Patch Management archives - Security Bytes

Oct 13 2009   10:07PM GMT

Microsoft record Patch Tuesday: Should flaws be counted?



Posted by: Robert Westervelt
patch management, patching

Security experts say counting patches is senseless.

Another Microsoft Patch Tuesday has come and gone, but this one trumped June by setting a new record for the number of flaws patched by the software giant. There were 34 vulnerabilities fixed in 13 Microsoft Security Bulletins. Seeing 13 security bulletins, eight of them critical, didn’t faze me, and I’m not sure knowing that 34 vulnerabilities were repaired should faze any IT administrator. They care most about the initial bulletin rating and the relative threat risk each bulletin addresses.

This month I’m reminded of Eric Schultze’s recent column. Schultze, formerly of Shavlik Technologies, wrote a column for our friends at Threatpost.com: “Patch Counting: Horseshoes and Hand Grenades,” in which he explained what really should be considered when looking at Microsoft’s patches each month.

As a Systems Administrator, one thing is clear to me: if my users visit an evil website, their machines can be exploited. How do I rectify this? I can apply the suggested patch.
Do I care that there were eight different underlying flaws that would lead to the evil code execution? No.

Even Microsoft has taken a little heat for counting flaws. In this case, Microsoft counted flaws in Vista in 2007 to show how secure the OS has been made.

Perhaps Mike Shaver, vice president of engineering at Mozilla, summed the issue up best in 2007 in his post titled “Counting Still Easy, Critical Thinking Still Surprisingly Hard,” in which he was referring to a Microsoft report comparing vulnerabilities fixed in Internet Explorer to those repaired in Mozilla Firefox. According to Microsoft, IE was better since Mozilla repaired more vulnerabilities in the time period studied.

You can only count what a vendor wants you to see. … If Mozilla wanted to do better than Microsoft on this report, we would have an easy path: stop fixing and disclosing bugs that we find in-house. It is well known that Microsoft redacts release notes for service packs and bundles fixes, sometimes meaning that you get a single vulnerability “counted” for, say, seven defects repaired. Or maybe you don’t hear about it at all, because it was rolled into SP2 and they didn’t make any noise about it.

May 12 2009   12:24PM GMT

Software delivery could fix software patching issues



Posted by: Robert Westervelt
patch management, patching, software updates

When was the last time you considered the state of your vendor relationship? Are they doing anything behind your back?

Google recently presented the results of its study touting that users of its Chrome browser are far more likely to have the latest version installed, because Chrome includes a silent update feature that automatically checks and installs the latest version with virtually no user interaction.

Software updates have become ubiquitous across all applications, regardless of their purpose. Sometimes the user must check for a new version, but often an automated process checks for an available update and then prompts the user to approve its installation.

I must admit that like many users, when I am moving quickly on a task, I’ll sometimes delay an application update for another time. But keeping that update process silent, without the user’s knowledge, strikes me as putting security ahead of the user. If I want to surf the Web without antivirus protection, I will do so. If I want to remain on version 1.x instead of 1.5, I want the ability to have that choice. When was the last time you got into an automobile and an automatic seat belt swung into place? Admit it, the auto industry caught on. Even though seat belts could save a customer’s life, automatic seat belts are a thing of the past. They were too intrusive, resulted in less choice for the driver and passenger, and ultimately, I bet they hurt sales.

Mozilla’s Johnathan Nightingale got it right when he said Mozilla prides itself on giving its users information. “We make certain choices, like telling users when security updates happen, and not automatically upgrading users to new ‘major’ versions … because we think it’s important to give our users that information and choice,” he said, explaining his take on the Google study.

Software as a Service and cloud computing services could dramatically change the discussion around patching. But perhaps more important are the questions that remain unanswered. Marcus Ranum, CTO of Tenable Network Security Inc., asked the following two questions:

  • Why are we running software that is so bad it constantly needs patching?
  • Since the “security researchers” have been saying for 15+ years that their bug-hunting activities are part of “making software better,” can we declare that effort to be a failure, yet?

It’s possible that if the industry starts to adequately address the issues within the software development lifecycle, the patching discussion will become a moot point. Bruce Schneier said something several times at the 2009 RSA Conference that stuck in my mind: Cloud computing is about trust. Do you trust your vendor? I suspect we are trusting our software and hardware vendors to a certain extent. By downloading a piece of software or buying an electronic device, we are engaging in a relationship. The fact is, by making software updates silent, the vendor is doing something behind our back. It’s something that begins to call our relationship into question. Isn’t that when relationships have a tendency to fail?

For now, I’ll happily continue to put off my software updates until they’re convenient for me. And yes, I wear a seat belt.