Patching Gets More and More Complicated but is Critical for Managing Risk
Patching vulnerabilities has always been challenging, but these days, it is getting more and more complicated as manufacturers try to stay abreast of zero-day vulnerabilities and issue patches as quickly as they can.
Microsoft is well-known for its Patch Tuesday, which is a monthly roll-out of the patches for vulnerabilities it has become aware of in the past month. This past Tuesday, October 13, 2020, was Patch Tuesday for the month of October. It was not the largest release that Microsoft has had on Patch Tuesday this year, with a mere 87 patches. That is down from more than 100 patches released every month between March and September of 2020. In September, Patch Tuesday produced 129 patches.
When IT professionals receive 87 patches from one manufacturer in a month, it puts in perspective just how complicated and hard it is to keep up with all of the patches received from every software vendor and manufacturing companies are using in day to day operations. It could be a full-time job.
The failure to patch a vulnerability in a timely manner has been the cause of well-known security incidents and data breaches, which magnified the importance of timely patching. However, the number of patches continues to grow exponentially, making it difficult for IT professionals to keep up with the alerts. It is hard to imagine how they don’t become a little numb to the issuance of another patch.
When issuing the patches on Patch Tuesday, Microsoft categorizes the patches into “critical,” “important” and “moderate” in severity so that IT professionals can prioritize the patches when applying them to systems. They also provide helpful information about whether the vulnerabilities are known to be actively exploited by criminals at the time of the release. This month, 11 of the 87 patches were categorized as critical, 75 were categorized as important, and one was classified as moderate. Six of the vulnerabilities were publicly known at the time of the release, so were potentially available to criminals before the release.
According to reports by security experts, the recently released patches IT professionals may wish to concentrate on first this month are the ones that address vulnerabilities in remote code execution or RCEs, which allow attackers access to a system without user action—like clicking on a phishing email. Once in the system, the attacker can obtain privileges, start a ransomware attack or steal data.
Although patching gets more and more complicated, it is important for IT systems to continue to prioritize them and stay on top of security alerts from vendors regarding vulnerabilities. It is easy to become numb to the number and frequency of the issuance of patches, but it is critical to minimizing risk.