Patch first, ask questions later

Secunia just released its 2013 Q3 vulnerability report for the United States. I’m a big fan of Secunia and the data it’s collected in the fight against badness. As I said last week, it’s a lot better to use solid data rather than vendor suggestions to drive your security strategy.

Along with a few other sources (including Kaspersky Lab and Microsoft’s Security Intelligence Reports), Secunia has helped me realize that unpatched software is to blame for the majority of successful exploits. According to Kaspersky, Oracle Java and Adobe Acrobat accounted for more than three-fourths of all successful exploits last year. Got that? Then you should have your marching orders: Patch two programs and you’ll remove the bulk of the risk in your organization.

[ InfoWorld’s expert contributors show you how to secure your Web browsers in a free PDF guide. Download it today! | Learn how to protect your systems with InfoWorld’s Security Central newsletter. ]

Most reports back Kaspersky’s conclusion and note that socially engineered Trojans account for almost all the remaining risk. That means the remaining 1 percent of successful exploitations is caused by another agent.

That’s huge. It means that all your efforts to implement smart cards, stronger passwords, code review processes, secure networking channels — everything else — reduces security risk by a mere 1 percent. You’re far better off concentrating on improved patching and preventing end-users from installing programs they shouldn’t.

Finding the real threats in the numbers

It’s with this realization in mind that I couldn’t wait to review Secunia’s latest vulnerability analysis. Here are some of the key points:

• Nearly 15 percent of PCs users have an unpatched OS.
• The average PC has 10 percent unpatched programs.
• The typical PC has 25 mechanisms to update the software on it.

Perhaps the most interesting statistics was the list of the top 10 unpatched programs. It was led by Microsoft XML Core Services and Apple QuickTime. In fact, Oracle Java came in fifth. Per Secunia:

In the US, 79% of PC users who use Secunia PSI had Microsoft XML Core Services installed in Q3 2013. 50% of these users had not patched the program, even though a patch is available. This means that an estimated 39.5% of US PCs are made vulnerable by MSXML 4.

What’s up, you ask? Didn’t you say Java was the No. 1 problem?

It was and still is. There’s a big difference between the most common unpatched programs and the most common successfully exploited programs. Such is the case here. Understanding the difference is important.

Yes, you need to be worried about the number of attacks and the number of vulnerable programs — but you also need to be aware of how computers are successfully exploited. For example, any active firewall records millions of unauthorized probes. But if the firewall is doing its job, why worry about it? You can’t spend all your time researching and tracking an unauthorized probe. Just be glad your firewall is working.

Treat every threat that way. Focus on the most successful exploits, not the most common threats. That’s what counts. Everything else is noise.

Why so many XML Core Services are unpatched

Nonetheless, should you be worried about all the unpatched Microsoft XML Core Services?

For now, not so much — few successful exploits target XML Core Services, which exist to enable developers to call on services rather than write everything from scratch. It’s good to be aware of the vulnerability, and you should keep your eye on it, in case XML Core Services make it into the top 10 list of exploited vectors. Meanwhile, the risk remains more theoretical than real.

But, you may ask, why are so many instances of Microsoft XML Core Services unpatched in the first place? Why doesn’t Microsoft patch it like it does all its other programs?

Good question, especially in light of the fact it only takes one mechanism to update most Microsoft programs — which is one reason why other Microsoft software ranks among the most patched software on PCs. Secunia offers one answer on a related blog post, which explains that many unpatched XML Core Services components have reached “end of life”: no vendor updates or patches software past its end-of-life date, at least not without an expensive support contract.

But a larger reason stems from the way Microsoft XML Core Services are distributed. They’re most often installed by third-party vendors as part of their software. Microsoft didn’t put it on your system, so Microsoft can’t simply replace it without the risk of breaking something. Meanwhile, the software developer either wants you to upgrade to a new version where the vulnerability has been fixed or simply hasn’t considered the risk that an unpatched version of XML Core Services might pose.

As with any software program, you can always check the vendor’s website for the most recent patch. Go to Microsoft’s Download Center and search for XML Core Services. Be careful to back up your system (or at least the impacted application and system directories) before applying any updates, since you never know when an update may fail.

More obviously, if you don’t need the program that’s relying on the unpatched components, uninstall it. This advice applies to any unpatched program.

But remember the most important lesson: It’s far more important to patch 100 percent of the most exploited programs in your environment than it is to try and patch every program in your environment. You won’t be surprised to learn organizations that commit to patching all software all the time almost always fail — and frequently leave holes in the wrong places.

First things first: When you finish patching the 10 most successfully exploited programs, then worry about the stuff that makes up the other 1 percent — if you have the time to get to it.

This story, “Patch first, ask questions later,” was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes’ Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.