Do you have a software patch installation strategy?

Google's Project Zero security team has an impressive track-record when it comes to chasing down and addressing the most critical security flaws found. They're tireless in their work, which has saved untold billions of dollars and hampered the efforts of hackers all over the world.

The team has gathered some shocking statistics, however, including this revelation: based on their research, fully one fourth of the Zero-day exploits being discovered in use in the wild could have been avoided entirely if vendors and IT admins had properly patched their products.

Over the course of 2020, the team detected a total of 24 zero-day exploits. Six of these were variations on a theme; vulnerabilities disclosed in prior years, where hackers had access to older bug reports and had plenty of time to study older issues, making a few simple tweaks and winding up with a brand new zero-day exploit.

For example, these software flaws

For instance, CVE-2020-0674, which is a Zero-Day Internet Explorer flaw is a variant that combines elements of CVE-2018-8653, CVE-2019-1367, and CVE-20191429.

In a similar vein, the devastating Google Chrome flaw tracked as CVE-2020-6572 is a variant that combines elements of CVE-2019-5870 and CVE-2019-13695. The Apple Safari zero-day issue tracked as CVE-2020-27930 is virtually identical to the one discovered back in 2015 and tracked as CVE-2015-0093.

On the one hand, this news is rather depressing as it seems that many in the IT security profession seem to be making things harder on themselves than they need to be. On the other hand, as Maddie Stone, a member of the Project Zero team observed, these kinds of insights are the exact reason the team was formed to begin with.

On the other hand, the bad reputation of patches

The problem with patching is that an enormous number of patches are ineffective or causes other issues. For example, Microsoft monthly patches of Windows operation systems has a terrible track record of breacking features or functions of Windows when installed. Which causes many SysOps to hold off installing them for a week or so, to see if the patches cause issues. And Adobe Flash patches often did not work or caused problems.

You should have a patch strategy that takes into account what happpens if there is a problem with the patch. Too often that is the case.

My perspective

By studiously identifying and shutting down the most glaring and serious flaws and gathering statistics and data on them, the hope is to make them increasingly harder for hackers around the world to take advantage of in years to come. So far, that approach seems to be working. But be careful about installing anything willy-nilly.

 

~ As Hill Street Blues' Sgt. Esterhaus always advised: "Hey, let's be careful out there!" ~

 


By Denis Wilson

Cybersecurity Expert, Small Business Technology Consultant, Managed Services Provider, Managed IT Support

Thanks for reading this short post. For more tips on thriving with small business technology, check out the other blog posts at DWPIA Blogs. You can also find me on LinkedIn, Facebook, and Twitter

I am also a published author and speaker on cloud computing, work@home, and cybersecurity. I work extensively with business and professional associations to provide small business technology education programs.

 

Contact me if you would like me to speak to your association