The Fundamental Flaw In Microsoft’s Patching Schedule
Once each month, Microsoft releases a batch of patches to close security vulnerabilities and fix bug and compatibility issues in their products. Last month, just days after the monthly patch release, an exploit was discovered and publicized for Internet Explorer 10. That exploit stayed vulnerable until this week when March’s patch release included a fix. This situation, as Antone Gonsalves of Network World points out, reveals the flaws in the current patching schedule for Microsoft and many other software manufacturers.
Not only was a known exploit unpatched for weeks, but that exploit was also made public. That means those with the means and motivation to attack unprotected users knew exactly how and where to strike.
After a few days, Microsoft did release a temporary solution in their “Fix It” tool. Unfortunately, very few users know how to access that tool, which leads to low numbers of installations. So, while a temporary fix was available, it was neither widely publicized or used.
The other option for overcoming this particular vulnerability was to upgrade from IE 10 to IE 11. For most individual users, this was a viable solution. However, for enterprise level users, changing web browsers company-wide often takes more time and planning.
Meanwhile, attackers struck multiple websites in multiple countries on multiple continents.
Despite this specific shortcoming in the patch schedule, Microsoft is actually ahead of many other software companies in this regard. For example, while Microsoft routinely releases new patches and updates once per month, Oracle releases updates quarterly and Cisco releases updates only twice per year.
The best solution suggested so far is to remove Internet Explorer from this monthly patching schedule. While it’s more than enough to update most applications once per month, IE faces a high number of attempted attacks and exploits each day. It’s much more likely that a critical vulnerability will be found and immediately exploited in IE than other applications. Even with a faster patch release, however, some IT departments might struggle to stay up to date and fully patched.
For those companies affected by unpatched vulnerabilities, there are some ways to better protect yourselves while you wait for the application manufacturer. Segmenting network assets, limiting user permissions and using application whitelisting are all ways to significantly improve security and lower the chances of a devastating and costly attack.
For help implementing an improved security infrastructure, call Geek Rescue at 918-369-4335.
March 14th, 2014