Feeds

Unofficial zero-day patches gain corporate support

Deliver us from evil

Securing Web Applications Made Simple and Scalable

Organisations are deploying unofficial patches in the absence of officially sanctioned security fixes from vendors, a new survey suggests.

Around one in eight (13 per cent) customers quizzed by security vendor PatchLink deployed an unofficial third party patch when the zero-day Microsoft WMF (windows Meta File) exploit was discovered in January.

Three quarters of the 300 IT managers and network administrators worldwide questioned believe that patch cycles, like Microsoft's patch Tuesday, have improved their overall security patch and vulnerability processes. Forty-two per cent quantified the improvement as reducing the time they spent on patching, while 18 per cent reckon they've been able to reduce the number of employees they assign to patching thanks to greater certainty in the timing of patch releases.

However, many respondents in the survey want vendors to issue out-of-sequence security fixes in response to hacker attacks against unpatched flaws, rather than sticking to any pre-defined schedule. More than 50 percent of IT administrators want vendors to take a more flexible approach to releasing patches for zero-day exploits and maintain a monthly patch release date for unexploited vulnerabilities.

0-day third-party patches gaining favour

Zero-day exploits, which have been with us for years, have increased in profile over recent months. January's WMF exploit has been followed by an unpatched Internet Explorer security flaw, an official fix for which is not expected until 11 April (next Patch Tuesday, which falls on the second Tuesday each month).

The issue is far from confined to Microsoft, but the firm's software remains a high-profile target. This, together with the chance of some favourable publicity, encourages independent developers to release unofficial security fixes in response in unfixed Windows or IE flaws that become the subject of malicious hacking attacks.

PatchLink's survey reveals the release and deployment of third-party patches is becoming more accepted, even though many IT professionals still express reservations about this approach. According to the survey, 45 per cent of global respondents would consider using a third party patch, while the majority, 55 per cent, would not. In the UK, 69 per cent of respondents rejected third party patches as a sensible response to zero day threats.

Strategy boutique

With an ever increasing number of web-based applications and browser vulnerabilities, IT professionals are under increased pressure to deploy patches on tight deadlines. In the case of critical patches, 14 per cent of organisations surveyed plan to execute the patch roll out to all work stations within two hours, while 39 per cent of organisations ensure the patches are applied within eight hours. Two-thirds of organisations quizzed have set up an internal deadline for non-critical patch deployment - ranging from two days to two months.

The survey also identified strategies IT professionals find most helpful for mitigating the risk posed by unpatched vulnerabilities. Around 44 per cent of IT professionals find an established process to identify critical systems impacting all business applications most helpful, while 27 per cent said prioritising risk by asset classification was useful, and 22 per cent found that grouping patches by device helped them ward off zero day threats. ®

Mobile application security vulnerability report

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
prev story

Whitepapers

Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.