Last week Adobe release a set of patches fixing 78 vulnerabilities. At the same time, Microsoft released patches for 71 vulnerabilities – three-quarters of which Microsoft rated as CRITICAL.
Two vendors, one month, 149 bugs patched.
Think about the amount of software that is out there. If every other product is as reliable as Microsoft’s and Adobe’s software, that means that there should be millions of patches released every month.
Of course, some vendors (Oracle for example) don’t release patches every month. Oracle releases their patches quarterly and typically there are one- to two-hundred bugs fixed in each Oracle patch release.
Other vendors don’t release patches at all. For example, if you have an old iPhone or Android phone – more than say two or three releases of the software old – the vendors don’t issue patches for them. Many people continue to use old phones oblivious to the fact that the software is no longer being patched.
In the case of this month’s Microsoft patch fest, while some of the patches affect Windows, many of them affect Internet Explorer (30 of them) and Microsoft’s new browser Edge (15 bugs). The fact that IE or Edge is installed on your computer is enough to likely make the computer vulnerable.
The challenge for users and businesses alike is that they must know each piece of software installed on each computer – desktop, laptop, server, phone, tablet, router, firewall – you name it. Then they have to figure out how to check for new patches.
After you find out that there are new patches, you have to decide whether to install the patches now or wait. Why wait? In this month’s Microsoft patch fest are some patches that affect Microsoft Outlook. Some users are reporting that Outlook has stopped working after they installed the patches. Why not wait? Because as soon as the patches are released, hackers start examining those patches to see what has been fixed – so that they can attack users who have not yet installed those patches. In many organizations, some patches never get installed.
If you are able to find out that there are patches and that you want to install them, you have to figure out HOW to install them. Sometimes that is not easy.
When was the last time you patched your internet gateway (modem or router?
If you have a WiFi access point, when was the last time you patched that device?
Do you even know HOW to do that?
You get the idea.
I don’t have a great answer, but even though it has downsides, I recommend that most users let programs check for patches and install them automatically.
The problem is, for example, if you don’t use a program but it is installed on your computer, that program can’t check for patches. Some programs install a small task that runs in the background that only checks for new patches and warns you. Not all programs do this, If the program is installed but not patched, the bugs are often still a valid attack vector. Not always, but usually.
Some programs don’t automatically check for updates and others do not check for patches even when you first start them.
What this means is that the onus is on users. Many users install software because it seems cool. Then they don’t like it. But they don’t uninstall it. That software is highly unlikely to be patched.
I wish I had a better answer, but I don’t. Until software makers get their collective acts together, caveat emptor. The ball is in your court.
Information for this post came from Krebs On Security.