FUD Watch | Patch Tuesday Panic? No Thanks

About FUD Watch: Senior Editor Bill Brenner scours the Internet in search of FUD – overhyped security threats that ultimately have little impact on a CSO’s daily routine. The goal: help security decision makers separate the hot air from genuine action items. To point us toward the industry’s most egregious FUD, send an e-mail to bbrenner@cxo.com.

The public relations folks love the second Tuesday of each month.

That’s when Microsoft releases its latest batch of security updates, and It’s a time for security vendors to drum up a little publicity by issuing grim warnings about the attack potential of this flaw or that.

This month, Redmond gave them fresh ammunition with seven security updates for 10 flaws, including “critical” vulnerabilities in Internet Explorer, DirectX and Bluetooth wireless software for Windows.

Qualys Vulnerability Lab Manager Amol Sarwate told IDG News Service reporter Robert McMillan that desktop users must install the critical Internet Explorer and DirectX updates as soon as possible, since the bad guys could exploit them in Web-based attacks where a criminal tricks the victim into visiting a malicious Web page and then takes advantage of the bug to install malicious software on the Windows machine.

When I was reporting on Patch Tuesday each month in my previous job, my e-mail inbox would start clogging by 10 a.m. with messages from PR reps eager to get me on the phone with one of their clients to discuss the latest cause for alarm. Then I’d get on the phone with the vendors and hear pretty much the same grim scenario – regardless of the flaw – that I heard the month before. Most of the time, the warnings were not followed by the big attack.

I don’t hold this against the PR machine. These people are just doing their jobs. I don’t necessarily hold it against the vendors, either. Most of the people I talk to are researchers who try to call it as they see it.

But when I talk to the IT admins dealing with this from the trenches, many of them wonder aloud what the fuss is all about.

Most of them have a patching process that stretches across several days. The first couple days are for running the patch on test systems to see if any compatibility problems would result from a full deployment. The answer is often yes, requiring the IT staff to make the right network adjustments so the patch will play properly with business-critical applications. A full week often passes between Patch Tuesday and when IT shops deploy all the patches across the network.

My IT sources usually don’t understand why vendors are yelling at them to patch immediately. For the reason described above, they can’t rush the process. Meanwhile, they are not too worried about fresh flaw exploits because they have a multi-layered array of security tools and policies to keep out any malware that may target the latest Microsoft holes while the patches are being tested and tweaked.

This begs the question: Are security vendors right to bang the alarm bell with a hammer whenever patches are released for a major application or operating system?

Yes – to a point.

While most of the security pros I deal with are diligent in the practice of defense-in-depth, many others are not as protected as they should be. Many studies, including the just-released Verizon Business report on data breaches, show that the attacks that succeed are often the simple ones that slither through gaping network holes that could have easily been closed with available patches and other security tools.

Among the findings, Verizon said nearly nine in 10 corporate data breaches could have been prevented had reasonable security measures been in place. Among other things, the report noted, companies usually find out after a breach that it could have been prevented simply by applying patches that have been available for a long time, sometimes years.

When findings like that emerge, it’s easy to see why some security researchers feel the need to cry doom and gloom.

At the same time, vendors often make too much of the prospect that attackers are cooking up massive exploits the second those patches flow down the pipeline.

Attackers have launched significant malware outbreaks on the heels of a Microsoft patch release in the past, one example being the Zotob attacks that hit many companies within a week of the August 2005 Patch Tuesday release. Even then, the scope of the assault was overblown and the damage would have been minimized if not for the fact that those affected were running Windows 2000 machines with missing patches.

In the last couple years, however, big attacks right after Patch Tuesday have been rare. Why write new malware when you can keep flinging the same old stuff through cracks that should have been sealed with a patch that came out in 2003?

The bottom line is this: If you run a tight IT ship and have a layered security program, you should ignore the monthly vendor cries (you already do anyway). But if youre not guarding your infrastructure with basic defenses such as firewalls, antivirus and patch management procedures, you should start paying more attention.