A while ago I wrote an article on the subject of patch management, the thesis of which was that most vulnerabilities can be avoided by having a mature patch management system in place. Vulnerabilities are going to happen, and the best response is to make sure that when they are found, your business’s machines are patched as quickly as possible.
According to a recent study from Secunia ApS, around 80 percent of vulnerabilities are patched within 24 hours of being discovered. The problem is not with patches being unavailable, but with businesses not implementing decent patching strategies. Being on the ball with patching can significantly reduce a business’s exposure.
The study from Secunia revealed another interesting bit of information: the single most substantial cause of vulnerabilities is Java. That probably won’t come as a surprise to anyone in the IT sector, but what is chastening is that although Java is found on 65 percent of machines, and there were 119 new vulnerabilities observed in Java in one year, more than half of machines are not running the most recent patched version.
The point is not that Java is an essentially faulty piece of software — although many would make that argument — but that users of Java are failing to take notice of the potential vulnerabilities it contains and update in a reasonable timeframe. For some businesses, Java is essential, although I expect that it will become less so as legacy software is replaced by modern alternatives. In many cases, the vulnerabilities could be largely mitigated by not allowing Java to run in the browser, but for those businesses for which Java is unavoidable, implementing a process of patch management is essential.
On average, PCs had 76 different programs installed that originated from 27 vendors. That’s far too many for businesses to rely on an ad-hoc patching strategy. Without a clear process in place, a business’s machines will almost certainly be vulnerable. 73 percent of machines were running Adobe Flash Player 15: a program that is no longer actively maintained and that has the potential to be riddled with vulnerabilities — on the modern web, there is really no excuse to run such horrendously out-of-date software.
The survey also showed that while some first-party software from Microsoft was unpatched, the majority was patched on a reasonable schedule. That makes sense because Microsoft makes it easy for businesses. Patch Tuesdays are a well-known and respected tradition — everyone in IT knows when the OS and application updates will come, and largely they apply them.
But where businesses have to manage the routine themselves, they don’t do so well. In an age where information security and data privacy are so crucially important to the continued success of businesses, patch management is a serious issue, and businesses should be doing all they can to maintain up-to-date and secure systems.