Microsoft’s Patch Tuesday is a monthly news event. But new research from Secunia shows that focusing on patching Microsoft vulnerabilities can create a dangerous security blind spot.
For organizations, this means that having the perception Microsoft products represent the primary attack vector is dangerous.
“Patching raises many challenges, however, the first challenge is always to identify all the assets (systems and software) that may need patching,” said Thomas Kristensen, chief security officer of Secunia. “We often find that this is the biggest obstacle to efficient patching.”
Complexity is another enemy of patching, the firm contends.
“To fully patch a typical end-point, the user (or administrator of the system) has to master at least 12 different update mechanisms, as the Top-50 software portfolio comprises programs from 12 different vendors,” the vendor claimed in its report. “With one update mechanism, namely “Microsoft Update”, the operating system and the 28 Microsoft programs can be patched to remediate 22% of the vulnerabilities. In addition to this, another 11 update mechanisms are needed to patch the remaining 22 third-party programs to remediate 78% of the vulnerabilities.”
The good news is that 72 percent of vulnerabilities had patches available on the day of disclosure.
“When applying patches there may be a number of concerns, centralized systems such as database servers which often are business critical, is always more of a concern than a typical office application,” he said. “One needs to define a policy with regards to prioritizing different systems as well as a testing policy to ensure that no patches are applied to live systems before having undergone testing.”
The full report can be found here.
Related: 3rd Party Applications Responsible for 69% of Vulnerabilities on Most Endpoints