Who Polices the Security Service?

Questions need to be asked of Patch Tuesday and Microsoft’s approach to it, says Robert Brown.

SC Magazine  |  Dec 17, 2014

The next Patch Tuesday, Microsoft’s usual day to issue security updates for its software, is looming again. It will be the 13th of January 2015, then in February and so on. It’s so frequent it’s easy to treat it as a’ business as usual’ exercise, so humdrum that it requires no second-thought or intelligence.

However, it really does need that a second-thought. Patching is obviously essential, companies do need to protect themselves from known software vulnerabilities, but there are problems with Microsoft’s approach to patching and simply installing every patch with the quick click of a button could be costly; worse, you might just see the Blue Screen of Death (BSOD) across your device fleet.

Microsoft’s approach to patching is very much a ‘fire and forget’ exercise where it issues patch updates each month and expects businesses to roll out the patches as soon as possible.  However, this is where your second thought is needed, as many IT managers will attest, they cannot and, should not, deploy them right away.  IT must take a phased approach and test the patch updates before rolling them out, helping to mitigate any problems.

Just take a look at MS14-066 – a lot of users reported problems when implementing the update, forcing Microsoft to reissue the patch. Imagine if every business had implemented that immediately! If there is a compatibility issue with a patch and systems need to be rolled back, this extends downtime and can impact the business’s bottom line.

Compatibility aside, my real issue with Patch Tuesday is Microsoft’s rating system. It is relatively simple to follow:

  • ‘Critical’ – A vulnerability that could allow remote code execution without user interaction or where code executes without warnings or prompts.
  • ‘Important’ – These vulnerabilities are where the client is compromised with warnings or prompts and whose exploitation could result in compromise of data.’
  • Moderate’ – The impact is mitigated by numerous factors such as authentication or non-default applications being affected.
  • ‘Low’ – The impact is comprehensively mitigated by the characteristics of the component.

Keep in mind that Microsoft self-certifies vulnerabilities for its products and November’s Patch Tuesday contained 14 separate patches fixing almost 40 vulnerabilities as well as an out-of-band patch a week later; five of the updates, including the out of band patch, were rated by Microsoft as Critical, eight Important and two Moderate.

Where to start? With the obvious, surely? Patch the Critical updates first and take the rest in turn. Better still, do them all at once! This couldn’t be more wrong. My advice would be to take Microsoft’s vulnerability ratings with a respectful pinch of salt and start looking at independently assessed scores, such as the Common Vulnerability Scoring System (CVSS) to get a more informed view. Each month US-CERT uses CVSS to rate all of Microsoft’s patch updates the same day they’re released, giving a much better understanding of the risk a particular vulnerability poses to the business.

If we look again at November’s Patch Tuesday, US-CERT gave the out of band patch, rated as Critical by Microsoft, a score of 10.0 – that’s as serious as it can get and gives a good starting point for patching activities. It’s now top priority.

Three other Critical patches were scored 9.3 by US-CERT, which suggests Microsoft has got this right and they should be the next area of focus. Time to get to work.

But, the last remaining Critical patch only scored 6.8 by US-CERT. This is a really important discovery, because actually six other patches, some deemed only Moderate or Important by Microsoft, were rated higher than 6.8 by US-CERT. In other words, some of those Moderate and Important patches should be tackled before the last remaining Critical patch.

This isn’t a one-off slip from Microsoft either. In October’s Patch Tuesday, three Critical and two Important updates were all rated 9.3 equally by US-CERT. Those two Important updates might have been delayed by IT managers if relying on Microsoft’s rating only.

Microsoft is providing a great security service that everyone is thankful for, but it does need policing by a second source. The critical is not always critical and sometimes the Moderate needs urgent attention too.