One Patch Tuesday to Rule Them All

On the second Tuesday of each month, many IT leaders rejoice—or maybe cringe, depending on their view—as software patches are released for Microsoft products. They call this day Patch Tuesday, and although it started with Microsoft, it hasn’t ended there. Vendors across the industry, from Oracle to Adobe, SAP to Siemens, have jumped on the bandwagon to provide their software updates in accordance with this monthly event. Rather than randomly dole out patches throughout the month or denote specific days for specific vendors, many have followed Microsoft’s lead and let Patch Tuesday be the day for more and more updates.

One day to patch all the vulnerabilities. 

This past Patch Tuesday, January 14, was one such day where many top vendors disclosed possible exploits, including Oracle, Adobe and several others. An average month’s Microsoft Patch Tuesday publishes about 40 new Secunia advisories and rejection notices, but this month’s Patch Day was closer to 90, largely thanks to Oracle. Still, this number could’ve been much higher as our Secunia researchers described the amount pushed by Microsoft as relatively low. With overlaps occurring again April 14 and July 14, perhaps we’ll again feel the worst-case scenario where top vendor releases happen the same day. 

This coordination is both a blessing and a curse. On one hand, you can get patches for most of your major vendors on a single day and line them up for update. On the other hand, not all patches are plug-and-play and in many cases can take up serious resources IT organizations don’t have available. This makes it nearly impossible to prioritize. Add to that patching of a critical vulnerability, which could potentially impact other applications, and the workload becomes even more complex. 

Regardless, vulnerabilities need remediation and exploits need patching. Which vulnerabilities need to be patched in what order and which have the greatest effect on an organization requires more intelligence for successful prioritization 

This was especially true with this past Patch Tuesday where Microsoft released an advisory that addressed a Windows cryptoAPI spoofing vulnerability that gained significant media traction. With this type of vulnerability exploited, an attacker can, for example, use a spoofed code-signing certificate to sign a malicious executable, making it appear the file came from a trusted, legitimate source. The digital signature would appear as trusted and the typical user would have no easy way of knowing the file was malicious just looking at it. Such a vulnerability rates lower in criticality than a typical, direct-code execution vulnerability. Secunia Research accounts for that by rating the vulnerability “Moderately Critical” in a similar way to Microsoft, who rates its severity “Important.” As we’ve learned many times in the past however, high degree of media attention does not necessarily equal a high degree of criticality. In these cases, insights from the Secunia Research team through Secunia advisories and rejection notices offer the information needed to better prioritize and focus on important patches. 

If your organization isn’t equipped for this type of load, or able to prioritize effectively, a day like this past Patch Tuesday can not only overwhelm the team or teams in charge of security updates for various vendors, it can put you at serious risk for an exploit with devastating consequences to your business. As a result, Flexera’s research has seen increasing pressure to find better approaches to mitigation. 

It’s time to start prioritizing intelligently. Understand the vulnerability landscape and devise strategies to secure your environments with Flexera’s Annual Vulnerability Review Report