The last Patch Tuesday for 2010 was a heavy one—17 bulletins covered 40 vulnerabilities, two of which were rated “critical.” Full details are available from Microsoft, but this entry serves as a timely reminder of the message that follows.
The Stuxnet attack brought a lot of attention to zero-day vulnerabilities. It shook the confidence of IT security administrators and pressured security professionals to come up with solutions. However, as Trend Micro CTO Raimund Genes points out in his latest video blog, zero-day vulnerabilities are over-hyped for the following reasons:
- First, the four separate zero-day vulnerabilities used by Stuxnet were very expensive. A cybercriminal, motivated by profit, will not normally use so many vulnerabilities in one attack.
- Second, unpatched systems already offer a large victim base that allows attackers to pursue their attacks.
- Third, sending out malicious links from which users can download malware is a much simpler exploit vector and there are always people who will fall for that.
Trend Micro CTO Raimund Genes urges people to focus more on known vulnerabilities that are actively being exploited in the wild.
Raimund’s talk emphasized the importance of patching. For large companies that have patching policies and systems, full testing of patches is always required prior to application. This delays protection (sometimes by weeks after the patch is released), which means that mission-critical servers can remain exposed to exploits in the meantime.
This process should also consider third-party applications, which have become a common attack vector for hackers. While Adobe’s Acrobat/Reader and Flash Player were the biggest third-party targets in the past, recent developments point to the increasing use of Java vulnerabilities.
IT security administrators can adopt defense-in-depth tactics to protect themselves. They should:
- Deploy a vulnerability scanner that scans systems for unpatched, vulnerable applications. Follow up on identified problems and address them on a timely basis.
- Deploy endpoint protection (such as antivirus software) on each and every system and make regular scanning mandatory.
- Employ an intrusion prevention system (IPS) that can provide “virtual patches” until such time when system administrators can complete their testing and can roll out patches. The next release of our Deep Security product will team up with OfficeScan to provide even better protection, as Deep Security will now be able to deal with both exploit and malware attacks.
- Understand what’s on the company intranet. System administrators should carefully manage the OS and applications installed on servers and end-user computers. Make sure these don’t pose additional risks by keeping software up-to-date. If applicable, use a centralized download server and prevent users from directly installing (zipped and/or compressed) executable files from external sources.
Even with a sound patching process, however, certain challenges remain:
- Virtual machines (VMs) are often difficult to cover with vulnerability and malware scans because they are sometimes stored offline (i.e., not running) for long periods, yet they have to be running before they can be patched. Choosing an IPS product with VM capability will help here.
- In the long run, application security on handheld devices such as iPods, iPhones, and BlackBerrys should also be considered.
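The inventory review recommended above (know what is installed, keep third-party software current, follow up on scanner findings) and the offline-VM gap just described, as an added example that is not Trend Micro’s code: a small audit over a constructed asset inventory. Hostnames, dates, minimum versions and the 30-day testing window are all assumptions for the illustration.

```python
"""Added illustrative patch-hygiene audit (not Trend Micro code): walks a
constructed asset inventory and reports the gaps the post warns about."""
from datetime import date

# Constructed sample inventory; dates are ISO strings, versions are made up.
INVENTORY = [
    {"host": "web01", "kind": "server", "last_patched": "2010-12-01",
     "apps": {"Java": "1.6.0_22", "Adobe Reader": "9.4.1"}},
    {"host": "desk17", "kind": "workstation", "last_patched": "2010-09-03",
     "apps": {"Flash Player": "10.0.45.2", "Java": "1.6.0_17"}},
    {"host": "vm-build", "kind": "vm", "online": False, "last_patched": "2009-06-30",
     "apps": {"Adobe Reader": "8.1.2"}},
]

# Hypothetical minimum acceptable versions; placeholders, not real advisory data.
MIN_VERSIONS = {"Java": "1.6.0_22", "Adobe Reader": "9.4.1",
                "Flash Player": "10.1.102.64"}
MAX_PATCH_AGE_DAYS = 30  # assumed patch-testing window for this example


def version_key(version):
    """Turn '1.6.0_22' into (1, 6, 0, 22) so versions compare numerically,
    not as strings (where '9.4.1' would wrongly sort above '10.1.102.64')."""
    return tuple(int(part) for part in version.replace("_", ".").split("."))


def audit(inventory, today_iso, min_versions=MIN_VERSIONS,
          max_age=MAX_PATCH_AGE_DAYS):
    """Return (host, finding) tuples: offline VMs that no scanner can reach,
    hosts whose last patch is older than the testing window, and third-party
    apps below the minimum version."""
    today = date.fromisoformat(today_iso)
    findings = []
    for asset in inventory:
        host = asset["host"]
        # A powered-off VM is invisible to scans and cannot be patched yet.
        if asset.get("kind") == "vm" and not asset.get("online", True):
            findings.append((host, "offline VM: not scanned, not patched"))
        age = (today - date.fromisoformat(asset["last_patched"])).days
        if age > max_age:
            findings.append((host, f"last patched {age} days ago"))
        for app, installed in asset["apps"].items():
            floor = min_versions.get(app)
            if floor and version_key(installed) < version_key(floor):
                findings.append((host, f"{app} {installed} below {floor}"))
    return findings


if __name__ == "__main__":
    for host, finding in audit(INVENTORY, "2010-12-15"):
        print(f"{host}: {finding}")
```

Feed it a real inventory export and a current minimum-version table and the output is the follow-up list the scanner step above asks for.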
Most exploits in the wild target known vulnerabilities and not newly discovered zero-day vulnerabilities. We have seen customers who have vulnerable applications that haven’t been updated for almost 10 years. Next time, when you hear about an exploit, ask yourself, “Have I patched all of my systems lately?”