Does Your 'Patch Tuesday' Policy Have a Zero-Day Gear?
Many organizations need to find another gear when it comes to zero-day vulnerabilities, according to a patching expert.
This week saw a huge Microsoft Patch Tuesday, with Microsoft releasing 14 patches, including four that fixed critical vulnerabilities. Sometimes those critical vulnerabilities involve zero-days: vulnerabilities that are already being used in attacks before the vendor releases patches. The more usual order is that attackers develop exploits after a vendor issues a patch.
"With Microsoft Patch Tuesday, we see most people strive for 90 percent of their security patches applied within a week and a half. For zero days, it's a totally different story," says Rob Juncker, vice president of engineering at LANDesk Software. Juncker came to LANDesk via that company's acquisition of VMware's Shavlik unit.
According to Juncker, organizations need a separate, accelerated process for updating systems threatened by zero-day vulnerabilities, distinct from the one they use for regular vulnerability patches.
"As soon as we release [a zero-day] patch, someone will pick up that patch, test it the next day and do some basic surface testing. After that's done they start pushing it out to critical systems, with awareness of how you would handle breakage. They take a little more risk on the upgrade with that testing," says Juncker. But he says that risk is balanced by the fact that attackers are already exploiting the vulnerability.
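The two-tier policy Juncker describes (a routine tier measured as "90 percent applied within a week and a half", and a faster tier for zero-days that prioritizes critical systems) can be checked against patch deployment records. The following is an added example, not code from the article, LANDesk or Shavlik. The regular tier's window and 90 percent target come from the quote above; the zero-day tier's numbers (three days, every critical host) are an assumption chosen for illustration, as are the host names, install dates and the non-zero-day bulletin name, all of which are constructed. The 2014-11-11 release date is assumed from the article's "this week" and MS14-064.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Host:
    name: str
    critical: bool  # "critical systems" get the zero-day patch first


@dataclass(frozen=True)
class Patch:
    bulletin: str
    released: datetime
    zero_day: bool  # already exploited in the wild at release time


@dataclass(frozen=True)
class Tier:
    name: str
    window: timedelta           # time allowed after release
    target: float               # fraction of in-scope hosts that must be patched by the deadline
    in_scope: Callable[[Host], bool]


# Regular tier: "90 percent ... applied within a week and a half" (from the article).
REGULAR = Tier("regular", timedelta(days=10, hours=12), 0.90, lambda h: True)
# Zero-day tier: ASSUMED numbers, not from the article: all critical hosts within 3 days.
ZERO_DAY = Tier("zero-day", timedelta(days=3), 1.0, lambda h: h.critical)


@dataclass
class Report:
    bulletin: str
    tier: str
    due: datetime
    fraction: float      # share of in-scope hosts patched by the deadline
    target: float
    met: bool
    overdue: List[str]   # in-scope hosts still unpatched once the deadline has passed


def tier_for(patch: Patch) -> Tier:
    return ZERO_DAY if patch.zero_day else REGULAR


def evaluate(patch: Patch, hosts: List[Host],
             installs: Dict[str, Optional[datetime]], as_of: datetime) -> Report:
    """Score one patch against its tier. installs maps host name -> install time (None = unpatched)."""
    tier = tier_for(patch)
    due = patch.released + tier.window
    scoped = [h for h in hosts if tier.in_scope(h)]

    def timely(h: Host) -> bool:
        when = installs.get(h.name)
        return when is not None and when <= due

    done = sum(1 for h in scoped if timely(h))
    fraction = done / len(scoped) if scoped else 1.0
    # Hosts only count as overdue after the deadline; before that they are merely pending.
    overdue = [h.name for h in scoped if not timely(h)] if as_of >= due else []
    return Report(patch.bulletin, tier.name, due, fraction, tier.target,
                  fraction >= tier.target, overdue)


# Constructed inventory: three critical servers and seven workstations.
HOSTS = [Host("srv-dc01", True), Host("srv-web01", True), Host("srv-db01", True)] + \
        [Host(f"ws-10{i}", False) for i in range(1, 8)]

RELEASE = datetime(2014, 11, 11)  # assumed November 2014 Patch Tuesday release date

# MS14-064 is the zero-day bulletin named in the article; the second bulletin name is constructed.
ZERO_DAY_PATCH = Patch("MS14-064", RELEASE, zero_day=True)
REGULAR_PATCH = Patch("MSXX-EXAMPLE", RELEASE, zero_day=False)

# Constructed deployment records (install timestamps per host, None = not yet installed).
ZERO_DAY_INSTALLS: Dict[str, Optional[datetime]] = {
    "srv-dc01": datetime(2014, 11, 12), "srv-web01": datetime(2014, 11, 13),
    "srv-db01": datetime(2014, 11, 15),  # one day past the assumed 3-day zero-day window
}
REGULAR_INSTALLS: Dict[str, Optional[datetime]] = {
    **ZERO_DAY_INSTALLS,
    **{f"ws-10{i}": datetime(2014, 11, 18) for i in range(1, 7)},
    "ws-107": None,  # still unpatched
}


def demo(as_of: datetime = datetime(2014, 11, 24)) -> List[Report]:
    """Evaluate both constructed patches as of the given date."""
    return [evaluate(ZERO_DAY_PATCH, HOSTS, ZERO_DAY_INSTALLS, as_of),
            evaluate(REGULAR_PATCH, HOSTS, REGULAR_INSTALLS, as_of)]


if __name__ == "__main__":
    for r in demo():
        status = "met" if r.met else "MISSED"
        print(f"{r.bulletin} [{r.tier}] due {r.due:%Y-%m-%d %H:%M}: "
              f"{r.fraction:.0%} of {r.target:.0%} {status}; overdue: {r.overdue}")
```

The point of scoring the two tiers separately is that the same deployment data can pass the routine policy and still fail the zero-day one: in the constructed data, 9 of 10 hosts make the regular deadline, but one critical server misses the accelerated window, which is exactly the gap Juncker says a single "Patch Tuesday" schedule hides.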
In the October Patch Tuesday, Microsoft patched three zero-day vulnerabilities. This month's patch collection was less severe, with just one zero-day, and even that one was somewhat loaded with caveats.
"The most important bulletin MS14-064 addresses a current zero-day vulnerability -- CVE-2014-6352 in the Windows OLE packager for Vista and newer OS versions," wrote Qualys CTO Wolfgang Kandek in a commentary about the November Patch Tuesday. "Attackers have been abusing the vulnerability to gain code execution by sending Powerpoint files to their targets. Microsoft had previously acknowledged the vulnerability in security advisory KB3010060 and offered a work-around using EMET and a temporary patch in the form of a FixIt. This is the final fix for OLE Packager (Microsoft had patched the same software in October already with MS14-060) that should address all known exploit vectors."
Juncker cautions that organizations need to be aware of how many more zero-day vulnerabilities are being discovered these days than in the recent past. He also warns against the outdated idea that Microsoft's systems are the most vulnerable, and therefore that keeping up with Microsoft patches equates with being generally up to date.
"I think a lot of us focus on Microsoft products," Juncker says. "That's where a lot of the exploits used to be. Now they lead out with Java, they lead out with Adobe. The operating system isn't enough anymore. Make sure that you have a patch process that emphasizes not just servers, but make sure you get the endpoints."
Posted by Scott Bekker on November 12, 2014