Patch/Configuration Management, Vulnerability Management

Experts: Be aware of new Microsoft exploits despite patch-less Patch Tuesday


Network administrators shouldn't schedule a nap for the time they usually patch Microsoft operating systems today.

Despite Microsoft’s announcement last Thursday that it won’t supply new patches for only the second time in 18 months, most IT professionals will likely spend today - usually one of the most hectic of the month - catching up on other security activities, experts said today.

Russ Cooper, senior information security analyst at Cybertrust, told today that system administrators should update web browsers to Internet Explorer 7 or check inbound and outbound access controls, among other activities.

Don Leatham, director of solutions and strategy at PatchLink, told today that the patch-less Patch Tuesday could be a "blessing in disguise" for IT professionals because they can now concentrate on other areas.

"The No. 1 thing we’re urging is not to get complacent. Sometimes we get so focused on Microsoft operating system patches, this could give us a chance to take a look at other applications," he said, citing updates from Adobe. "There have also been a large number of patches in the past six months for Linux and Mac systems, and they’re usually in smaller numbers so they might be forgotten."

Leatham also urged administrators to audit daylight-saving time patches in the midst of isolated incidents concerning the fixes this week.

A Microsoft spokesperson said last week that the Redmond, Wash. company was working on fixes for several known flaws, but it needed more time to develop patches that passed its quality control process. Last month, Redmond released a dozen patches to the public.

Experts weren’t convinced the break would have an effect on the "exploit Wednesday" trend – attackers releasing exploits for Microsoft vulnerabilities in the 24 hours after the patches are released.

"If you look back, there were times when there have only been one or two patches that came out on a Patch Tuesday. Sometimes those people who have exploit code are ready to dump it into the web on Wednesday, but whether they’ll wait to do it because there’s no patch, I don’t know – I don’t think so," said Leatham. "Maybe it might embolden someone who thinks they have zero-day exploit code."

Cooper said the likelihood of attacks increases around Patch Tuesday because that’s when most PC users apply Microsoft’s malicious software removal tool.

"If (exploit Wednesday) does happen, and it’s dubious whether it does or doesn’t happen, then it happens because this is the day that most people are using the malicious software removal tool, so they’re trying to get those newly cleaned systems infected," he said.

Amol Sarwate, director of Qualys’ vulnerability research lab, told today that there are zero-day flaws in Office, and he advised IT professionals to keep their eyes open for new exploits.

"We have seen a lot of exploits popping up on either Mondays or Wednesdays, so Microsoft doesn’t have enough time to create a patch. When they said on Thursday that they wouldn’t release new patches, I expected some exploits being disclosed, but there weren’t any," he said. "What I would do is, as a system administrator, just keep my eyes open for new exploits."

Some security experts warned last week that system administrators shouldn’t get too cozy as the reprieve could mean that Microsoft will release a hefty load of patches next month.

Cooper, however, disagreed with that assessment, saying, "No, that’s not necessarily the case at all."

Click here to email Online Editor Frank Washkuch Jr.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.