Microsoft’s Patch Tuesday is a monthly news event. But new research from Secunia shows that focusing on patching Microsoft vulnerabilities can create a dangerous security blind spot.
According to a new report from Secunia, third-party programs – as opposed to software from Microsoft – are almost exclusively responsible for the growth in vulnerabilities. In its Yearly Report for 2011, Secunia found that 78 percent of the vulnerabilities uncovered last year were in third-party programs. Just 12 percent of the vulnerabilities were found in Windows, and the remaining 10 percent were in Microsoft programs.
For organizations, this means that having the perception Microsoft products represent the primary attack vector is dangerous.
“Patching raises many challenges, however, the first challenge is always to identify all the assets (systems and software) that may need patching,” said Thomas Kristensen, chief security officer of Secunia. “We often find that this is the biggest obstacle to efficient patching.”
Complexity is another enemy of patching, the firm contends.
“To fully patch a typical end-point, the user (or administrator of the system) has to master at least 12 different update mechanisms, as the Top-50 software portfolio comprises programs from 12 different vendors,” the vendor claimed in its report. “With one update mechanism, namely “Microsoft Update”, the operating system and the 28 Microsoft programs can be patched to remediate 22% of the vulnerabilities. In addition to this, another 11 update mechanisms are needed to patch the remaining 22 third-party programs to remediate 78% of the vulnerabilities.”
The good news is that 72 percent of vulnerabilities had patches available on the day of disclosure.
“When applying patches there may be a number of concerns, centralized systems such as database servers which often are business critical, is always more of a concern than a typical office application,” he said. “One needs to define a policy with regards to prioritizing different systems as well as a testing policy to ensure that no patches are applied to live systems before having undergone testing.”
The full report can be found here.
Related: 3rd Party Applications Responsible for 69% of Vulnerabilities on Most Endpoints
