    Survey: Microsoft patches ignored
    The results of an online test conducted by U.K. anti-virus firm Sophos found that
    more often than not, PC users don't install Microsoft's monthly
    patches.

    The results, released on Monday, were gathered from 40 days' worth
    of data from a sample group of 580 PCs in corporate environments,
    80 percent of which failed one or more basic security tests.

    Moreover, 63 percent were found lacking at least one Microsoft
    patch on the OS level, the Office and application levels, or the
    browser and media player component levels.

    Bill Emerick, Sophos' vice president of product management, said in
    a prepared statement, "Machines that fail such a test represent
    'low-hanging fruit' for cybercriminals and [are] a real danger to
    their corporate networks."

    But according to Randy Abrams, director of technical education for
    IT consultancy ESET, these reports can sometimes be like "two blind
    men, touching different parts of an elephant. [They] may get the
    same results, but it doesn't cover the whole body."

    "I think we have to remember that the sample sets and control
    groups in tests like these need to be taken into consideration,"
    said Abrams, himself a former Microsoft security pro. "That said,
    we don't need a survey to tell us that people are lax about
    patching their systems. I think the evidence of that is that there
    are far fewer zero-day or new patches than there are those that are
    responding to a direct set of vulnerabilities."

    There are several reasons for IT pros and even individual users to
    delay, or altogether skip, patching their systems -- one being the
    fact that not every patch may apply to them.

    Many enterprises also hold off patching to evaluate the cost, or to
    avoid either re-patching or seeing their particularly tailored
    systems block the patches.

    There's also some lingering resistance to Automatic Updates for
    Microsoft patches, Abrams explained.
    "In these cases, the systems sometimes reboot...while you're away
    to automatically install the patches," he said. "I think this was a
    case with a good intention and bad implementation on Microsoft's
    part."


    New Bluetooth Patch Fixes XP Security Hole

    Microsoft announced last week that it was reissuing a "critical"
    patch relating to Bluetooth wireless technology that was released
    last week as part of its June update cycle. The patch addresses how
    Bluetooth interoperates with Windows components and
    applications.

    Microsoft originally released the patch on June 10, saying that it
    resolved "a privately reported vulnerability in the Bluetooth stack
    in Windows." The vulnerability could allow a hacker carte blanche
    over an enterprise system, with edit, delete, change and write
    capabilities.

    The amended critical patch is designed to plug security holes when
    running various versions of Windows, especially XP Service Packs 2
    and 3, according to Christopher Budd, security response
    communications lead for Microsoft.

    "Customers who in particular [are] running Windows XP SP2 or SP3
    should download and deploy these new security updates," Budd stated
    in an e-mail to Redmondmag.com. "Customers running other versions
    of Windows who have already applied the original security updates
    do not need to take action."

    Budd added that the updated versions of the affected security
    updates will be made available through the usual distribution
    channels, which include Windows Update and Windows Server Update
    Services.

    IT security pros, including Tyler Reguly, security engineer with
    San Francisco-based network security firm nCircle, said that this
    critical patch is an important one because it doesn't require user
    participation and is a vector many hackers find increasingly easy
    to use.

    "Microsoft definitely wants to get it right," Reguly said. "I find
    this interesting simply because we're seeing a vulnerability in a
    wireless protocol that is quite popular. People travelling with
    laptops are probably the most likely to have Bluetooth enabled.
    It's important to keep in mind the limited range of Bluetooth,
    which is what, in my opinion, somewhat limits the severity of the
    vulnerability."

    For its part Microsoft is still investigating what may have gone
    wrong with a few downloads of this particular patch over the past
    two weeks.

    Writing on Microsoft's MSRC blog, Budd explained
    that his division launched the investigation after it "learned that
    the security updates for Windows XP SP2 and SP3 might not have been
    fully protecting against the issues discussed in that
    bulletin."

    So far, it appears that Redmond's engineers have identified "two
    separate human issues involved," according to Budd. "When we're
    done with our investigation, we'll take steps to better prevent it
    in the future."

    The Bluetooth reissue was one of a few patch reissues released in
    the first six months of this year. The reissue with the highest
    profile came in March, when an Excel cell calculation bug caused
    some versions of its popular spreadsheet app to apply incorrect
    math formulas in individual rows and columns on the program's
    document interface.

    This article originally was published June 23 at RedmondMag.com, a Web site affiliated with GCN.com. RedmondMag.com and GCN.com are owned by 1105 Media Inc.