January 15, 2020

Patch Tuesday? It’s Woe Wednesday for IT Teams: Here’s What’s On the Agenda

"Software rots over time"

By CBR Staff Writer

Patch Tuesday? How very yesterday.

For IT teams it’s Woe Wednesday as they try to convince upstairs that systems need a reboot. (“Yes, we did that last month too. No, these are fresh vulnerabilities.”)

Among their tasks on the table today: prioritising which patches to install. As ever, there’s no shortage, including some high priority, alarming new bugs.


Microsoft has released updates for Windows, Internet Explorer, Office, .Net, and a variety of developer tools. These resolve 49 distinct CVEs.

A critical patch update from Oracle meanwhile contains a hefty 334 new security patches across over 100 different products and versions.

(Look out for holes in Oracle’s WebLogic Server, including a handful with a critical CVSS score of 9.8: e.g. CVE-2020-2551 and CVE-2020-2546. There are 30 vulnerabilities that are remotely exploitable without authentication — i.e., may be exploited over a network without requiring user credentials — in Oracle Fusion Middleware alone.)

Adobe’s January Patch Tuesday security update contains five critical patches for Illustrator CC and four non-critical fixes for Experience Manager. Intel has pushed out six security advisories, including one with a high CVSS score of 8.2 in its VTune Amplifier for Windows that may allow escalation of privilege.


With the patches including the last batch for the now-unsupported Windows 7 and Server 8, IT teams will also be needing to consider their next steps to keep those systems secure. As IT asset management specialist Ivanti notes: “If you are continuing to run these systems in your environment, you should make sure you are prepared for February and beyond. If you are engaging with Microsoft to continue support, [ask]:

  • Do you have your ESU agreement in place?
  • Have you configured all systems that are continuing support with your ESU key?
  • Have you applied the latest Service Stack Update to these systems? (Microsoft just released an updated SSU for these platforms with the January release.)
  • Have you applied the SHA2 Cert update?”

The company adds: “If you are not purchasing an ESU you will want to consider mitigation options:

  • Get systems up to January 2020 patch levels.
  • Virtualise workloads and reduce access to these systems.
  • Remove direct internet access from these systems.
  • Segregate these systems into a network segment, separate from other systems.
  • Lock down application control policies to prevent running anything other than the critical applications that rely on the legacy OS, etc.”
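As an added, read-only example (not from the article or from Ivanti), the following PowerShell gathers the answers to both checklists above for a single Windows 7 or Server 2008 R2 host. It assumes PowerShell 3.0 or later is installed, that ESU add-on licences appear in the SoftwareLicensingProduct class with "ESU" in their name, and that the operator supplies the SSU and SHA-2 KB identifiers, which the article does not give (placeholders below).

```powershell
# Added example: ESU and mitigation readiness report for a legacy Windows host.
# Assumptions: PowerShell 3.0+, ESU add-ons visible in SoftwareLicensingProduct with
# "ESU" in Name, KB ids for the SSU and SHA-2 updates supplied by the operator.
param(
    [string[]]$RequiredKBs = @('KB<SSU-id-placeholder>', 'KB<SHA2-id-placeholder>'),
    [string]$InternetProbe = '8.8.8.8'   # assumed probe target for the internet-access check
)

$os = Get-CimInstance -ClassName Win32_OperatingSystem
$report = [ordered]@{ Host = $env:COMPUTERNAME; OS = $os.Caption; Version = $os.Version }

# ESU agreement and key: an ESU add-on with LicenseStatus 1 (Licensed) means the
# key has been installed and activated on this host.
$esu = Get-CimInstance -ClassName SoftwareLicensingProduct |
    Where-Object { $_.Name -like '*ESU*' -and $_.PartialProductKey }
$report.ESUActivated = [bool]($esu | Where-Object { $_.LicenseStatus -eq 1 })

# Servicing Stack Update and SHA-2 update: Get-HotFix lists installed updates by KB id.
$hotfixes = Get-HotFix
$missing = $RequiredKBs | Where-Object { $_ -notin $hotfixes.HotFixID }
$report.MissingRequiredUpdates = if ($missing) { $missing -join ', ' } else { 'none' }

# Patch level: date of the most recently installed update, to confirm the host
# reached the January 2020 level before support ended.
$latest = $hotfixes | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
$report.LastUpdateInstalled = if ($latest) { $latest.InstalledOn.ToString('yyyy-MM-dd') } else { 'unknown' }

# Application control: is an effective AppLocker policy enforcing (not just auditing) rules?
# The cmdlet only exists on editions that ship AppLocker, so probe for it first.
$report.AppLockerEnforced = $false
if (Get-Command Get-AppLockerPolicy -ErrorAction SilentlyContinue) {
    $policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    $report.AppLockerEnforced = [bool]($policy.RuleCollections |
        Where-Object { $_.EnforcementMode -eq 'Enabled' })
}

# Direct internet access: one ICMP probe; $true means the mitigation is not in place.
$report.DirectInternetReachable = Test-Connection -ComputerName $InternetProbe -Count 1 -Quiet -ErrorAction SilentlyContinue

[pscustomobject]$report | Format-List
```

Run it from an elevated prompt on each legacy host and collect the output centrally; a host showing ESUActivated false, missing updates, or DirectInternetReachable true has not completed the checklist.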


Jonathan Knudsen, senior security strategist at Synopsys, notes: “Software rots over time [as] vulnerabilities that were already in the software and its component building blocks are discovered over time… People often say ‘if it ain’t broke, don’t fix it.’

“Unfortunately, this attitude is disastrous in software security, where the expression should be ‘if it ain’t broke, it will be soon… if you don’t update, attackers are able to exploit these vulnerabilities to steal information or take control of your systems.”

He adds: “Unfortunately, updating software sometimes causes things to stop working. Many organizations are reluctant to update as soon as patches are available because of the risk of losing functionality. Each organization must find the line that balances the risk of breakage against the risk of attackers exploiting a vulnerability.”

It’s a delicate balance to strike. Marco Rottigni, CTSO, EMEA at Qualys, emphasises that early visibility is key to getting the balance right. He said in an emailed comment: “Getting your priorities right depends very much on the specific IT set-up you have, their dependencies and how quickly you can implement those necessary changes.

“To sustain [software hygiene] efforts, it is crucial that organisations maximise their observability about what to fix, where it is deployed and when to plan it.

“This requires deep visibility, the ability to monitor specific situations and to gain answers about difficult simple questions such as ‘Where is this service running? Where is this software component active?’ or ‘Where is this application installed?’ with a velocity that many organizations don’t currently have.”
