The 5 essential patches of 2009
If you don't patch any other security bugs this year, patch these
Computerworld - Fact: Everyone who patches is safer. Fact: Not everyone patches.
The gap between the two facts is too deep for even security experts to explain, although they try, with theories running from the conspiratorial -- pirates hate to patch, they say, because they're afraid vendors, Microsoft mostly, will spy them out -- to the prosaic ... that people are, by nature, just lazy.
So rather than recite 2009's patch history -- dismal as it was, with Microsoft, for instance, setting a record in October for the most updates and most flaws fixed in a single month -- Computerworld thought it would be more useful to more users to simply spell out the year's five most important patches.
It wasn't our idea, really. We cribbed it from Qualys' chief technology officer, Wolfgang Kandek, who just last month dug into his company's data to come to an amazing conclusion: People running Microsoft Office could protect themselves against 71% of all attacks targeting the suite by applying just one patch, and a three-year-old patch at that.
With that kind of compensation for a single patch, one has to wonder what big-bang-for-the-buck patches were released in 2009. To find out, Computerworld polled a panel of patch and vulnerability experts to find the five security fixes everyone should deploy from the last 12 months.
If you roll out any updates from 2009, these are the ones.
Microsoft's ATL fixes, July and later. Last July, Microsoft rushed out a pair of updates to preempt a presentation at Black Hat that was to reveal a way for attackers to bypass the "kill-bit" defenses that Microsoft frequently deploys as a stop-gap measure for fixing bugs. That same day, Microsoft also admitted that an extraneous "&" character in its Active Template Library (ATL), a code library used by both Microsoft and third-party developers to build software, was the root of the bug.
"[MS09-035] was one of a handful released to address a flaw in the Active Template Library used to build ActiveX controls," said HD Moore, the creator of Metasploit and chief security officer for security company Rapid7. "A bug in the private version of this library used by Microsoft resulted in a complete negation of all ActiveX security up to the point it was patched. We are still seeing patches come out, months later, as even more controls are identified as containing the buggy code."
MS09-035 is a developers-only patch, aimed at third-party programmers who use Microsoft's popular Visual Studio to craft their own software. Developers needed to apply this patch to Visual Studio, then recompile their code to produce vulnerability-free programs.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts