The Occupy Patch Management Movement – Why ignore the 78% in favor of the 22%?

Let’s face it – Microsoft may get a bad rap sometimes. Many Mac and *NIX aficionados will quickly assert that their system of choice is much more secure than any particular flavor of Windows. The more ignorant may even assert that their system of choice is impermeable to security threats. These are the guys that elicit a face plant into the desk from every security professional who reads one of their blog responses. Don’t get me wrong – I am an avid Linux user and (aside from gently ribbing my brothers in arms who iEverything) believe that there are pros and cons for them all. These are different debates for a different day.

As a general observation, most organizations that I encounter do a fairly good job in managing patches for Microsoft operating systems and applications. Smaller organizations may rely on Windows Update while larger organizations may have a more robust patch management system, such as WSUS, for managing Microsoft updates. In both cases, there is little reliance upon the end-user to interact with the update process. This is generally not the case with patching of third party applications, which tend to have a much higher rate of missing patches.

The purpose of this article is not to pat Microsoft on the back or downplay the risk of unpatched vulnerabilities on Microsoft systems, but rather to highlight the fact that MS KB vulnerabilities represent only a small percentage of the threat landscape and ignoring the others is akin to locking the Windows © and leaving the back door wide open (pun obviously intended – credit Stefan Frei, research analyst director at security research firm Secunia for his initial quote).

Secunia recently released their yearly vulnerability report for 2011 (download it here) analyzing vulnerability trends across various operating systems and software vendors. One of the most telling statistics identified in the report confirms a fact that we as penetration testers have known for some time now – that there is a gaping hole in security as it relates to patching of third party applications. In some cases, these vulnerabilities are cross-platform and can affect Mac and *NIX systems as well, so long as the exploit payload is designed to handle these operating systems.

Secunia reports that Microsoft patching mechanisms (be it Windows Update or WSUS) only address 22% of the vulnerabilities associated with their top 50 software portfolio (comprised of the top 50 most common operating systems and applications), leaving the remaining 78% of vulnerabilities to be patched through an additional 11 patch distribution mechanisms. Unfortunately for the network administrator, these patch distribution mechanisms are much more difficult to centrally manage. The result? The most common portion of the vulnerability landscape, being third party applications, is also the portion that is most likely to remain unpatched.

Consider the following real-world example: in a recent vulnerability scan I performed on a small network containing 38 Windows servers and workstations, only 2 machines on the network were detected as missing Microsoft patches (excluding 2 recently issued patches that had not been tested and approved for deployment in the patch management system), while 13 were detected with out-of-date versions of Adobe Acrobat, 14 with out-of-date versions of Java, and 5 with out-of-date versions of Flash. I grant you that this is obviously a small business; however, this sort of distribution is consistent with those I see in many organizations of varying sizes and complexities.

Attackers are very aware of the disconnect between vulnerabilities and patching as it relates to third party applications. Many common exploit kits that are used for mass exploitation focus on these third party applications because the attackers know all too well that their success rate will likely be higher attacking them. The Contagio Malware Dump Blog maintains a nice spreadsheet matrix of common malware exploit kits and the various vulnerabilities each exploits here. Review of the summary shows a vast number of exploits associated with Adobe, Java, Flash, and other third party applications – much more so than Microsoft vulnerabilities. Consistent with the Secunia report, sorting the vulnerabilities by CVE date also shows an increasing percentage of non-Microsoft vulnerabilities in recent years.

So, now that we are convinced of the threat that the unpatched 78% poses, what can be done about it?

  1. Remove unnecessary applications – The smaller your footprint, the less you have to patch, so if you don’t need it, uninstall it! I have read no fewer than 5 articles in the last month that advocated completely removing Java. Granted, this is easier said than done as most organizations rely heavily on some of the most common culprits. An assessment of your software environment may identify selected instances where these applications are not necessary. In the case of Adobe, there are alternative PDF readers that are less commonly attacked (although vulnerabilities are periodically identified in these products just like their more popular counterpart, so the same patch management problems apply). If your workstations are not built from scratch (you use OEM installs), then you will be even more likely to find old and unnecessary applications that can be removed. Start by performing an inventory scan of your entire network and then work through the list of applications.
  2. End-user education – If the patch distribution mechanism employed requires end-user intervention, then we need to make sure that our end-users are actually installing the patches. Ask your employees to take the extra 10 seconds to install that Java update instead of clicking “Remind me later” for the next 6 months.
  3. Know when new threats emerge – Monitor the exploit landscape and security blogs for new vulnerabilities affecting applications on your network. http://www.exploit-db.com/ is a great resource for obtaining up-to-date exploits as they are released, and has an RSS feed that you can subscribe to. http://www.securityfocus.com/ also maintains a comprehensive database of vulnerabilities and has a mailing list option. When a new vulnerability is detected and you must rely on your end users to install the patch, let them know about it.
  4. Monitor your network for missing patches – You don’t have to wait for your periodic independent vulnerability assessment or penetration test to provide you with a list of vulnerabilities. Self monitoring provides much more timely information and will likely result in much cleaner pentest reports in the future. A number of vulnerability scanners, including Nessus ($1,200 per year per scanner – free home feed is not licensed for use in a corporate setting) and Nexpose (free community edition for up to 32 IP addresses) will detect missing patches and can be configured to perform scheduled scans on a regular basis. From the open source community, OpenVAS is a popular alternative to commercial offerings.
  5. Centrally deploy common applications – Many of the most commonly exploited third party applications, including Adobe, Flash, and Java can be deployed (via .msi) and updated (via .msi reinstall or .msp patch) using Group Policy. This method requires a good deal of manual labor on the part of the network administrator as the GPO will have to be updated and re-deployed each time a patch is issued. GPO deployments of these applications can also be problematic and should not be relied upon without some form of regular vulnerability scanning to make sure that the updates are being deployed properly.
  6. Implement a patch management solution that will deploy third-party patches – Although I have been unable to find a free centralized patch management solution that will handle non-Microsoft patches, there are a number of commercial offerings that will do the job. GFI Languard Network Security Scanner (from $7.50 to $32 per IP depending upon volume discount) is a popular vulnerability scanner that also provides for remote remediation and deployment of patches. Shavlik is another common patch management platform that comes in a variety of flavors.
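As an added example (not the author’s code, and not tied to any of the products named above), the following Python script takes an inventory export of the kind the inventory scan in step 1 produces and tallies, per product, which hosts are below a baseline version, the same way the Acrobat/Java/Flash counts from the 38-machine scan were arrived at. The inventory rows, product names and baseline versions are all constructed placeholders, not real vendor advisories; the script also shows why versions such as Java’s 1.7.0_13 must be compared numerically rather than as strings.

```python
import re
from collections import defaultdict

# Constructed inventory export (hostname, product, installed version), in the
# shape an inventory scan of a small Windows network might produce.
INVENTORY = """\
ws01,Java,1.7.0_9
ws01,Adobe Reader,10.1.1
ws02,Java,1.7.0_13
ws02,Flash Player,11.1.102.55
ws03,Adobe Reader,10.1.2
ws03,Java,1.6.0_31
ws04,Flash Player,11.1.102.62
ws04,Java,1.7.0_13
"""

# Hypothetical "minimum patched" baseline per product (placeholder values,
# not real vendor advisories): anything older is reported as out of date.
BASELINE = {
    "Java": "1.7.0_13",
    "Adobe Reader": "10.1.2",
    "Flash Player": "11.1.102.62",
}

def version_key(version):
    """Split a version string into a tuple of integers so that 1.7.0_13
    sorts after 1.7.0_9 (a plain string compare gets this backwards)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def is_outdated(installed, minimum):
    return version_key(installed) < version_key(minimum)

def parse_inventory(text):
    """Parse 'host,product,version' lines; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, product, version = (f.strip() for f in line.split(",", 2))
        rows.append((host, product, version))
    return rows

def outdated_by_product(text, baseline=BASELINE):
    """Return {product: sorted hosts whose install is below the baseline}."""
    result = defaultdict(set)
    for host, product, version in parse_inventory(text):
        minimum = baseline.get(product)
        if minimum and is_outdated(version, minimum):
            result[product].add(host)
    return {p: sorted(h) for p, h in result.items()}

if __name__ == "__main__":
    for product, hosts in outdated_by_product(INVENTORY).items():
        print(f"{product}: {len(hosts)} host(s) out of date: {', '.join(hosts)}")
```

Products missing from the baseline are ignored, so unmanaged software never silently passes as current; add it to BASELINE or remove it from the machine.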