Patches? We Don't Need No Stinkin' Patches: Survey
Published: June 25, 2008
by Alex Woodie
People aren't applying Windows patches from Microsoft, according to a new survey released yesterday by anti-malware software vendor Sophos. The study found that 63 percent of corporate PCs surveyed were missing at least one patch that addressed vulnerabilities in Windows, Office, Internet Explorer, Windows Media Player, or Macromedia Flash, providing "low-hanging fruit" for cybercriminals to exploit, Sophos says. But others say there's no way to keep up with all the patches, and that they don't always protect you, anyway.
As part of its Endpoint Assessment Test, Sophos ran its online scanning tool against 583 PCs located around the world for 40 days. The test looked for security vulnerabilities, including missing Microsoft security patches, disabled client firewalls, or missing endpoint security software updates.
The results, which can be viewed here, are slightly disturbing. Sophos found that 81 percent of the PCs failed one or more of the tests, more than 60 percent were missing Microsoft or Adobe Macromedia patches, 51 percent had disabled client firewalls, and 15 percent had out-of-date or disabled endpoint security software, such as antivirus or anti-malware software.
Only 37 percent of machines analyzed by Sophos were fully patched, and only 47 percent had a firewall enabled. "Ultimately, machines that fail such a test represent 'low hanging fruit' for cybercriminals and a real danger to their corporate networks," said Bill Emerick, Sophos vice president of product management for network access control products.
Considering that the number of reported security vulnerabilities across operating systems and applications has decreased over the last 12 months, could it be that people have just become complacent about applying patches? Doubtful, says Roger Thompson, chief technology officer of Exploit Prevention Labs, which develops intrusion detection systems.
"Microsoft does a great job of testing their patches, but they can't test against everything," he says. Microsoft often publishes 10 patches every month, and the workload of testing each of these patches against mission-critical applications can be overwhelming. "Corporations are trying to be choosey about which patches they deploy," he says. "On a monthly basis it's a war of attrition."
While users struggle to keep up with their patches, the Internet continues to become a more dangerous place. Here are some sobering security statistics:
- Phishing Web sites are exploding across the Web, according to Symantec's latest Internet Security Threat Report. During the last six months of 2007, the number of phishing Web sites jumped 650 percent, from 13,400 phishing Web sites to 88,000 phishing Web sites.
- Trojan Horse attacks were up 300 percent during the second half of 2007, according to Microsoft's Security Intelligence Report, released in April.
- The widespread availability of easy-to-use malware toolkits in 2007 lowered the barrier to entry for becoming a cybercriminal, according to the annual report on the state of information security by IBM's Internet Security Systems (ISS) division.
- Parasitic crimeware, which is software designed to steal information using the traditional techniques pioneered by virus writers, is expected to grow by 20 percent this year, according to McAfee's Avert Labs' annual top 10 list of security predictions.
If there was any good news coming out of the Sophos report, it's that up-to-date anti-malware was installed on 85 percent of the surveyed systems, which can help protect users against the threats listed above.
The Web, from which security firms extract 20,000 to 30,000 new malware samples per day, is the real problem, Thompson says. "Firewalls keep out most things, but they don't keep out Web traffic," he says. "When you start a Web browser session, it becomes an instant tunnel through the firewall, the code gets back to the desktop, and that's how people get nailed. Whether they use my product [called LinkScanner] or somebody else's, they need something that filters the Web traffic, the HTTP stream."
It's probably worth noting that the best protection from network-based threats--or any information security threats, for that matter--will always be to have multiple layers of security, providing overlapping redundancy in the most critical areas. That means users should do their best to install patches from Microsoft and other vendors, they should turn on their firewall, and--within a reasonable amount of time that should be spent on testing--they should install Microsoft's patches.