Record Patch Tuesday Hits Older Software Hardest

Today is Microsoft’s monthly Patch Tuesday, and as predicted October sets a new record for security bulletins in a single month. More than ever, IT admins need to understand the risks and prioritize the various patches to effectively manage the deluge of updates, and protect vulnerable systems as efficiently as possible. This month also demonstrates yet again that legacy software is inherently less secure.

Andrew Storms, director of security operations for nCircle, says, “Microsoft released the largest patch in history today with 16 security bulletins and 49 individual bugs. It seems quite possible that Microsoft will hit the triple digit mark for bulletins in 2010; with today’s patch 86 bulletins have already been released so far this year. Another 14 bulletins over the next two months seems more than likely.”

Storms added “This month it’s more important than ever to be able to prioritize the release. The Internet Explorer bulletin along with the Embedded OpenType bug fixes should make it to the top of the list for everyone because they can both be used for dangerous drive-by attacks. Consumers and corporate enterprise teams must make sure these patches get installed as quickly as possible.”

James Walter, manager of the McAfee Threat Intelligence Service points out, “The volume is indicative of a trend we are seeing among various software vendors. As the awareness of vulnerabilities increases, the number of patches gets bigger as well.”

Jason Miller, data and security team leader for Shavlik Technologies, has a more detailed explanation for the dramatic rise in security bulletin volume. “There are a couple of factors that are coming into play for this. First, Microsoft is the grandfather of patching and has spent years refining their process to develop the mature patching process we see today. Second, Microsoft is working closer than ever with security researchers in their Coordinated Vulnerability Disclosure (CVD) program.”

Miller continued, “By working with researchers, Microsoft is closing the gap on the time to release fixes for vulnerabilities found. This is a key factor that a lot of people have been asking for, so we shouldn’t be too surprised that we are seeing an uptick in security bulletins.”

Joshua Talbot, security intelligence manager, Symantec Security Response provided this analysis. “Perhaps most notable this month is the number of vulnerabilities that facilitate remote code execution. By our count, 35 of the issues fall into this category. These are bugs that could allow an attacker to run any command they wish on vulnerable machines.”

Talbot also remarked, “One of the two remaining Stuxnet-related zero day vulnerabilities was also fixed today. Stuxnet uses the Win32 Keyboard Layout Vulnerability to gain administrator privileges on infected computer systems. This functionality ensures that none of the threat’s malicious actions get blocked on targeted systems due to lack of permission.”

While consumers should simply use the Windows Automatic Update to check for and apply any necessary patches, IT admins generally don’t have it so easy. Software updates have to be tested and validated to ensure they don’t have bugs themselves, or cripple functionality for other applications. With such a large number of updates to address all at once, it is critical for IT admins to review the Severity and Exploitability Index provided by Microsoft, and apply the information based on the exposure and risk to critical systems to develop a logical approach to implementing the patches.

Andrew Brandt, lead threat researcher for Webroot, notes, “several of the patches address security issues affecting users of Windows 7. This should not be seen as diminishing the reputation for Windows 7’s security, but as a welcome enhancement. On this front, the good guys appear to be ahead of the bad guys for the moment.”

As nCircle’s Tyler Reguly points out, the bigger issue is that once again the writing is on the wall illustrating why businesses need to focus on upgrades and migrating to newer operating systems and applications that have better inherent protection and security controls. “The most important message this month is ‘upgrade’. This month should be a wakeup call for anyone still running Office XP, the number of vulnerabilities affecting only that product are a clear indicator that it’s time to upgrade to a newer version, perhaps Office 2010, which has only a single CVE affecting it.”