Inadequate patching leaving businesses vulnerable

Vendors are often releasing patches months after vulnerabilities are discovered, leaving businesses open to attack, experts have warned.

Inadequate patching leaving businesses vulnerable
Inadequate patching leaving businesses vulnerable

Vendors are often releasing patches months after vulnerabilities are discovered, leaving businesses open to attack, experts have warned.

This risk is exacerbated further by firms who do not immediately implement patches once they have been released, security analysts told SCMagazineUK.com.

"A fast patch to a zero day malware attack is what everyone wants - but they also want it fully tested," Clive Longbottom, analyst at Quocirca, said. "These two things are incompatible, and organisations have to decide whether to take the quick fix and hope it doesn't introduce other problems, or wait longer for a proven fix."

"Quocirca finds that even where a patch is available, most organisations will wait for weeks or even months to implement it, carrying out their own tests against it first," he added.

Firms should apply security patches at least once a month, but this is often not the case, according to Jason Hart, consultant at security and risk management consultancy NH Solutions UK. "Cost is a large contributing factor particularly when the patch is in relation to a system being provided as part of a supply contract," he told SCMagazineUK.com, adding: "Suppliers are not prepared to accept the risk of what goes wrong to a live system in order to carry out the necessary testing."

The warnings come after it emerged that subscribers of two major vulnerability programmes had access to at least 58 exploitable flaws during any given day in Microsoft, Apple, Oracle, or Adobe products. Over the last three years, security consultancy NSS Labs, found that an average of 151 days passed from the time when the programs purchased a vulnerability from a researcher and the affected vendor released a patch.

Exploits will probably always remain part of the security equation due to the complexities of modern software, Webroot threat researcher Roy Tobin told SCMagazineUK.com.  "We still see a large number of companies ignoring software releases and updates, which means that even if a fix is released, the organisation would not have received it," he said. "Companies must be always alert to new threats and approach with caution any third-party software, regardless of where it comes from."

Monitoring networks and following best practice will help to mitigate risks, security vendors advise. Andrew Mason, co-founder and technical director of RandomStorm said: “The NSS Labs findings demonstrate the need for continuous monitoring of networks and devices to identify and remediate vulnerabilities as quickly as possible. The lag between exploits being identified and sold to the highest bidders and vendors releasing patches, calls for constant vigilance."

According to Gavin Millard, EMEA technical director at Tripwire: “It is often difficult for vendors to quickly patch a vulnerability, especially with the required burden of having to test all aspects of the code affected by the fix. With this in mind, it is critical that good foundational security best practices are followed and a layered approach to protecting these applications are used. Security architects should always assume a zero day vulnerability exists on critical applications and design controls with this in mind."

Sign up to our newsletters