
Bug Warnings: Vendor Security Bulletins Unclear

Adobe, Apple, and Oracle have been slammed by security experts for a lack of information, transparency, and clarity in security bulletins.

Are some vendors' security bulletins, detailing new vulnerabilities and related patches, better than others?

That question is relevant, because IT managers must constantly decide, based on bug severity and their business' product installation footprint, which newly disclosed bugs to address first.

Already this month, Microsoft released 22 patches for various products--a relatively low number, compared with other months. Firefox also pushed a Mac-only update. Next week, meanwhile, Oracle is set to release 78 patches, including a "critical patch update" that fixes 13 bugs in Oracle Database Server, some of which can be remotely exploited, without authentication.

Sometimes, however, getting to the root of what needs to be patched, and why, can be quite difficult. In its patch preview, Oracle said that the Oracle Database Server vulnerabilities involve 17 different database components, ranging from the database vault and event management to the security framework and XML developer kit. It's up to IT managers to unravel that information, then compare and contrast it with the vulnerabilities, to be more fully detailed on Tuesday, that involve Oracle's Application Server, Identity Management, E-Business Suite, PeopleSoft, the Sun product suite, and more.

As that suggests, the sheer quantity of products and patches involved in even a single Oracle patch update can pose "where to start?" challenges. "Oracle releases security patches for the majority of products--Java is an exception, for example--on a fixed schedule, every three months. That, and the sheer number of products that Oracle owns, together make an Oracle patch release a complex undertaking, where customers--and we--have to be familiar with each different product and its characteristics," said Wolfgang Kandek, CTO of Qualys, which sells vulnerability management software, in an email interview. "We have quite different mechanisms for [patching] Solaris--largely automated--than for the Oracle database, for example."

Information accessibility is another issue. "The difficulty in parsing Oracle's Critical Patch Updates (CPU) is that they keep important details behind a 'wall' on their support site," said Andrew Storms, director of security operations for automated security and compliance provider nCircle, in an email interview. "For this reason, I don't feel comfortable commenting further on the content of the Oracle CPU."

In fact, many vendors' security bulletins don't tend toward ease of use. "If you try to decipher something like an Adobe advisory, it can be quite difficult to assess what the vulnerability is, and get good, actionable information out of them, including how it might harm you," said Thomas Kristensen, chief security officer of vulnerability information provider Secunia, in a phone interview.

Storms offered a similar assessment. "Adobe and Apple are neck-in-neck in the race to determine who has the least useful bulletin release," he said. "Both vendors often provide little or no mitigation information, and their information about the vulnerabilities is all foam, and no beer."

Of the two, Storms gives extra points to Adobe, however, based on its having a regular release cycle, and announcing patches before they're released. "Apple, on the other hand, is totally unpredictable--they always manage to deliver a surprise patch when you least expect it, usually when you have no resources available," he said.

Who does security bulletins well? Storms said that Microsoft's security bulletins--filled with workarounds and mitigation strategies--lead the industry. "Microsoft has really focused on transparency in their patching process. They have a consistent, predictable release cycle, and they communicate regularly with their customers about any changes in that process," said Storms. "They also have worked hard to develop secure software development methodologies, in order to bake security into all their newer products. The combination of all these factors make Microsoft the industry leader in security patching."

Beyond Microsoft's example, what might drive other software vendors to produce better security bulletins? "We hope that in the near future, CVRF (common vulnerability reporting framework) will gain widespread acceptance," said Kandek at Qualys. "CVRF establishes a common format and language to describe vulnerabilities that can be read by automated tools."

The XML-based CVRF framework, however, is quite new; the first version just debuted in May. But it has extensive backing, having been developed by the Industry Consortium for Advancement of Security on the Internet. Its founding members are Cisco, IBM, Intel, Juniper Networks, Microsoft, and Nokia, and Oracle and Red Hat also contributed to the CVRF.

With luck, and following the security bulletin standard set by Microsoft, the CVRF could serve as a one-stop shop for vulnerability information, for all.
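As an added illustration of the automated consumption Kandek describes (example code, not from the article, ICASI, or any vendor): a Python parser that reads a CVRF advisory, keeps only the vulnerabilities marked as affecting products in a site's own inventory, and ranks them by CVSS base score, which is exactly the severity-and-footprint triage the article opens with. Element names follow the CVRF 1.1 schema; the advisory content, product IDs, CVE numbers, scores and fix text are constructed.

```python
import xml.etree.ElementTree as ET

# Namespace URIs of the CVRF 1.1 schema parts this parser touches (product tree, vulnerability).
NS = {
    "prod": "http://www.icasi.org/CVRF/schema/prod/1.1",
    "vuln": "http://www.icasi.org/CVRF/schema/vuln/1.1",
}

# Constructed advisory in CVRF 1.1 layout; vendor, products, IDs, CVE numbers and scores are made up.
SAMPLE_CVRF = """<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle>Example Quarterly Update (constructed)</DocumentTitle>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <FullProductName ProductID="PID-DB">Example Database Server 11</FullProductName>
    <FullProductName ProductID="PID-APP">Example Application Server 10</FullProductName>
  </ProductTree>
  <Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
    <CVE>CVE-0000-0001</CVE>
    <ProductStatuses><Status Type="Known Affected"><ProductID>PID-DB</ProductID></Status></ProductStatuses>
    <CVSSScoreSets><ScoreSet><BaseScore>7.5</BaseScore></ScoreSet></CVSSScoreSets>
    <Remediations><Remediation Type="Vendor Fix"><Description>Apply patch 11.0.1</Description></Remediation></Remediations>
  </Vulnerability>
  <Vulnerability Ordinal="2" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
    <CVE>CVE-0000-0002</CVE>
    <ProductStatuses><Status Type="Known Affected"><ProductID>PID-APP</ProductID></Status>
      <Status Type="Known Not Affected"><ProductID>PID-DB</ProductID></Status></ProductStatuses>
    <CVSSScoreSets><ScoreSet><BaseScore>9.3</BaseScore></ScoreSet></CVSSScoreSets>
  </Vulnerability>
  <Vulnerability Ordinal="3" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
    <CVE>CVE-0000-0003</CVE>
    <ProductStatuses><Status Type="Known Affected"><ProductID>PID-DB</ProductID><ProductID>PID-APP</ProductID></Status></ProductStatuses>
    <CVSSScoreSets><ScoreSet><BaseScore>4.3</BaseScore></ScoreSet></CVSSScoreSets>
  </Vulnerability>
</cvrfdoc>"""

def triage(cvrf_xml, installed):
    """Keep vulnerabilities marked 'Known Affected' for a ProductID in `installed`, highest CVSS
    base score first; each row is (CVE, score, affected installed product names, vendor fix text)."""
    root = ET.fromstring(cvrf_xml)
    names = {p.get("ProductID"): p.text for p in root.iterfind(".//prod:FullProductName", NS)}
    rows = []
    for v in root.iterfind("vuln:Vulnerability", NS):
        cve = v.findtext("vuln:CVE", default="(no CVE)", namespaces=NS)
        score = float(v.findtext("vuln:CVSSScoreSets/vuln:ScoreSet/vuln:BaseScore", default="0", namespaces=NS))
        affected = {p.text for p in v.iterfind("vuln:ProductStatuses/vuln:Status[@Type='Known Affected']/vuln:ProductID", NS)}
        fix = v.findtext("vuln:Remediations/vuln:Remediation[@Type='Vendor Fix']/vuln:Description",
                         default="(no vendor fix stated)", namespaces=NS)
        hit = affected & set(installed)
        if hit:  # skip bugs in products this site does not run
            rows.append((cve, score, sorted(names[p] for p in hit), fix))
    return sorted(rows, key=lambda r: r[1], reverse=True)
```

Calling `triage(SAMPLE_CVRF, {"PID-DB"})` drops the 9.3-rated bug because it only affects a product the site does not run, and surfaces the missing remediation text on the third entry, the gap Storms complains about in the Adobe and Apple bulletins.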

