chkstat to escalate privileges.
CVE-2013-0243
PUBLISHED: 2019-12-05
haskell-tls-extra before 0.6.1 has Basic Constraints attribute vulnerability may lead to Man in the Middle attacks on TLS connections
CVE-2018-10021
PUBLISHED: 2019-12-05
Improper validation of URL redirection in the Kubernetes API server in versions prior to v1.14.0 allows an attacker-controlled Kubelet to redirect API server requests from streaming endpoints to arbitrary hosts. Impacted API servers will follow the redirect as a GET request with client-certificate c...