Patching the unpatchable – After Microsoft Update comes the real work

I think it is safe to say that the majority of organisations have mastered Microsoft Update. More and more we see regularly updated Windows installations, which greatly reduces the number of exploitable vulnerabilities within the core operating systems of your organisation. This is good news. Not that long ago, a large percentage of organisations were still exploitable through the penetration tester’s old favourites such as MS08-067, years after a patch had been released to fix the issue.

But what about third-party applications? Remember: Adobe Reader, Flash and Java remain some of the most exploited code on the planet. What about your appliances? And what about your network infrastructure? Here, we don’t see a take-up rate anywhere near as high. Many organisations’ security patch efforts involve only Microsoft Update. As a direct result, attackers’ attention has moved away from exploiting operating systems; you’re now much more likely to open an email or website that exploits one of the many common applications that the old faithful simply does not update. Ask yourself these simple questions:

1. Do you have an inventory of third-party applications used in your organisation?
2. Do you regularly apply patches to both the desktop and server estate for common third-party applications?
3. Do you regularly review and update your network infrastructure as new patches are released?
4. Do your third-party managed systems have an auditable update procedure?

If you answered yes to all four, then sadly you’re in a minority.

The last question raises an interesting point. Often, systems that are managed by third-party suppliers are the least secure in the estate, because the contractual metrics are concerned with nothing but availability of service. Vulnerabilities soon accumulate, and the client is left helpless, realising too late that (as ISO27001 teaches us) security requirements must be written into third-party contracts:

When will the managed system be updated?
How will the supplier prevent the use of vulnerable, outdated software?
How will the supplier harden the system before deployment?
What controls will the supplier implement to ensure their staff and operational security?

And this is where many organisations are today: regularly patching operating systems, while leaving third-party applications and outsourced systems to grow increasingly insecure. As we approach the “Internet of Things”, we will have to learn quickly that our patching and update efforts will need to reach far wider in order to be truly effective.