Vulnerabilities and Patches

I am often involved in various discussions and hear frequent concerns about vulnerabilities on an organization’s computers.  This is a regular discussion topic at some of the meetings I attend, and I am frequently asked about the differences between patches and vulnerabilities.

What are they? Why are there so many?  If we are always deploying patches, why does this number seem to not be improving? If my computer is only missing one patch, why does it still have 76 vulnerabilities?!

In order to answer these questions, it is important to first understand the difference between a patch and a vulnerability. The short story is that a patch typically addresses one or more vulnerabilities. The vulnerability is the “hole,” and the patch is the “fix.” 

But a vulnerability is not necessarily remediated by applying a patch.  A patch is one or more vulnerability remediation items all rolled up into a single package that can be deployed by your centralized patch management system or manually installed.  A vulnerability is a description of a single “weakness” that presents a specific flaw in operating systems, software products, or configuration items.  While deploying a single patch fixes many vulnerabilities on a single computer, a vulnerability is usually remediated by applying a single patch or adjusting a configuration setting to a computer. 

More Specific Definitions: 

• Patch: This is typically a software update for the operating system or for a software product installed on a computer.  In a given month, we will typically see various patches for the Windows Operating System, the Internet Explorer Web Browser, and products such as Microsoft Office, FireFox, Chrome, or Adobe Acrobat.  A patch is an update that remediates one vulnerability or several. Patches are rated by their severity in terms of how much risk they present to the computing environment, and how quickly they should be applied.  Patches are normally rated as Critical, Important, Moderate, or Recommended.  Security patches usually fall into the Critical, Moderate, or Important ratings, while patches that fix a non-security “bug” or add additional functionality are usually “Recommended,” but are only applied if a particular problem exists.

• Vulnerability: A vulnerability is a much more granular way to describe a single weakness in operating systems, software, or configurations.  Where a patch is an update that addresses several vulnerabilities, a vulnerability, in contrast, is a single security weakness.  Vulnerabilities are identified by what is known as a “CVE,” which stands for Common Vulnerabilities and Exploits.  These are numbers assigned to vulnerability items, or potential vulnerability items, in software components, such as operating systems or productivity products.  A vulnerability may be mitigated by applying a patch.  A vulnerability might also be mitigated by adjusting a configuration setting, such as turning off Bluetooth or applying a setting to the Windows Firewall on a computer.  Vulnerabilities are rated by the severity of the weakness that they address, and are rated using a scoring system, known as the CVSS (Common Vulnerability Scoring System).  A CVSS score of less than 4 means that the vulnerability severity is Low.  A CVSS score of 4 – 6.9 means that the vulnerability severity is rated as Medium.  And a CVSS score of 7 – 10 means that the vulnerability severity is rated as High.

Vulnerabilities versus Patches Example:  

Let’s look at a recent patch released by Adobe – the Adobe Acrobat 11.0.16 update. When the Adobe Acrobat 11.0.16 update was released, it provided remediation for 76 different vulnerability CVE items that were rated as HIGH in the CVSS scoring system.  After deploying this patch to the 9,000 computers that needed the update, and then performing an analysis of the residual vulnerabilities a few days after the deployments started, we found that 7,500 computers received the patch, but 1,500 computers were still unpatched for this specific patch.  In patching terms, we are showing 83% patched for Adobe Acrobat 11.0.16, which is pretty good progress after only a few days.  In a vulnerability report on this same day, however, we would show as having over 120,000 High CVSS vulnerabilities.  This ONE MISSING PATCH on those 1,500 computers (17% of the total number of computers needing the patch) accounts for 114,000 vulnerability line items of the approximately 120,000 on the report.  That single patch accounted for approximately 95% of the total of the CVSS high vulnerability items on the report that day.  So even though the patch deployment effectiveness was progressing well to that point, the number of total HIGH vulnerabilities remaining on our computers was still very large.

 What You Can Do: 

There are a variety of things to keep in mind in the vulnerability and patching arena.  First of all, patch management is a moving target at best.  Try not to get too wrapped around the axle on raw numbers.  But here are some things you can do to help those numbers and to help make your analysis more meaningful:

• If you are using a centralized patch management system, such as Lumension, Tivoli, or SCCM/WSUS, ensure that your centralized patch management agents are installed and running properly.

• Some organizations have a large number of people who telework or work in the field and therefore connect infrequently - Ensure that your end users connect their computers to your network or VPN regularly to get patches and report their patch status. Not only is it important to connect regularly in order to receive scheduled patches, but it is important that they stay connected long enough to receive patches that are rather large in some cases. This is also necessary in order for the agents to regularly and accurately feed information up to the patch management system servers. This, in turn, helps to make sure that the data pulled for reports is the most current and the most accurate.
  
  
• Ensure that only needed products are installed on your computers. As was seen in the example above, Adobe Acrobat accounted for the majority of the vulnerabilities on our computers. But when I perform software usage analysis, I often see that many instances of Adobe Acrobat are not even used by the users on whose computers this is installed. If the product is not needed, then don’t install it.

Patching and vulnerability management are vital processes in any organization’s overall cyber-security program. Ensuring that all security software is installed and running is vital to this process. Make sure that computers are receiving their patch updates, and unnecessary software and services are not running on computers.  Performing regular patching is important, but so is doing meaningful follow-up analysis.  Find out where your holes are, find out what the "plugs" are for those holes, prioritize the weaknesses, and get 'am fixed!