Microsoft is revamping its decade-old Patch Tuesday process for updating older Windows operating systems.
Instead of releasing individual security patches for these systems -- Windows 7, Windows 8, Windows Server 2008 and Windows Server 2012 -- Microsoft will begin bundling patches into a single update known as a “rollup.”
The change is designed to simplify the patching process for those operating systems, making it more likely that IT teams will fix security holes in these systems. This should head off a number of potential problems with selective patching of computers, including sync and dependency errors and lower update quality, increased testing complexity and scan times, and difficulties finding and applying the right patches.
In a blog post, Microsoft’s Nathan Mercer said the rollup model will provide a more consistent patching process while simplifying the experience because all supported versions of Windows will follow a similar update model. “The new rollup model gives you fewer updates to manage, greater predictability, and higher quality updates,” Mercer said.
Not everyone is convinced that the revised patching process is going to make life easier for IT folks. Chris Goettle, product manager at security firm Shavlik, argued in a blog post that the new process could cause application capability issues and greater risks associated with exceptions.
“Companies will have to do more rigorous application compatibility testing to ensure things … don’t break when these larger bundled security updates are pushed to systems. If there is a conflict, vendors that conflict with the updates are going to be under more pressure to resolve issues. Where companies may have accepted an exception for one or two vulnerabilities, an exception that causes 20 vulnerabilities to go unpatched will have a very different reaction,” Goettle wrote.
Microsoft is hoping that the change to the Patch Tuesday process will address the problem of older Windows operating systems going unpatched in the enterprise.
Windows’ dubious distinction
According to the latest Vulnerability Update report from Flexera Software’s Secunia Research arm, four versions of Windows are among the top 20 most vulnerable enterprise software products, making Microsoft the vendor with the most vulnerabilities in its enterprise software.
The four Microsoft products landing in the top 20 most vulnerable enterprise software are Windows 10, Windows Server 2012, Windows 8, and Windows RT.
Overall, there were 2,686 vulnerabilities in Secunia’s top 20. To compile the top 20 list, Secunia examined more than 50,000 enterprise software products recorded in Flexera’s Vulnerability Database.
“The bad news is that the overall rate of vulnerabilities remains high, and specifically with respect to operating systems — underscoring the need for users to be diligent about patching their operating systems,” noted Kasper Lindgaard, director of Secunia research at Flexera Software.
While Microsoft was the top offender in terms of vendors, a hospital information system made by Philips had the most vulnerabilities of any enterprise software examined in the report. Secunia found 272 vulnerabilities in that system alone.
The product with the second highest number of vulnerabilities was the Xerox FreeFlow Print Server, which scored 213 vulnerabilities, according to the report.
Other vendors whose products made the top 20 most vulnerable enterprise software were Adobe, Oracle, Apple, Google, IBM, F5, HP, and Forcepoint.
Adobe Reader, Acrobat, and Flash Player made the top 20 list, as did Apple’s Macintosh OS X and mobile iOS operating system, a slew of IBM products such as SmartCloud Provisioning, Oracle’s E-Business Suite and Solaris 11, F5’s BIG-IQ and BIG-IP line of products, and Google Chrome.
Oracle is not prophetic about security
Oracle’s enterprise software products have also seen their share of vulnerabilities.
In its most recent quarterly critical patch update, which was issued in July, Oracle plugged a staggering 276 vulnerabilities across its product line, including 159 vulnerabilities that could be exploited remotely by an attacker.
And in September, security researcher Dawid Galunski identified a critical vulnerability in Oracle’s MySQL that could enable an attacker to exploit a vulnerable MySQL database, execute arbitrary code, and compromise the server on which the database was running.
Galunski informed Oracle about the vulnerability in July, but after hearing nothing from the company for 40 days he decided to disclose what he found to give users a heads-up about the security flaw before the software vendor’s next critical patch update in October.
In addition, Java software has been a security thorn in Oracle’s side for years, ever since the enterprise software giant acquired Java developer Sun Microsystems in 2010. In fact, Secunia last year named Java the biggest security risk to U.S. computers, as reported by CSO magazine.
Secunia, which issued the report before being acquired by Flexera, said in the report that Java software was installed on close to two-thirds of computers and had more than 100 vulnerabilities, but was not updated regularly by close to half of its users.
Feds don’t like Oracle’s Java jive
The poor security performance of Java software has gotten Oracle in trouble with the feds. In December, the Federal Trade Commission announced that it had reached a settlement with Oracle over FTC charges that it deceived customers about the security benefits provided by updates to its Java Platform Standard Edition, which is installed on more than 850 million PCs.
While the FTC did not fine Oracle, the company was ordered to give users the ability to easily uninstall insecure, older versions of Java. According to the FTC, Oracle failed to inform customers during the security update process for Java that the update removed only the most recent version of the software, not earlier versions that might be vulnerable to malware and phishing attacks.
Based on documents the FTC obtained, Oracle was aware of the update problem as early as 2011. One Oracle document stated the "Java update mechanism is not aggressive enough or simply not working," and acknowledged that hackers were targeting prior insecure versions of Java software.
The FTC alleged that Oracle’s failure to disclose the limitation of the Java security constituted a deceptive practice in violation of federal law.
Unfortunately, software security is not getting any better in the enterprise. According to its Vulnerability Update report, Secunia is not seeing a reduction in enterprise software vulnerabilities from previous reports. In fact, the previous report found 1,768 total vulnerabilities in the top 20 products. If anything, the problem of poor patching practices is only getting worse, something Microsoft hopes to reverse with its revised Patch Tuesday process.
Photo credit: Darla