Yesterday was Patch Tuesday. Microsoft had 14 bulletins, 5 of which they deemed critical, covering 59 vulnerabilities.
Oracle released patches covering 193 vulnerabilities, including 25 Java patches, one of which is already being exploited in the wild. 44 of these vulnerabilities came from third party components. Of the 25 Java vulnerabilities fixed, 23 of them can be exploited remotely without authentication.
One of the Microsoft patches, MS15-077, fixes a zero day in the Windows Adobe Type Manager Font Driver, for which there was a proof of concept disclosed in the Hacking Team data dump. This is a very speedy response time for Microsoft. The bug affects Windows Server 2003, 2008 and 2012, all desktop OSs since Windows Vista and Windows RT. It would allow hackers to install programs, view, change or delete data and create new accounts – in other words, do pretty much anything the hacker might ever want to do.
Microsoft released 28 patches for Internet Explorer, 20 of which are critical and one of which, CVE-201-2045, fixes another zero day flaw exposed in the Hacking Team dump.
Adobe released patches for two more zero day exploits that were exposed by the Hacking Team data dump and which I wrote about the other day. Those were the ones that caused Mozilla to completely block Flash inside Firefox.
Given all this data, let’s ponder a few things:
- Thank you Hacking Team for getting hacked – there are a number of things that got cleaned up as a result
- Vendors – Microsoft and Adobe in this case – can move VERY quickly when their tush is on fire because someone released exploits of their systems with “easy to follow instructions” on how to use them
- Third-party components – i.e. the software supply chain – accounted for 44 of the vulnerabilities that Oracle patched. The software supply chain is a killer.
- But the most important issue here is that this week a couple of vendors released patches covering almost 300 bugs. How on earth is a user or company supposed to absorb that many patches, figure out where the affected systems live, test the patches to make sure they don’t break anything and get them deployed to the users in a timely fashion?
- And, don’t forget, this is just three vendors of maybe hundreds that are used by any one organization.
Software governance, part of the overall corporate governance, risk and compliance (GRC) activity, is a challenge for companies, both big and small. Big companies are challenged because they have so many devices scattered to the winds. Small companies are challenged because they don’t have the resources and expertise to analyze and deploy the patches.
And, as more and more things contain software (you may remember that the Maytag repairman (actually Whirlpool) had to patch my dishwasher last week in order to complete an unrelated service call), this is not likely to get any better any time soon.
In fact, the bigger question is this – if we found and patched 300 bugs this week, how many more are out there unpatched and exploited – either accidentally or on purpose?