A recent SolarWinds Patch Management survey indicated that 17% or nearly 1 in 5 respondents have had a security incident in the past year that could have been prevented by a patch.  The survey respondents noted that the implications of the breach resulted in service downtime, impacting business revenue, and many hours spent remediating the breach.  There is no doubt that both Microsoft and 3rd party applications can cause pain if left un-patched.  Which applications are the most vulnerable?

In reviewing the August 3rd party patch activity there were more critical patches, and more patches than normal.  For example, Adobe had 7 critical updates in August.  This is out of the ordinary.  In July, Adobe released 4 updates, none being critical and in June, the company released 3 updates, with just Air as critical. 

 

So…..what is normal?

 

Summary of 3rd party updates – March to August 2012

In looking at the 3rd party updates over the last 6 months, Adobe (primarily Flash), Mozilla and Oracle Java are causing sysadmins/network admins the most work with critical updates that need immediate attention – especially those with known exploits.  Including non-critical vulnerabilities, bug fixes and application enhancements, Adobe, Google Chrome, Mozilla and Oracle Java are the winners for greatest number of updates.

 

Below is a run-down of updates by vendor – including number of updates, number of critical updates and whether there have been known exploits of the vulnerability.  This table can be used as a gauge to help prioritize which applications should be patched.

 

Vendor

Total Updates

(March to August)

Critical Updates

(March to August)

Known Exploits

(March to August)

Adobe (Acrobat, Air, Flash, Reader, Shockwave)2111Yes (Reader, Flash)
Apple (Quicktime, iTunes)21
Corel WinZip2
Google Chrome111
Mozilla (Thundebird, FireFox)159
Opera41
Oracle Java83Yes
RealPlayer3

 

I patch Microsoft apps, isn’t this good enough?

Let’s compare 3rd party application critical vulnerabilities with vulnerabilities from Microsoft applications.  In August alone there were 9 3rd party application updates to fix critical vulnerabilities.  This compares with 5 critical fixes provided by Microsoft on Patch Tuesday.  Check out other research on the topic – the CSIS Security Group A/S published last year that 85% of all virus infections occurred as a result of automated drive-by attacks created with commercial exploit kits – targeting 5 applications: QuickTime, IE, Adobe Acrobat & Reader and JRE.

 

Automate your patch management process

Ensure you have a sound and automated patch management strategy for Microsoft, Adobe, Mozilla and Oracle Java.  Automation is key because of the time it takes to research, script, test and then deploy updates.  According to a recent SolarWinds customer survey, respondents spent on average 50 hours researching, scripting, testing and deploying each patch.  You might not even finish deploying a patch, and then the next one comes out (GRRR!).  With an automated patch management tool, Patch Manager, they now spend 2.5 hours on average per patch.

 

Criteria for Picking the Right Patch Management Tool

There are several criteria when choosing a patch management tool for 3rd party updates.  Key criteria include:

 

3rd party updates: Does the vendor provide updates for the applications that are important to your environment?  Do they provide both security updates and bug fixes?  This is easy to find out.  Most vendors list the applications they support on their website.  What is more difficult to determine is how QUICKLY they get the package from the ISV to you.  SolarWinds documents this explicitly and normally can get an update out the door in a day or two from the time of ISV publication.  VMWare/Shavlik also documents the latest patches they have released, but I am not quite sure how often this page is updated as the latest JRE 7u7 update (made available 8/30) is not on this list as of the time of this blog.

 

Custom application packaging & complex deployment scenario support: Does the vendor provide the ability to patch custom applications?  Does the vendor provide the ability to perform complex deployment scenarios (needed for Java)?

Platform Coverage: Do you need coverage for Windows or across your Windows, Linux and UNIX environment?  Be prepared, you will pay a pretty penny for cross platform coverage.

 

Patch Scheduling: Can you schedule a patch to be deployed within the maintenance window?  Can you deploy more than one patch at a time?

 

Out of the box reporting: How easy is it to report on compliance? Do you need SQL skills?

 

Cost and time to deploy the solution: If it takes you 6 months and $10k+ in professional services to roll out a patch management solution, you’ve missed the point of this blog.

 

Want to read more on this topic? Check out these blogs on PatchZone.org

 

 

Where do Application Vulnerabilities Lurk?

 

Patching 3rd Party Applications: Best Practices for What, Why and When

 

Patching 3rd Party Applications is Often Overlooked: How & When to Patch 3rd party apps