Another Day Another Patch

Here we go again. A really bad vulnerability in Microsoft products allows an attacker to gain complete control of a machine over the network, and every wannabe pundit tweets or posts “Patch Now!”

Yes, CVE-2017-11937 is a really bad one. It is a remote code execution flaw in Microsoft’s own anti-malware product, the Malware Protection Engine: the bug is triggered when the engine scans a specially crafted file, and because the engine runs as LocalSystem, a successful exploit hands the attacker the whole machine without any user interaction.

So are the eager cyber experts right? Should you patch now? Certainly, your desktops should be patched. At most, each user will be down for a couple of hours as you patch or re-image their machines. No big deal. But what about all those servers?
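A check that goes with the advice above, added here as an example and not part of the original post: before arguing about whether to patch, confirm which hosts are actually still exposed. The Malware Protection Engine is delivered through definition updates rather than the monthly patch, so the question for each machine is whether those updates arrived. This script assumes the Windows Defender PowerShell module (Get-MpComputerStatus) is present on the targets and that WinRM is enabled for Invoke-Command. The minimum engine version is not stated on this page; take it from Microsoft’s advisory for CVE-2017-11937 and pass it as a parameter.

```powershell
<#
  Added example, not from the original post.
  Reports Malware Protection Engine versions across a list of hosts and
  flags any host whose engine is older than -MinimumEngineVersion.
  Assumptions: Defender PowerShell module on each target, WinRM reachable.
  -MinimumEngineVersion is supplied by the operator (e.g. the fixed engine
  version from the vendor advisory); it is deliberately not hard-coded.
#>
param(
    [Parameter(Mandatory = $true)]
    [version]$MinimumEngineVersion,

    # Defaults to the local machine; pass a server list for a fleet check.
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

# Collect engine state remotely. Unreachable hosts surface as errors on
# $unreachable rather than silently dropping out of the report.
$results = Invoke-Command -ComputerName $ComputerName `
                          -ErrorAction SilentlyContinue `
                          -ErrorVariable unreachable `
                          -ScriptBlock {
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        EngineVersion   = [version]$status.AMEngineVersion
        SignatureAge    = $status.AntivirusSignatureAge      # days since last definition update
        RealTimeEnabled = $status.RealTimeProtectionEnabled
    }
}

# Classify each host. A current engine but stale signatures usually means
# update delivery is flaky on that box and deserves a look as well.
$report = foreach ($r in $results) {
    $state = if ($r.EngineVersion -ge $MinimumEngineVersion) { 'OK' } else { 'EXPOSED' }
    [pscustomobject]@{
        Computer        = $r.Computer
        EngineVersion   = $r.EngineVersion
        State           = $state
        SignatureAge    = $r.SignatureAge
        RealTimeEnabled = $r.RealTimeEnabled
    }
}

$report | Sort-Object State, Computer | Format-Table -AutoSize

$exposed = @($report | Where-Object State -eq 'EXPOSED')
Write-Host ("{0} host(s) below engine {1}; {2} host(s) unreachable." -f `
            $exposed.Count, $MinimumEngineVersion, @($unreachable).Count)

foreach ($e in $unreachable) {
    Write-Warning ("Could not query {0}: {1}" -f $e.TargetObject, $e.Exception.Message)
}
```

Run it as `.\Check-MpEngine.ps1 -MinimumEngineVersion <fixed version> -ComputerName (Get-Content .\servers.txt)`. The point of the script is the triage list it produces: hosts marked EXPOSED are the ones where the "patch now" debate actually applies, and hosts that are unreachable or show a large signature age are the ones whose update channel is broken, which is a different problem from patch scheduling.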

I too once issued frantic warnings to “Patch Now!” I was at Gartner and a new vulnerability in Solaris came out. In my green enthusiasm I issued a special alert that went to every Gartner client. I started to get calls. The content of those calls was like this:

“You idiot. We have 2,000 servers. We have to schedule downtime in off hours for each one. Then we have to install the patch and test each and every production application to make sure something did not break. It takes months to patch that many servers. Before we are done there will be new vulnerabilities, and if we followed your advice we would have to start over.”

I learned my lesson. Patching is hard to do.

Over the years, data centers learned how to roll out network defenses against the exploits that target particular vulnerabilities. Vendors called this “digital inoculation.” Now they could address vulnerabilities quickly and relatively painlessly. They still had to test the signatures in their IPS systems and deal with false positives, and a signature only shields the network path into the flaw rather than fixing the code, so anything that reaches the vulnerable host another way is still exposed. But it bought time and saved on patching until the next upgrade cycle.

The move to virtual machines (VMs) and (Read more...)

This is a Security Bloggers Network syndicated blog post authored by Richard Stiennon. Read the original post at: Cylance Blog