Patching challenges and techniques


Wolfgang Kandek is the CTO and Vice President of Engineering at Qualys. In this interview he discusses Microsoft security bulletins, patching difficulties in general, patching tools and techniques as well as Adobe Reader and Flash.

You’ve been following Microsoft’s security bulletins very closely. What’s your take on Microsoft’s security practices in the past year?
Microsoft is improving product security with each new release. Windows 7 is more advanced than Windows XP in its fundamental security architecture and similarly the new Office 2010 has a number of new security features, such as Protected View and File Block.

Microsoft’s bigger problem lies in the unsupported legacy systems and the reluctance of customers to update to new and more secure versions. We still see plenty of Windows 2000 used in the server space and Windows XP SP2 continues to have a considerable presence on the desktop at enterprises.

What patching difficulties do you see your customers most worried about?
Attackers have been focusing on application attack vectors for the last couple of years and many enterprises are playing catch-up to that trend. Applications that are widely installed on desktops such as Adobe Reader, Apple QuickTime and Microsoft Office are often not updated with the same diligence as the base operating system.

This leaves the desktop open to indirect attacks that are triggered through user actions, such as opening an e-mail containing a malicious document or browsing a website that serves a specifically crafted media file with an exploit. Web browsing has become an acceptable or even necessary activity at many enterprises, and attackers have been able to use that increasing browsing activity to gain access to enterprise networks.

What patching techniques and tools would you recommend for large enterprises that need to take care of thousands of machines?
First, large enterprises need to get a handle on their inventory of computers. We frequently see companies underestimating the number of machines on their networks. This is often caused by the addition of new machines through mergers and acquisitions, plus through the growing independence of users and local IT departments and their ability to introduce new machines into the enterprise network.

Next, a professional patch management system will assist enterprise IT administrators in rolling out OS and third-party application patches in a coordinated and prioritized fashion. Lastly, an independent patch audit tool should be used to audit the success of the patch roll-out and to identify problem areas and failure patterns.
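As an added example of the independent patch audit described in this answer (not Kandek's or Qualys's code), the following Python sketch checks a constructed desktop inventory against an assumed per-application minimum version and reports coverage per application and site, so that failure patterns such as one site lagging on Adobe Reader stand out. The inventory format, hostnames and version strings are all constructed for illustration.

```python
"""Added example: a minimal independent patch-audit pass over a constructed
inventory. Not vendor code; inventory format and baseline are assumptions."""
from collections import defaultdict

# Constructed inventory: (hostname, site, application, installed version).
INVENTORY = [
    ("ws-001", "hq",     "Adobe Reader", "9.3.4"),
    ("ws-002", "hq",     "Adobe Reader", "9.3.2"),
    ("ws-003", "branch", "Adobe Reader", "8.2.1"),
    ("ws-004", "branch", "Adobe Reader", "9.3.4"),
    ("ws-001", "hq",     "Adobe Flash",  "10.1.82.76"),
    ("ws-003", "branch", "Adobe Flash",  "10.0.45.2"),
    ("ws-004", "branch", "Adobe Flash",  "10.1.82.76"),
    ("ws-002", "hq",     "Windows XP",   "SP3"),
    ("ws-003", "branch", "Windows XP",   "SP2"),
]

# Assumed baseline: the minimum version the audit accepts for each application.
BASELINE = {"Adobe Reader": "9.3.4", "Adobe Flash": "10.1.82.76"}

def version_key(version):
    """Compare dotted versions numerically; as strings, '9.3.4' > '10.1' (wrong)."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def audit(inventory, baseline):
    """Return (non_compliant hosts, coverage ratio keyed by (app, site))."""
    non_compliant = []
    totals = defaultdict(lambda: [0, 0])  # (app, site) -> [compliant, total]
    for host, site, app, installed in inventory:
        if app not in baseline:
            continue  # Only audit the applications the baseline covers.
        compliant = version_key(installed) >= version_key(baseline[app])
        totals[(app, site)][1] += 1
        if compliant:
            totals[(app, site)][0] += 1
        else:
            non_compliant.append((host, site, app, installed))
    coverage = {k: good / total for k, (good, total) in totals.items()}
    return non_compliant, coverage

if __name__ == "__main__":
    missing, coverage = audit(INVENTORY, BASELINE)
    for host, site, app, ver in missing:
        print(f"{host} ({site}): {app} {ver} is below baseline")
    for (app, site), ratio in sorted(coverage.items()):
        print(f"{app} @ {site}: {ratio:.0%} patched")
```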

Adobe products have been in the spotlight quite a lot in the past year. What are the challenges involved in patching Adobe Reader and Flash?
Adobe Reader and Adobe Flash have seen an elevated number of 0-day vulnerabilities and feature prominently in most of the exploit toolkits available on the black market. Enterprise IT administrators who have a professional patch management system should have all the tools necessary to deal with the patches in an expedited manner.

IT admins who rely on Windows/Microsoft updates alone are at a disadvantage, as they have to depend on scripted updates, end-user cooperation or the independent update engines included in the newer Adobe products. The success rate with these technologies will be spotty and require costly, manual follow-up to gain acceptable patch coverage.

My favorite security initiative for this year is for enterprise IT administrators to petition Adobe to work with Microsoft to distribute Reader and Flash patches through the Windows/Microsoft update mechanism. This would immediately improve patch application rates and prevent attacks against older versions. There are few technical hurdles for Microsoft to allow third-party updates, but the organizational and cultural obstacles are high and will require considerable negotiation between the two organizations.