Survey: Microsoft patches ignored


The results of an online test conducted by U.K. anti-virus firm Sophos found that
more often than not, PC users don't install Microsoft's monthly
patches.



The results, released on Monday, were gathered from 40 days' worth
of data from a sample group of 580 PCs in corporate environments,
80 percent of which failed one or more basic security tests.



Moreover, 63 percent were found lacking at least one Microsoft
patch on the OS level, the Office and application levels, or the
browser and media player component levels.



Bill Emerick, Sophos' vice president of product management, said in
a prepared statement, "Machines that fail such a test represent
'low-hanging fruit' for cybercriminals and [are] a real danger to
their corporate networks."



But according to Randy Abrams, director of technical education for
IT consultancy ESET, these reports can sometimes be like "two blind
men, touching different parts of an elephant. [They] may get the
same results, but it doesn't cover the whole body."



"I think we have to remember that the sample sets and control
groups in tests like these need to be taken into consideration,"
said Abrams, himself a former Microsoft security pro. "That said,
we don't need a survey to tell us that people are lax about
patching their systems. I think the evidence of that is that there
are far fewer zero-day or new patches than there are those that are
responding to a direct set of vulnerabilities."



There are several reasons for IT pros and even individual users to
delay, or altogether skip, patching their systems -- one being the
fact that not every patch may apply to them.



Many enterprises also hold off patching to evaluate the cost, to
avoid having to re-patch, or because their custom-tailored systems
block the patches outright.



There's also some lingering resistance to Automatic Updates for Microsoft patches, Abrams explained.
"In these cases, the systems sometimes reboot...while you're away
to automatically install the patches," he said. "I think this was a
case with a good intention and bad implementation on Microsoft's
part."
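The survey figures earlier in this piece (machines missing OS, Office or component-level patches) and the Automatic Updates concerns just discussed both come down to the same question for an administrator: what does this machine think it is missing, and how is it configured to install it? The following is an added example, not code from the article, Sophos or Microsoft. It queries the local Windows Update Agent COM API (Microsoft.Update.Session and Microsoft.Update.AutoUpdate), which ships with XP SP2 and later, and reports against whatever update source the machine is pointed at (WSUS or Microsoft Update). The function names are my own.

```powershell
# Added example (not from the article, Sophos or Microsoft): audit a
# Windows host for missing Microsoft updates and report how Automatic
# Updates is configured, using the Windows Update Agent COM API.
# Run in an elevated PowerShell session on the machine being checked.

function Get-MissingUpdates {
    # Ask the local Windows Update Agent for software updates that are
    # not installed and not hidden. The search runs against the machine's
    # configured source (WSUS or Microsoft Update) and may take a minute.
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

    foreach ($update in $result.Updates) {
        # MsrcSeverity is empty for non-security updates; the category
        # names show whether the gap is at the OS, Office or component level.
        $kb         = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        $categories = ($update.Categories   | ForEach-Object { $_.Name }) -join '; '
        [pscustomobject]@{
            KB         = $kb
            Title      = $update.Title
            Severity   = $update.MsrcSeverity
            Categories = $categories
            Downloaded = $update.IsDownloaded
        }
    }
}

function Get-AutoUpdateSetting {
    # NotificationLevel: 1 = disabled, 2 = notify before download,
    # 3 = notify before install, 4 = scheduled install (the mode that
    # can reboot an unattended machine after installing).
    $au = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
    $levels = @{ 0 = 'Not configured'; 1 = 'Disabled'; 2 = 'Notify before download';
                 3 = 'Notify before install'; 4 = 'Scheduled install' }
    [pscustomobject]@{
        Level       = $au.Settings.NotificationLevel
        Description = $levels[[int]$au.Settings.NotificationLevel]
        ReadOnly    = $au.Settings.ReadOnly   # $true when enforced by Group Policy
    }
}

$missing  = @(Get-MissingUpdates)
$critical = @($missing | Where-Object { $_.Severity -eq 'Critical' })
Write-Host ("Missing updates: {0} (critical: {1})" -f $missing.Count, $critical.Count)
$missing | Sort-Object Severity, Title | Format-Table KB, Severity, Title -AutoSize
Get-AutoUpdateSetting | Format-List
```

Two caveats when reading the output. First, the agent only reports what its configured source offers, so a reissued bulletin like the Bluetooth one below shows up as missing only after the revised package has been published to that source; on WSUS that means the administrator has to approve the new revision. Second, a NotificationLevel of 4 with ReadOnly false means a user can change the schedule locally; the unattended-reboot behaviour Abrams describes is governed separately by the "No auto-restart with logged on users" Windows Update Group Policy setting.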



New Bluetooth Patch Fixes XP Security Hole



Microsoft announced last week that it is reissuing a "critical"
patch for Bluetooth wireless technology that was first released
earlier this month as part of its June update cycle. The patch
addresses how the Bluetooth stack interoperates with Windows
components and applications.



Microsoft originally released the patch on June 10, saying that it resolved "a privately reported vulnerability
in the Bluetooth stack in Windows." The vulnerability could give an
attacker complete control of an affected enterprise system, including
the ability to change, delete or write data.



The amended critical patch
is designed to plug security holes when running various versions of
Windows, especially XP Service Packs 2 and 3, according to
Christopher Budd, security response communications lead for
Microsoft.



"Customers who in particular [are] running Windows XP SP2 or SP3
should download and deploy these new security updates," Budd stated
in an e-mail to Redmondmag.com. "Customers running other versions
of Windows who have already applied the original security updates
do not need to take action."



Budd added that the updated versions of the affected security
updates will be made available through the usual distribution
channels, which include Windows Update and Windows Server Update
Services.



IT security pros, including Tyler Reguly, security engineer with
San Francisco-based network security firm nCircle, said that this
critical patch is an important one because the flaw can be exploited
without any user interaction, and because wireless is a vector many
attackers find increasingly easy to use.



"Microsoft definitely wants to get it right," Reguly said. "I find
this interesting simply because we're seeing a vulnerability in a
wireless protocol that is quite popular. People travelling with
laptops are probably the most likely to have Bluetooth enabled.
It's important to keep in mind the limited range of Bluetooth,
which is what, in my opinion, somewhat limits the severity of the
vulnerability."



For its part Microsoft is still investigating what may have gone
wrong with a few downloads of this particular patch over the past
two weeks.



Writing on Microsoft's MSRC blog, Budd explained
that his division launched the investigation after it "learned that
the security updates for Windows XP SP2 and SP3 might not have been
fully protecting against the issues discussed in that
bulletin."



So far, it appears that Redmond's engineers have identified "two
separate human issues involved," according to Budd. "When we're
done with our investigation, we'll take steps to better prevent it
in the future."



The Bluetooth reissue was one of a few patch reissues released in
the first six months of this year. The reissue with the highest
profile came in March, when an Excel cell-calculation bug caused some
versions of the popular spreadsheet application to return incorrect
results for formulas in certain rows and columns.



This article originally was published June 23 at RedmondMag.com, a Web site affiliated with GCN.com. RedmondMag.com and GCN.com are owned by 1105 Media Inc.
