October 15, 2009, 2:07 PM — Tuesday's massive patch release from Microsoft and Adobe hit many IT security practitioners like a punch in the gut.
Microsoft unloaded a record 13 security updates to seal 34 security holes in every version of Windows, including the not-yet-for-sale Windows 7, as well as in Internet Explorer (IE), SQL Server and Office. [See the full breakdown in Microsoft Delivers Massive Patch Tuesday, Fixes 34 Flaws]
Adobe, meanwhile, delivered a security update to fix 29 vulnerabilities in its widely-used .pdf viewing and editing programs. [The full breakdown on that patch load is in Adobe Mimics Microsoft, Issues Mega Patch Update]
The sheer volume left some researchers to declare the day " an administrative nightmare."
In past interviews, IT security practitioners have told CSOonline that too much is often made of Patch Tuesday, that the horror scenarios painted by some security vendors cut against their own, fairly orderly deployment procedures. But this month, some admit they are a bit more concerned than usual.
"Heavy patch months cause 'regulated' patches," said Fresno, Calif.-based network security contractor Susan Bradley. "This in turn causes Windows XP to not properly notify folks that use the 'notify me' function." This month, she said, more people will probably get caught with that download patch bug.
Rick Lawhorn, a Richmond, Va.-based IT security practitioner, isn't worried as much about the particular vulnerabilities patched as he is about the size of the update. "Microsoft architecture, in my opinion, does not lend itself to large updates well," he said. "Updates should be small and manageable so Microsoft can work out the dependencies first. The trade-off is a higher frequency of patches, but the reward is smaller more controllable changes."
The information security director of a large restaurant chain, who requested anonymity because of the sensitive nature of the subject, said, "In our environment this is a challenging week due to the large number of remote systems that we must update. Patching is becoming a non-stop process for most organizations I believe, including ours. Patch Tuesday is just part of the releases for the month and with more and more applications and out-of-cycle releases we are driving hard towards better compensating controls like whitelisting and always seeking to reduce our threat footprint."
To help IT shops meet the challenge, we've compiled this package of content on vulnerability management best practices, along with columns analyzing whether security vendors need a different approach to the patch rollout process:
Building a Successful Anti-malware StrategyCSO blogger Steven Fox and Andrew D. Hayter, anti-malcode program manager for ICSA Labs, discuss the keys to an ironclad security program. Patch management is one of the major themes here.
Does Patch Management Need Patching?A look at why the bad guys have an easy target in those who don't deploy long-available patches.
June's Patching InfernoCore Security Co-founder/CSO blogger Ivan Arce's post on the hell that was Microsoft's June 2009 security update should serve as a reminder that this month's update isn't terribly different from the challenges you've successfully handled before.
How SCAP Brought Sanity to Vulnerability ManagementOrbitz CISO Ed Bellis explains how the proliferation of vulnerability assessment products and services has created chaos, and how SCAP may be the answer.
How to Handle Security Patches With SanityGuest columnist and network administrator Ed Ziots offers his recipe for a sane and solid patch management program.
Podcast: Enterprises Getting Patch Management WrongCSO Senior Editor Bill Brenner and Threatpost's Ryan Naraine talk patch management.
7 Ways Security Pros DON'T Practice What They PreachIT security pros spend oodles of time trying to hammer best practices into the heads of fellow employees. But in an informal poll conducted by CSOonline, many admitted they don't always follow their own advice. That includes deploying security patches in a timely manner.
The Seven Deadly Sins of Network SecurityCompanies that suffer serious network security breaches have almost always committed one (or all) of 7 deadly sins. Is your company guilty of Number 5: Lax Patching Procedures?
A Few Good Information Security MetricsInformation security metrics don't have to rely on heavy-duty math to be effective. They also don't have to be dumbed down. See Metric 2: Patch Latency on page 3.
