Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

08:02 AM

Microsoft Patch Problems Underline Trade-Offs For Securing Systems

As the software giant works to fix the shortcomings in its latest set of patches, security experts debate whether 'trust the patch' is still the best course

For many companies used to problem-free patching, August's Black Tuesday -- the second Tuesday of the month when Microsoft releases its latest security fixes -- stands as a reminder that software systems are complex and patching software can lead to problems.

Last week, Microsoft warned that three of the Patch Tuesday software updates -- closing four security issues in its Exchange Server, one in the Windows kernel, and another in Active Directory -- caused problems for some of its customers. Companies that applied patches immediately may have lost the ability to search e-mail, had random crashes on Windows, or found that Active Directory's federation services stopped working.

Corporate IT departments could become a bit gun-shy and stop applying patches as quickly as possible, says Wolfgang Kandek, chief technology officer for cloud-security firm Qualys.

"Each time this happens, it is really bad for the cause because we always tell people to patch as quickly as possible, and these things are real setbacks," he says, noting that Microsoft has spent hundreds of millions of dollars on software security and does extensive regression testing of its updates. "Unfortunately, it happens."

On Tuesday, Microsoft rereleased the Exchange update, which had broken the content index used for searching for mail on the server, while the problems with the kernel and Active Directory remain. The company is still researching those issues, according to a Microsoft spokesperson.

"In some cases the programs may not successfully start," Microsoft wrote in an update to the kernel issue. "We are also aware of limited reports that certain users may encounter difficulties restarting their computers after applying this security update.  Microsoft is researching this problem and will post more information in this article when the information becomes available."

The common security advice for companies is to apply software patches as quickly as possible, yet to roll them out in stages so as to catch any show-stopping defects before they scuttle the entire business. That advice remains unchanged following Microsoft's bad patches, says Ollie Whitehouse, associate director of the NCC Group, an information security services firm.

"We would argue the risk faced by an organization by not patching security issues due concerns over patch quality will become much larger very quickly when compared to the risk of service disruption or long-term impact from a bad software patch," he says.

Yet others believe that the common advice may have become outdated. Increasingly, software complexity has made the interactions between patches more difficult to predict, leading to problems with the software updates, says Amichai Shulman, chief technology officer with Imperva, an application-security firm.

"I don't think this is a blip on the radar," he says. "The continued investment in code security is not paying off, and the patching process is starting to become very difficult."

[Companies should expect safer software as more companies adopt bug bounty programs and studies prove their effectiveness. See Better Bug Bounties Mean Safer Software, More Research Demand.]

Virtual patching, where a software system attempts to detect and eliminate exploits for particular vulnerabilities, has been used as a stop-gap measure, protecting corporate systems until a patch can be applied. In the future, more companies will rely on virtual patching to make the update process less critical, allowing companies to delay fixing security holes for much longer periods of time, he says.

"This is the reality of a complex software world," Shulman says.

Microsoft supports virtual patching through its Microsoft Active Protections Program, in which the company shares information on vulnerabilities with security providers before the final patch is released. The information-sharing program allows the provider to have detections for vulnerabilities and exploits in place right when a patch is released.

Other software vendors need to support such information sharing, says John Pirc, an analyst with NSS Labs, a security consultancy. While Pirc also advises companies to patch as soon as possible, despite the occasional problems with software updates, he urges software developers to allow security companies to provide the best protection possible.

"People need to trust the vendors and need to deploy patches," he says. "But making sure that the security products in place are protecting their customers should also be a priority."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-10-20
** DISPUTED ** The BIOS configuration design on ASUS ROG Zephyrus M GM501GS laptops with BIOS 313 relies on the main battery instead of using a CMOS battery, which reduces the value of a protection mechanism in which booting from a USB device is prohibited. Attackers who have physical laptop access ...
PUBLISHED: 2019-10-19
The Video_Converter app 0.1.0 for Nextcloud allows denial of service (CPU and memory consumption) via multiple concurrent conversions because many FFmpeg processes may be running at once. (The workload is not queued for serial execution.)
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.