Alan Bentley, Managing Director of PatchLink EMEA, has sent us this interesting and thoughtful comment.
This Patch Tuesday, Microsoft released 9 critical patch updates for issues that could allow remote code execution - 3 browser-related vulnerabilities, 3 Windows vulnerabilities, an Office vulnerability in PowerPoint, and 2 other critical vulnerabilities, of which the Windows and browser issues are likely highest risk for most customers due to wide usage within a typical network.
Four out of the nine critical patches actually supersede previously published patches, and in total around two dozen CVE (Common Vulnerabilities and Exposures) vulnerabilities are fixed by new patch updates this Patch Tuesday.
Because security vulnerabilities are usually errors unintentionally put in code by programmers, the chance of finding a new vulnerability in an adjacent area of code or functionality is much higher than the chance of identifying a brand new and unique vulnerability. This issue can be seen clearly in the number of patches that "supersede" one another - where the same buggy code has been fixed again and again. Software bugs are a lot like roaches: if you find one, there are likely many more lurking somewhere close by.
Also, with over 120 new vulnerabilities across all platforms and applications reported just last week (a rate of 6,000 new vulnerabilities per year!), clearly the rate of vulnerability discovery is still outpacing the number of patches being released.
Between the backlog of unpatched issues, and the chances of new vulnerabilities being discovered in adjacent areas, PatchLink sees a clear trend towards exploits coming out before patches are available - and "Exploit Wednesday" is likely to become a reality sooner rather than later.
The issue of backlog across all applications and operating systems will have a greater impact on the IT organisation: unpatched issues that still need to be fixed by the respective vendors. From the IT administrator's side, the only thing they can do is ensure that their systems are up to date and, following best-practice guidelines, ready to patch once the patches are released.
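The comment above leans on two numbers an administrator has to compute for every cycle: which of the released patches supersede earlier ones (so only the newest in each chain needs deploying) and how many CVEs a host is actually covered against once supersedence is taken into account. The following script is an added example, not code from the original commentary or from PatchLink; the patch catalogue and all patch and CVE identifiers in it are constructed placeholders, and the "supersedes" relation is assumed to be published by the vendor as a list of replaced patch IDs.

```python
"""Resolve patch supersedence chains to compute covered CVEs and the
effective patch backlog for a host.

Added example; the catalogue below is constructed sample data, and the
PATCH-nnn / CVE-0000-nnnn identifiers are placeholders, not real bulletins.
"""
from collections import deque

# Constructed catalogue: one entry per released patch. 'supersedes' lists the
# older patches this one replaces; their fixes are rolled into the newer patch.
CATALOGUE = {
    "PATCH-001": {"cves": {"CVE-0000-0001", "CVE-0000-0002"}, "supersedes": []},
    "PATCH-002": {"cves": {"CVE-0000-0003"},                  "supersedes": []},
    "PATCH-003": {"cves": {"CVE-0000-0004"},                  "supersedes": ["PATCH-001"]},
    "PATCH-004": {"cves": {"CVE-0000-0005", "CVE-0000-0006"}, "supersedes": ["PATCH-003"]},
    "PATCH-005": {"cves": {"CVE-0000-0007"},                  "supersedes": ["PATCH-002"]},
    "PATCH-006": {"cves": {"CVE-0000-0008"},                  "supersedes": []},
}


def superseded_closure(patch_id, catalogue):
    """Every patch replaced, directly or transitively, by patch_id."""
    seen = set()
    queue = deque(catalogue[patch_id]["supersedes"])
    while queue:
        older = queue.popleft()
        if older in seen:
            continue
        seen.add(older)
        queue.extend(catalogue[older]["supersedes"])
    return seen


def leaf_patches(catalogue):
    """Patches not superseded by anything: the only ones worth deploying."""
    replaced = set()
    for entry in catalogue.values():
        replaced.update(entry["supersedes"])
    return {pid for pid in catalogue if pid not in replaced}


def count_superseding(catalogue):
    """How many released patches replace at least one earlier patch."""
    return sum(1 for entry in catalogue.values() if entry["supersedes"])


def total_cves(catalogue):
    """Distinct CVEs addressed across the whole release."""
    cves = set()
    for entry in catalogue.values():
        cves |= entry["cves"]
    return len(cves)


def covered_cves(installed, catalogue):
    """CVEs a host is fixed against, crediting fixes carried by superseded patches."""
    cves = set()
    for pid in installed:
        cves |= catalogue[pid]["cves"]
        for older in superseded_closure(pid, catalogue):
            cves |= catalogue[older]["cves"]
    return cves


def outstanding(installed, catalogue):
    """Leaf patches the host still lacks: its real backlog after supersedence."""
    return leaf_patches(catalogue) - set(installed)


if __name__ == "__main__":
    host = ["PATCH-004"]  # constructed: host has only the newest patch of one chain
    print("superseding patches:", count_superseding(CATALOGUE), "of", len(CATALOGUE))
    print("CVEs fixed this cycle:", total_cves(CATALOGUE))
    print("covered on host:", sorted(covered_cves(host, CATALOGUE)))
    print("still outstanding:", sorted(outstanding(host, CATALOGUE)))
```

Walking the supersedence chain rather than matching installed patch IDs one-to-one is what stops a scanner from reporting PATCH-001 as "missing" on a host that carries PATCH-004, and conversely what shows that a host stuck on PATCH-003 still owes PATCH-004 even though part of that chain is installed.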
[We certainly agree and look forward to the release of Vista, which has been engineered under Microsoft's new risk-management-based software development process. People in any way responsible for the development of software should read Gary McGraw's newest book, Software Security.
Another serious issue is that, unlike Microsoft, many large vendors (e.g. Adobe and Corel) still do not push security patches to their customers - or even inform them of security issues. The market should not only apply pressure on Microsoft! --Ed].
Related links:
www.microsoft.com/technet/security/current.aspx
www.patchlink.com/redirect.asp?IDr=157&IDd=315