Patch madness! 273 vulnerabilities from four vendors in one week
Patching: the unlocked door
When it comes to patches this week, Apple heads up the most patched charts with 54 vulnerabilities getting fixed across OS X and 50 issues in iOS, with some crossover between the two.
In fact, just about everything Apple has gets a patch and that includes Safari, tvOS, watchOS and Xcode. The vulnerabilities include remote code execution in the OS X kernel and Safari WebKit engine, privilege elevation attacks in watchOS and memory corruption issues in the Xcode integrated development environment.
Adobe is next up, with a total of 79 CVEs although none of these are said to be in the wild and exploited right now. Needless to say, Flash gets the most attention by way of patches for a dozen memory corruption vulnerabilities amongst other things.
An hour later, Microsoft joined the patch party with 71 security fixes. Of the eight vulnerabilities rated as critical, two were said to be under attack in the wild: a memory corruption vulnerability (CVE-2015-6124) in Office and a kernel memory privilege elevation vulnerability (CVE-2015-6175) in Windows itself. The numbers are made up largely by cumulative updates, not least for Internet Explorer and Microsoft Edge with 45 patches between them.
Not to be outdone, Google threw a relatively minimal 19 fixes into the patch mix with an over-the-air update for Google Nexus devices. These included five critical updates, and one for a privilege elevation bug in Stagefright which was rated high. The Android kernel didn't escape patching attention, with CVE-2015-06619 allowing a malicious Android app to execute code at root.
Here's the thing: however you do the math, over 200 patches from just four vendors in a single week is, frankly, a staggering amount. Especially when those four vendors are likely to have devices and software across many of the same organisations.
The question is, should they also be of concern? Why are there so many vulnerabilities coming to light right now, and how can organisations safely implement the resulting patches without putting themselves at risk while doing so?
Indeed, does this level of patching mean we are becoming more, or less, secure?
Let's start by looking at why so many, and why now? "One of the reasons may be the approaching Christmas holidays," Ilia Kolochenko, CEO of High-Tech Bridge told SCMagazineUK.com. "Developers and security teams may already be aware of some vulnerabilities, but patches are being released just now to meet the holiday deadline."
Or maybe, because software will always have them, we should expect to see lots of vulnerabilities.
"If anything, this should not be seen as ‘incredible,' even if the numbers are in the hundreds collectively," says Jeremiah Grossman, the founder of WhiteHat Security. "It's also probably safe to assume there are hundreds if not thousands more vulnerabilities that remain undiscovered in the very same software."
How you perceive the numbers depends somewhat on the glass half full or half empty argument. "The optimist would hope that the number of updates and patches indicate that all known vulnerabilities are now patched and each vendors' software is completely up to date and locked down tight," suggests Oscar Marquez, CTO at iSheriff. "In this case 273 fixes is better than say 200, because the optimist feels so much more safe now with more things fixed."
On the flipside, the pessimist feels that 273 patches is an indication that we can't keep up with the problems in our own software infrastructure and we're all doomed. Next time it will be 300 patches and so forth, until we can no longer keep up. "The truth is somewhere in between," Marquez told us. "Not all patches address a flaw that can be exploited by hackers to infiltrate your system – some just fix a font."
Also, one patch can do six things or six patches can do one thing, so the actual number is soft. "Is the number good or bad – who knows?" Marquez said.
OK, so what about the practical problems of patch management and implementation? "The number of patches can be a challenge to implement within an enterprise," Paul Fletcher, cyber-security evangelist at Alert Logic, conceded. "Organisations that don't have a patch management program will struggle to implement these patches."
Some, such as the head of solution architecture at Vodat International, Kevin Burns, would argue they will struggle anyway. "Given the ever-increasing numbers of vulnerabilities found and addressed combined with the ever-increasing complexity of the environments which need to be maintained,it is becoming a full-time job to prioritise what needs to be tested, let alone testing and releasing into their estates,” he said.
The very topic of patching raises painful questions about how we manage our systems. After all, even when it is known a patch is required it takes no little time or expense to roll them out. "In some cases, this very real cost is held against the hypothetical cost of a breach," warned Fraser Kyne, principal systems engineer at Bromium. "And this can force companies into drastic decisions where compromises have to be made."
No wonder Kyne went on to describe patching as being Lemsip for a cold, dealing with symptoms rather than the root of the problem.
Wolfgang Kandek, CTO at Qualys, agreed. "The challenge I see coming up is how we stop simply adding to what we have in place," Kandek told us, "and instead go back to first principles and make IT secure by design."
Which brings us nicely to the big question: are all these patches making us more or less secure? Tod Beardsley, security research manager at Rapid7, is in no doubt that the more vulnerabilities patched implies more robust and secure operating systems. "This week's outsized numbers are partly coincidental, and partly show that Microsoft, Apple, Adobe, and Chrome all have robust bug-hunting programmes," Beardsley insisted. "Chrome and Adobe products are patched fairly continuously, Windows is patched monthly, and Apple is patched only a few times a year. Naturally, these four schedules will occasionally align."
When they do, it just serves to remind us that "all these vendors are demonstrating that they are taking vulnerability remediation seriously, and have mature security programmes designed to find and fix the bugs they ship," Beardsley concluded.
WhiteHat Security founder Jeremiah Grossman agreed, telling SCMagazineUK.com that "it's extremely encouraging to see large software vendors taking such proactive steps to improving the security of their software" and reminding us that it wasn't so long ago when this wasn't the case.
"Perhaps more importantly," Grossman wrapped up, "we should realise one sobering fact: we're all just one zero-day away from compromise..."