Despite all the hype about the cutting edge techniques hackers are using to steal companies’ data now, many attackers still have a lot of luck exploiting vulnerabilities that received patches from vendors months or even years ago.
For example, a researcher at security firm Sophos recently published a paper explaining a common set of attacks using malicious Rich Text Format files to exploit a stack buffer overflow vulnerability in Microsoft Office.
Though Microsoft released a patch for the vulnerability in November 2010, that didn’t stop hackers from exploiting it — in fact, Sophos has seen a steady stream of those exploits over the past 14 months. The reason: Many businesses and individuals have yet to install the patch.
That’s not the only attack out there exploiting vulnerabilities that in theory should no longer be open. A recent study published by M86 Security Labs (download the PDF here) found that the web exploit observed most often in the second half of 2011 targeted an Internet Explorer 6 vulnerability that received a patch in 2006.
The vulnerabilities targeted by the 15 most common web exploits had all been patched in 2010 at the latest, and two had even been patched as early as 2002 and 2004.
The bottom line: Those attacks are worthwhile for hackers because many machines still don’t have those critical patches installed. For individuals, the reason may be a lack of knowledge about how to apply patches or a failure to understand why doing so is important. But for businesses, lax patch management practices are often to blame.
Here are three steps IT departments can take to develop and implement an effective patch management plan:
- Assess — The first step is knowing what items need to patched. That means developing a list of all software and hardware resources used in the organization, and identifying which of those are legacy applications that no longer receive updates. At this point, IT should make sure all items are fully updated.
- Identify new patches — Having a complete list will help IT departments identity what new patches apply to their systems. Most vendors send out alerts when patches are available, and there is also information available from third parties, such as Secunia’s security advisories and the SANS @Risk Newsletter. Once applicable patches are identified, IT can prioritize them based on severity.
- Deploy and notify users — The patches should then be installed in order of priority. In the case of applications on users’ local machines, notify users what they should do to install the patch (unless IT staffers will do it themselves). Often, users ignore update notices simply because they don’t know whether or not they’re supposed to allow the update to install.