Bekker's Blog by Scott Bekker, Editor in Chief

Blog archive

Does Your 'Patch Tuesday' Policy Have a Zero-Day Gear?

Many organizations need to find another gear when it comes to zero-day vulnerabilities, according to a patching expert.

This week saw a huge Microsoft Patch Tuesday, with Microsoft releasing 14 patches, including four that fixed critical vulnerabilities. Sometimes those critical vulnerabilities can involve zero-days, which are vulnerabilities that are already being used in attacks before the vendor releases patches. The more usual order is that attackers develop exploits after a vendor issues a patch.

"With Microsoft Patch Tuesday, we see most people strive for 90 percent of their security patches applied within a week and a half. For zero days, it's a totally different story," says Rob Juncker, vice president of engineering at LANDesk Software. Juncker came to LANDesk via that company's acquisition of VMware's Shavlik unit.

According to Juncker, organizations need a separate, accelerated process to update systems threatened by zero-day vulnerabilities than they use for regular vulnerability patches.

"As soon as we release [a zero-day] patch, someone will pick up that patch, test it the next day and do some basic surface testing. After that's done they start pushing it out to critical systems, with awareness of how you would handle breakage.  They take a little more risk on the upgrade with that testing," says Juncker. But he says that risk is balanced by the fact that attackers are already exploiting the vulnerability.

In the October Patch Tuesday, Microsoft patched three zero-day vulnerabilities. This month's patch collection was less severe, with just one zero-day, and even that one was somewhat loaded with caveats.

"The most important bulletin MS14-064 addresses a current zero-day vulnerability -- CVE-2014-6352 in the Windows OLE packager for Vista and newer OS versions," wrote Qualys CTO Wolfgang Kandek in a commentary about the November Patch Tuesday. "Attackers have been abusing the vulnerability to gain code execution by sending Powerpoint files to their targets. Microsoft had previously acknowledged the vulnerability in security advisory KB3010060 and offered a work-around using EMET and a temporary patch in the form of a FixIt. This is the final fix for OLE Packager (Microsoft had patched the same software in October already with MS14-060) that should address all known exploit vectors."

Juncker cautions that organizations need to be aware of how many more zero-day vulnerabilities are being discovered these days than in the recent past. He also warns against the outdated idea that Microsoft's systems are the most vulnerable, and therefor that keeping up with Microsoft patches equates with being generally up to date.

"I think a lot of us focus on Microsoft products," Juncker says. "That's where a lot of the exploits used to be. Now they lead out with Java, they lead out with Adobe. The operating system isn't enough anymore. Make sure that you have a patch process that emphasizes not just servers, but make sure you get the endpoints."

Posted by Scott Bekker on November 12, 2014


Featured

  • An image of planes flying around a globe

    2025 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss.

  • Google To Acquire Cloud Startup Wiz for $32 Billion

    Google has announced a pending agreement to acquire Wiz Inc., a cloud security platform, in an all-cash deal worth $32 billion.

  • FTC Expands Microsoft Antitrust Investigation Under Trump Administration

    The Federal Trade Commission (FTC) is pressing ahead with a broad investigation into Microsoft's business practices, an inquiry that began in the final weeks of the Biden administration.

  • Microsoft to Shut Down Skype Services

    Microsoft will discontinue its Skype telecommunications and video calling services on May 5, 2025, marking the end of the platform's decades-long run.

Most   Popular