By Eliot Beer
Application patches are now a fact of life for any IT user, but with so many out there, enterprises may struggle to stay on top. NME looks at the issues, as reports of record vulnerability numbers come to light.
Microsoft last month broke with tradition by releasing an Internet Explorer (IE) patch outside of its so-called Patch Tuesday package. This is not unprecedented – the vendor has come out of its update cycle before for particularly critical flaws, which certainly seemed to qualify this time; hackers were already exploiting the vector markup language (VML) vulnerability in question.
Keeping software updated is always a challenge, but the current focus on web browser flaws, coupled with the often-frightening speed at which details of a zero-day flaw can spread around the internet, can potentially cause problems for large organisations.
And while IE is still host to the vast majority of serious flaws which are actually exploited, other browsers are now coming under closer scrutiny. Symantec’s half-yearly Internet Threat Security Report, released last month and covering the first half of the year, showed that the vulnerability situation across all browsers – and other software – had reached new heights.
“Symantec documented 2,249 new vulnerabilities in the first half of 2006. This is an increase of 18% over the 1,912 vulnerabilities that were documented in the second half of 2005. It is also a 20% increase over the 1,874 vulnerabilities that were reported in the first half of 2005. Symantec documented a higher volume of vulnerabilities in this reporting period than in any other previous six-month period,” the report stated.
Luckily for enterprise users, 69% of these vulnerabilities belonged to web applications, more commonly used by home users than businesses. The widespread flaws within these applications do demonstrate that the much-vaunted Web 2.0 movement is still very much in its infancy.
On the browser side, the report painted a very muddled picture of the overall security situation. Mozilla’s Firefox browser and its variants, which are widely seen as being more secure than Microsoft’s IE, had the highest number of vulnerabilities of any browser, at 47 for the first half of the year – Internet Explorer had 38, with Apple’s Safari on 12 and Opera on seven.
On the flip side, Microsoft had the longest time-to-patch at nine days, compared to just one for Mozilla. While speed of patching is important, it can cause problems for enterprises – the average time-to-patch for enterprise software overall was 28 days.
Security analysts have been divided on Microsoft’s policy of releasing its patches just once a month – it is clearly a risk to have identified, exploitable vulnerabilities sitting unattended for up to a month. But for enterprises, having a predictable, controlled patch delivery system may prevent more chaos than it causes.