Are IT departments too slow to patch Windows?

Some companies wish to be hip and blame breaches on APT, while others bash Microsoft. Regardless of the excuse, why does it take some IT departments so long to patch Windows?

After reading that nearly half of U.S. PCs are infected by malware, Ed Bott at ZDNet called those statistics quoted by CNNMoney "bogus" and set out to get realistic numbers. He found the Panda Security report and realized those numbers were compiled from people who suspected their PCs were infected with some kind of threat and ran the online scanner. It skewed the statistics. Panda Security changed the stats to a more realistic, "In January, 50 percent of computers scanned by Panda ActiveScan worldwide were infected with some type of computer threat."

According to Microsoft's Security Intelligence Report which covered a year up to mid-2010, Microsoft Security Essentials "detected bots on 5.2 of every 1,000 computers scanned in the United States." Since Windows happens to be the OS on the majority of computers worldwide, all malware numbers would drop if all computers were kept "up-to-date with the latest security updates from Microsoft and other software vendors, including updates for browser add-ins. Ensure that Automatic Update is enabled and connecting to the Microsoft Update service."

In the real world of enterprise, however, many networks run far behind on even critical Windows updates. An example of that was recently captured by University of Utah Computer Science Professor Matthew Might (@mattmight).

He captioned this picture: *Not* what you want to see on the fetal monitor when your wife begins to push. Thanks, Microsoft.

Yet that picture was taken on April 9th and the newest set of Windows updates were sent out on April 12th, meaning these updates were most likely from March and the hospital IT department took its sweet time about pushing the patches.

IT departments that are lax about updating Windows to plug holes may be relying on their other security software. Yet according to Help Net Security, Veracode's most recent State of Software Security report analyzed 4,835 applications and found that 72% of "security products and services applications failed to meet acceptable levels of security quality."

  • 66 percent of software industry applications were found to be of unacceptable security quality upon initial submission, a clear sign that significant work needs to be done just to equal the 58 percent unacceptable rate for applications across all industries.
  • 72 percent of security products and services applications had unacceptable security quality: The two worst performers within the software industry upon initial submission were the categories of customer support, such as CRM and web customer support applications (82 percent unacceptable), followed by security products and services (72 percent unacceptable).

DefenseNews reported on Symantec's intentions to sell honeypot sensors and automatic analytic tools to detect malware to the U.S. government, NATO, and major corporations. Dave Marcus, Director of McAfee Labs Security Research Communications, said those tools are worthless without being able to "write some content to protect against it."

I'd agree with that. Even companies with "good IT security" can't seem to keep up with something as simple as Windows updates. Yes, I realize many networks need to test them first before pushing them through the network. But if that is problematic, then how quickly would IT be able to write content to protect itself after detecting malware?

Oak Ridge National Laboratory (ORNL), which sometimes conducts classified national security work for the federal government, had to shut down its Internet connectivity after being targeted by spear-phishing emails sent to about 573 lab employees. The emails were made to look like the lab's HR department sent them. Employees who clicked on the link for more details of supposed benefit changes triggered malware that exploited an IE zero-day vulnerability Microsoft had patched on April 12th. The "cyberattack" happened on April 15th and resulted in only about 1GB of stolen data because ORNL cut off the Internet. If the moral of that attack isn't about social engineering, it might be that it's important to be on the ball about pushing critical updates.
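The dates in the hospital photo and the ORNL incident both come down to the same arithmetic: Windows updates ship on "Patch Tuesday", the second Tuesday of each month, so a screen still demanding updates on April 9th is at least a month behind, and a host hit on April 15th by a flaw fixed on April 12th had a three-day window. The script below is an added example, not code from the original post; it computes the release a host should have and how many days it has been missing its oldest unapplied bundle, and runs that over a constructed inventory with hypothetical host names and an assumed seven-day patch SLA.

```python
from datetime import date, timedelta
from typing import Dict, List, Tuple, Union

DateLike = Union[date, str]


def as_date(value: DateLike) -> date:
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the given month (Microsoft's regular release day)."""
    first = date(year, month, 1)
    days_to_tuesday = (1 - first.weekday()) % 7   # weekday(): Mon=0, Tue=1
    return first + timedelta(days=days_to_tuesday + 7)


def latest_patch_tuesday(as_of: DateLike) -> date:
    """Most recent Patch Tuesday on or before as_of."""
    as_of = as_date(as_of)
    release = patch_tuesday(as_of.year, as_of.month)
    if release > as_of:
        year, month = (as_of.year - 1, 12) if as_of.month == 1 else (as_of.year, as_of.month - 1)
        release = patch_tuesday(year, month)
    return release


def next_patch_tuesday(after: DateLike) -> date:
    """First Patch Tuesday strictly after the given date."""
    after = as_date(after)
    release = patch_tuesday(after.year, after.month)
    if release <= after:
        year, month = (after.year + 1, 1) if after.month == 12 else (after.year, after.month + 1)
        release = patch_tuesday(year, month)
    return release


def days_behind(last_applied: DateLike, as_of: DateLike) -> int:
    """Days since the OLDEST release the host has not applied; 0 if current.

    Measuring from the oldest missing release (not the newest) is what makes a
    host two months behind look worse than one that missed only this Tuesday.
    """
    missing = next_patch_tuesday(last_applied)
    as_of = as_date(as_of)
    return (as_of - missing).days if missing <= as_of else 0


def audit(hosts: Dict[str, DateLike], as_of: DateLike, sla_days: int) -> List[Tuple[str, int, bool]]:
    """Return (host, days_behind, over_sla) for every host, worst first."""
    rows = []
    for name, applied in hosts.items():
        behind = days_behind(applied, as_of)
        rows.append((name, behind, behind > sla_days))
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed inventory (hypothetical names): the newest Patch Tuesday bundle
# each host has installed. Dates mirror the article's timeline for illustration.
FLEET = {
    "ward-monitor-01": "2011-02-08",   # still on February's updates
    "ws-hr-17": "2011-03-08",          # has March, missing the April 12 fixes
    "ws-it-02": "2011-04-12",          # current
}

if __name__ == "__main__":
    # The photo date: which release should the ward screen have shown as installed?
    print("newest release as of 2011-04-09:", latest_patch_tuesday("2011-04-09"))
    for name, behind, over in audit(FLEET, "2011-04-15", sla_days=7):
        print(f"{name:16} {behind:3d} days behind  {'OVER SLA' if over else 'ok'}")
```

Run against the constructed fleet as of April 15th, the host still on February's updates shows 38 days behind and is flagged, while the host missing only the April 12th release shows 3 days and is inside a seven-day SLA; that second row is the caveat worth noticing, since the ORNL timeline in the text shows an exploit landing inside exactly that kind of "acceptable" window.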

ORNL director Thom Mason called the attack a "sophisticated Advanced Persistent Threat (APT), designed to gain a foothold on the lab's networks and then to quietly look for and steal specific types of information."

But when Verizon released its 2011 Data Breach Investigations Report, it stated that APT "hysteria" has swept through the security community. The term started in regard to state-sponsored attacks from the People's Republic of China, but too many businesses are using it as a "perfect excuse" when recovering from a data breach. Verizon's director of investigative response, Bryan Sartin, told Robert McMillan, "It's almost as if it's become chic in the U.S. to blame it [on APT]."

Others, after not being fast to install critical Windows updates, but also not wishing to be hip and blame breaches on APT, tend to bash Microsoft. As Linux Foundation Executive Director Jim Zemlin said, kicking Microsoft is "kind of like kicking a puppy."

Please do consider how long a vulnerability is often floating around before Microsoft does get around to patching the flaw. When the update is finally made available, we should all act on it as fast as possible. With Microsoft's new vulnerability disclosure policy, which basically says, enough already, everyone publicly discloses holes in our products, so we're going to do the same for you . . . starting with Google Chrome, perhaps there will be even more vulnerabilities to keep up with patching in all products?

Image Credit: Matthew Might


Copyright © 2011 IDG Communications, Inc.
