Many people have their Windows desktops and laptops set to install Microsoft’s monthly updates automatically. For businesses, that is usually not the case: they need to make sure that the updates don’t break anything, so it often takes a while before the updates actually get installed.
In addition, many businesses have employees who are not directly connected to the company network, which makes it difficult to force the patches to install.
But, whether you are a consumer or a business, here is why getting the patches installed quickly is important.
First, as soon as the patches are released, the hackers look at those patches and reverse engineer them to see how hard it is for them to exploit unpatched systems.
The hackers also start working on the easiest, least intrusive way to detect whether the patches have not been installed, so that they can easily catalog which of the systems they can reach are still exposed to the newly learned vulnerability.
Let’s look at June’s patches –
- MS16-063 – Internet Explorer: The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer with the same rights as the user. If the user is a local or network admin, jackpot.
- MS16-068 – Microsoft Edge: The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge with the same rights as the user. If the user is a local or network admin, jackpot.
- MS16-069 – JScript and VBScript: The vulnerabilities could allow remote code execution if a user visits a specially crafted website with the same rights as the user. If the user is logged on with administrative rights, an attacker could take control of an affected system, install programs; view, change, or delete data; or create new accounts with full user rights.
- MS16-070 – Microsoft Office: The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker could run arbitrary code as the current user. If the user was an admin, then the damage could be worse.
- MS16-071 – DNS: The vulnerability could allow remote code execution if an attacker sends specially crafted requests to a DNS server.
This only accounts for 5 of the 16 patches that they released this month – the ones that allow an attacker to take over a computer remotely and execute arbitrary code.
Two tips on dealing with this:
A. Make sure that you are aggressive at patching quickly. The window between the patch being released and the patch being exploited in the wild is pretty short.
B. Do not allow users to run as local or network administrators unless they need to AT THAT MOMENT. Best practices say to create a separate administrative user ID and use it only to perform administrative functions. To discourage users from working under it, make sure that the administrative user cannot access email or the Internet if at all possible. This dramatically reduces the potential for someone to fall for a phishing attack.
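As an added example (not part of the original post), the PowerShell script below audits a single Windows machine against both tips: it reports whether the current session has local admin rights and who sits in the local Administrators group, checks for a list of KB numbers you supply, and asks the Windows Update Agent which updates are still pending. It assumes Windows 8.1 / Server 2012 R2 or later with Windows Update reachable; the `KB0000000` value is a placeholder, not one of the June bulletins, since the post lists bulletin IDs rather than KB numbers.

```powershell
# Added example, not code from the original post. Audits one Windows host for:
#  - accounts that hold local admin rights (tip B)
#  - explicitly named KBs and any updates the Windows Update Agent still
#    considers pending (tip A)
# Assumptions: PowerShell 4+ on Windows 8.1/Server 2012 R2 or later; Windows
# Update (or WSUS) reachable; the default KB ID below is a placeholder.

param(
    # Placeholder KB IDs; replace with the KB numbers from the bulletins you track.
    [string[]]$RequiredKBs = @('KB0000000')
)

# 1. Is the interactive user running with local admin rights right now?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Output ("Current user {0} running as local admin: {1}" -f $identity.Name, $isAdmin)

# 2. Who is in the local Administrators group? Get-LocalGroupMember exists on
#    Windows 10 / Server 2016+; older hosts fall back to the WinNT ADSI provider.
if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
    $admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
} else {
    $group  = [ADSI]'WinNT://./Administrators,group'
    $admins = $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}
Write-Output 'Local Administrators members:'
$admins | ForEach-Object { Write-Output "  $_" }

# 3. Explicit KB check via Get-HotFix (Win32_QuickFixEngineering). Caveat: this
#    source omits updates that are not registered as hotfixes, so treat a miss
#    as "verify further", not as proof the update is absent.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
foreach ($kb in $RequiredKBs) {
    $state = if ($installed -contains $kb) { 'installed' } else { 'NOT FOUND' }
    Write-Output ("{0}: {1}" -f $kb, $state)
}

# 4. Ask the Windows Update Agent which applicable updates are not yet installed.
#    This is the authoritative view of what the machine still needs.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
Write-Output ("Pending updates: {0}" -f $result.Updates.Count)
foreach ($u in $result.Updates) {
    $kbs = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
    # MsrcSeverity is populated for security updates (Critical, Important, ...)
    Write-Output ("  [{0}] {1} ({2})" -f ([string]$u.MsrcSeverity), $u.Title, $kbs)
}
```

Run it in an elevated prompt so the Windows Update search is allowed to complete; the output gives you, per host, the two things the tips above ask you to verify: whether pending security updates are still outstanding and whether everyday accounts are in the Administrators group. Step 4 is slow on a host that has not checked in for a while, so in a fleet it is usually scheduled rather than run interactively.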