Microsoft often takes a fair amount of heat and ridicule for its Patch Tuesday, especially in months like this one, when Microsoft published 17 new security bulletins and patched 64 separate vulnerabilities. However, instead of focusing on the volume of flaws addressed by Microsoft, IT admins should be considering how many vulnerabilities remain unpatched in other software applications that have no dedicated patch management program and no regular cycle of updates.
Microsoft used to release security bulletins and patches ad hoc as they arose, but switched to the Patch Tuesday monthly release cycle to make it easier for IT admins. The regular, predictable release of updates enables IT departments to be prepared and have the appropriate resources allocated to analyze and deploy the batch of patches.
Most software doesn’t have any such patch management framework, though, which puts the burden on IT admins to keep up with vulnerability details and patch releases on their own. The lack of a consistent patch release and deployment schedule results in vulnerabilities that fall through the cracks and remain unpatched.
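One practical way to stop third-party applications from falling through the cracks is to compare an endpoint's installed-software inventory against the versions each vendor currently ships, and report anything that lags behind or has no tracked baseline at all. The script below is an added example, not code from the article or from any of the companies it quotes; the inventory export, the product names and the version numbers are all constructed placeholders, and in practice the "latest release" table would be maintained from vendor advisories.

```python
"""
Added example: flag installed third-party applications whose version is
behind the vendor's current release, plus applications nobody is tracking.

All product names and version numbers here are constructed placeholders.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of an endpoint inventory export: "product,version".
SAMPLE_INVENTORY = """\
# product,installed_version
ExampleReader,9.3.4
ExampleMediaPlayer,10.0.1
ExampleArchiver,3.80
ExampleBrowser,12.0.742
ExampleVPNClient,2.1
"""

# Constructed sample baseline: newest version each vendor currently ships.
LATEST_RELEASES: Dict[str, str] = {
    "ExampleReader": "9.4.0",
    "ExampleMediaPlayer": "10.0.1",
    "ExampleArchiver": "3.93",
    "ExampleBrowser": "12.0.742",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.3.4' (or '3.80', '1.2.3b') into a tuple of ints.

    Components are compared numerically, never as floats, so 3.80 is newer
    than 3.9; non-numeric suffixes are ignored.
    """
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_outdated(installed: str, latest: str) -> bool:
    """True when the installed version is strictly older than the latest.

    Shorter tuples are padded with zeros so that 9.4 equals 9.4.0.
    """
    a, b = parse_version(installed), parse_version(latest)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def parse_inventory(text: str) -> Dict[str, str]:
    """Parse 'product,version' lines, skipping blanks and '#' comments."""
    inventory: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        product, version = (field.strip() for field in line.split(",", 1))
        inventory[product] = version
    return inventory


def find_outdated(
    inventory: Dict[str, str], latest: Dict[str, str]
) -> Tuple[List[Tuple[str, str, str]], List[str]]:
    """Return ([(product, installed, latest), ...] for lagging products,
    [product, ...] for products with no baseline at all)."""
    outdated: List[Tuple[str, str, str]] = []
    unmanaged: List[str] = []
    for product, installed in sorted(inventory.items()):
        if product not in latest:
            unmanaged.append(product)           # nobody is tracking this one
        elif is_outdated(installed, latest[product]):
            outdated.append((product, installed, latest[product]))
    return outdated, unmanaged


if __name__ == "__main__":
    behind, untracked = find_outdated(parse_inventory(SAMPLE_INVENTORY),
                                      LATEST_RELEASES)
    for product, installed, current in behind:
        print(f"OUTDATED  {product}: {installed} -> {current}")
    for product in untracked:
        print(f"UNTRACKED {product}: no baseline version on file")
```

The "untracked" list is the important second output: an application that is missing from the baseline table is exactly the kind of software the article warns about, because no one will notice when a patch for it is released.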
Some attacks leverage previously unknown zero-day vulnerabilities, but many viruses, worms, and other types of malware attack vulnerabilities that are already known and for which patches have already been published. Norman, a security and patch management company, claims that nearly two dozen new vulnerabilities are discovered on average each day.
Paul Henry, Forensic & Security Analyst at Lumension, points out, “Time and time again, we’re finding that spear phishing exploits are taking advantage of the weaknesses in third party applications,” adding, “While the rest of the world is focusing on Windows, the bad guys are taking advantage of the applications we aren’t patching with free patch software that Microsoft makes available.”
“IT departments should make patch and remediation a priority,” said Audun Lodemel, vice president, Norman Marketing. “Remember to look into all your OS platform and applications vulnerabilities, not just focus on Microsoft issues around Patch Tuesday.”
Bottom line: Microsoft makes it easy because Patch Tuesday is reliable and predictable, and Microsoft provides the tools to download and implement the latest updates for both consumer and business systems. But don’t get lazy and forget that you have a wide variety of software installed on those systems, and that those applications are just as likely to contain exploitable flaws.