Patch Management Holds The Line Against Application Assaults

Third-party companies are stepping in to offer patches for software from major vendors like Microsoft and Oracle. That's making life more complicated for beleaguered security managers.
Installing the most recent patches on PCs and servers is widely seen as the last line of defense against the swarm of security threats attacking businesses from all angles. Patching seems like a pretty straightforward way to stay on top of the software vulnerabilities endangering important company and customer data. Except that, given the diversity of software used in any IT environment and the armies of hackers out there looking to break that software, patching is anything but straightforward.

In fact, just as security pros were getting into the rhythm and flow of managing regularly scheduled patch downloads from companies including Microsoft and Oracle, third-party patches are emerging to complicate matters. The most recent came this week when eEye Digital Security issued a mitigation patch for the Microsoft Internet Explorer CreateTextRange remote code execution vulnerability. Although not officially sanctioned by Microsoft, which will hold its next monthly Patch Tuesday download on April 11, eEye's patch has been downloaded more than 100,000 times so far.

eEye's patch follows a move in January by Russian programmer Ilfak Guilfanov, senior developer with Belgian software maker DataRescue, to issue his own piece of workaround code to help companies defend themselves from programs looking to exploit Microsoft's Windows Metafile vulnerability. This helped pressure Microsoft to issue its own patch five days ahead of its regularly scheduled Patch Tuesday in January.

Popular support for Guilfanov's Microsoft patch was unprecedented. "This was the first time we delivered a non-vendor patch," says Chris Andrew, PatchLink Corp.'s VP for security technologies.

PatchLink, which provides Internet-based security patch management software, will on April 3 release the results of a survey it conducted to better understand the market's patch management mindset. Of the 250 CIOs, chief security officers, IT managers, and network administrators surveyed, 70% said they waited until PatchLink distributed the tested and approved Microsoft WMF patch rather than take a chance on Guilfanov's patch. A slight majority--55%--indicated they would prefer not to use third-party patches at all.

Booz Allen Hamilton, which has been using PatchLink software since 2003, opted not to use the third-party WMF patch but rather to wait for Microsoft to issue its official patch. The consulting firm felt it simply wasn't necessary to disrupt its normal patch routine. "We have a pretty sophisticated user base that has technical savvy," says Brian Oswald, a Booz Allen Hamilton senior application analyst. "They know not to visit certain Web sites or to open certain e-mails."

A little more than half of PatchLink customers surveyed would like software vendors to release patches immediately when exploits surface in the wild, while also preferring that these vendors maintain their regularly scheduled patch release dates for unexploited vulnerabilities. More than 72% of respondents feel that regular patch release schedules, such as Patch Tuesday, improve the security patch and vulnerability management process. That's a good thing, since more than 40% of those respondents said they must have all of their systems patched within 72 hours after a critical patch is released.

Oracle has likewise had to begrudgingly contend with third-party patches. In January, David Litchfield, managing director of Next Generation Security Software Ltd., posted to Symantec's Bugtraq mailing list a workaround to protect Oracle users from a vulnerability in Oracle's Procedural Language extension to SQL that could let an attacker grab control of an Oracle database server via a compromised Web server. Oracle countered that the workaround kept certain E-business apps from working properly. Litchfield later removed his workaround when a more effective piece of workaround code surfaced on Bugtraq.

Patch management is a huge burden, particularly for companies in the health-care field that are strictly regulated by government organizations such as the Food and Drug Administration, says John Delano, information security officer for Integris Health in Oklahoma City. Integris, which is not a PatchLink customer, "can't just push a patch out to all of our systems," because the Food and Drug Administration must approve any changes to the health-care company's IT environment, he says. This makes for quite a challenge, given the increase in zero-day attacks.

The key metric in fixing a vulnerability isn't just the amount of time it takes a vendor to create a patch but rather the amount of time it takes a user to deploy that patch, says Connie Sadler, director of IT security at Brown University, who also isn't a PatchLink customer. "Most of the compromised machines on our campus are those that have been exposed to malware that's been known about for months," she adds.
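The two measurements the article keeps coming back to, time from vendor release to deployment on each host and the share of hosts patched inside a 72-hour window, are easy to compute from an inventory once install timestamps are recorded. The script below is an added example written for this page, not code from PatchLink or any vendor named here; the patch identifiers, host names, release and install timestamps are all constructed, and the 90-day threshold used to flag "known for months" exposure is an assumption.

```python
"""Patch-deployment lag report (added example; constructed data only)."""
from datetime import datetime, timedelta, timezone

SLA_HOURS = 72                    # window the survey respondents cited
MONTHS_OLD = timedelta(days=90)   # assumed threshold for "known for months"
UTC = timezone.utc

# Constructed sample inventory: hypothetical patch ids with their vendor
# release times, and the time each host finished installing them
# (None means the host has still not installed that patch).
PATCHES = {
    "KB-EXAMPLE-1": datetime(2006, 3, 14, 18, 0, tzinfo=UTC),
    "KB-EXAMPLE-2": datetime(2005, 12, 1, 18, 0, tzinfo=UTC),
}
INSTALLS = {
    "host-a": {"KB-EXAMPLE-1": datetime(2006, 3, 15, 9, 0, tzinfo=UTC),
               "KB-EXAMPLE-2": datetime(2005, 12, 2, 8, 0, tzinfo=UTC)},
    "host-b": {"KB-EXAMPLE-1": datetime(2006, 3, 20, 12, 0, tzinfo=UTC),
               "KB-EXAMPLE-2": datetime(2005, 12, 3, 8, 0, tzinfo=UTC)},
    "host-c": {"KB-EXAMPLE-1": None, "KB-EXAMPLE-2": None},
}
NOW = datetime(2006, 3, 30, 12, 0, tzinfo=UTC)  # constructed report time


def lag_hours(released, installed, now):
    """Hours from vendor release to install; still growing if unpatched."""
    end = installed if installed is not None else now
    return (end - released).total_seconds() / 3600


def report(patches, installs, now):
    """One row per (host, patch) with lag, SLA status and stale exposure."""
    rows = []
    for host, host_patches in installs.items():
        for pid, released in patches.items():
            installed = host_patches.get(pid)
            lag = lag_hours(released, installed, now)
            rows.append({
                "host": host,
                "patch": pid,
                "lag_hours": round(lag, 1),
                "installed": installed is not None,
                # SLA is met only by an actual install inside the window.
                "sla_met": installed is not None and lag <= SLA_HOURS,
                # The exposure Sadler describes: unpatched against an old fix.
                "stale_exposure": installed is None
                                  and (now - released) >= MONTHS_OLD,
            })
    return rows


def sla_compliance(rows):
    """Fraction of (host, patch) pairs patched inside the SLA window."""
    return sum(r["sla_met"] for r in rows) / len(rows)


def stale_hosts(rows):
    """Hosts still carrying a vulnerability whose fix is months old."""
    return sorted({r["host"] for r in rows if r["stale_exposure"]})


def demo_report():
    return report(PATCHES, INSTALLS, NOW)


if __name__ == "__main__":
    rows = demo_report()
    for r in rows:
        print(r)
    print(f"SLA compliance: {sla_compliance(rows):.0%}")
    print("hosts with months-old unpatched exposure:", stale_hosts(rows))
```

On the constructed data, one host installs promptly, one misses the 72-hour window on the newer patch, and one has never installed either, so only the third host shows up as carrying months-old exposure; the lag for an uninstalled patch keeps growing with the report time rather than being treated as missing, which keeps the worst cases visible.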

Yet a serious downside to automated patching is that these systems rely on a standardized IT environment with a common configuration, Sadler says, adding, "If you're in an environment where the user can modify things at will, the risk of causing damage in an automated patching environment goes up."

Regardless of the challenges, patch management will continue to be a priority for the foreseeable future. The best options are those products and services that can quickly test and make available third-party patches. While Microsoft, Apple, or some other big software maker is never more than a few weeks away from its next big bug, the patch makers will be ready with some way to hold the line until reinforcements arrive.