I’ve seen a lot of Patch Tuesdays. If you look back at history, the concept of updating (“patching”) the Windows operating system began with the release of Windows 98. The term “Patch Tuesday” didn’t actually start until 2004, when the ritual became more scheduled in an attempt to reduce patch cycles. Each month Microsoft would release a small number of “patches” to address vulnerabilities, but this week was different. Microsoft released 13 security bulletins that cover a total of 34 vulnerabilities, the most that Microsoft has ever addressed on a single Patch Tuesday.
According to PC World: “Microsoft says it will deliver its largest-ever number of security updates on Tuesday to fix flaws in every version of Windows, as well as Internet Explorer (IE), Office, SQL Server, important developer tools and the enterprise-grade Forefront Security client software.”
Of the 13 bulletins, eight are rated “critical” by Microsoft, the company’s highest risk rating. Five are deemed “important,” one notch lower on Microsoft’s severity scale. Nine of the vulnerabilities had been previously disclosed, allowing cyberattackers a way to break into Windows systems before the fix was available.
This kind of craziness leads companies around the world to engage in what I call “patch panic” – security administrators and IT management scrambling to try to understand each patch, what systems might be vulnerable, what threats could exploit those vulnerabilities, potential implications to their business (and how many nights and weekends they are going to have to work). Some companies will spend weeks trying to collect this information to make decisions on which systems to patch and many will patch systems that don’t require it. Hours, days and weeks of productivity will be lost. What a waste of time.
The good news is, it doesn’t have to be this way. McAfee recently announced one of the most creative products I’ve ever been associated with – McAfee Risk Advisor – the first and only risk analytics solution to eliminate the manual, time-consuming and error-prone approach associated with patching efforts. We do this by correlating threat, vulnerability and countermeasure information to pinpoint which assets are truly at risk for a specific threat. It works in conjunction with McAfee Labs Global Threat Intelligence and Vulnerability Manager (formerly Foundstone), as well as countermeasures such as McAfee’s Network Security Platform (formerly IntruShield), Host Intrusion Prevention and VirusScan Enterprise to provide a complete picture of risk posture.
McAfee customers with our Host Intrusion Prevention and antivirus products had protection in place before these vulnerabilities were announced, due to our partnership with Microsoft. Buffer overflow protection capabilities within these products mean that customers receive out-of-the-box protection and are not dependent on signature updates, unlike other vendors’ offerings. Customers using our Application Control (formerly Solidcore) have absolutely no need to patch those systems, because they are completely blocked from these vulnerabilities. This week’s news also highlighted the most popular threat trend around malicious sites and web attacks, like last week’s Adobe PDF vulnerability. McAfee’s Web Gateway protected our customers from these vulnerabilities even before the announcements.
The bottom line is that life in IT security doesn’t have to be a huge process any more – we can eliminate “patch panic” and the countless lost hours, money and downtime that most people now take for granted. We can also reduce the number of patches that need to be applied and let you apply them when it is least disruptive – drastically reducing patching costs and risks, while improving overall system availability and security.
We help customers patch on their schedule, not someone else’s.