By: Jason Miller, Manager, Research and Development at VMware
Microsoft is planning to release an out-of-band patch for a zero-day vulnerability at noon CST today.
We can set our calendars to the second Tuesday of every month (known as Patch Tuesday) for new Microsoft security bulletins. Microsoft Patch Tuesday has become a ritual for the IT security industry. Today is a stark reminder that you must always stay vigilant and informed about what is happening in the security industry. At any time, a vendor may release a patch out-of-band to address a zero-day vulnerability.
When is an out-of-band patch warranted?
Only the software vendor can decide when a patch for a vulnerability should be released out-of-band from its normal release cycle. Typically, a vendor will release a patch out-of-band when there are active exploits against the vulnerability, the vulnerability details have been released publicly, and the affected software is widespread enough that exploitation could become a major attack outbreak. With today’s release, all three of these criteria have been met.
Out-of-band patch releases are risky for the software vendor
When a patch must be released out of band, the software vendor creating the patch is taking on risk. In my previous post, I talked about the risk that IT administrators may take when implementing workarounds. For the software vendor, the risk of creating and testing the patch incorrectly is greatly increased. The patch may fix the vulnerability, but there is always the possibility that a software patch will break normal functionality of a program. For example: a patch fixes a vulnerability, but the program now crashes when printing or saving.
Pay attention to all patches after applying, especially out-of-band patches
There is a chance with any patch that functionality could be broken. With out-of-band patches, pay particular attention to the patched product to ensure other functionality is not broken. If you find some functionality is broken, do not simply remove the patch. Contact the software vendor to determine whether restoring the functionality at the cost of re-introducing the vulnerability is worth the risk.
Out-of-band patch releases are not as common as we think
Since January 2010, Microsoft has released 269 security bulletins. Only six of these bulletins (including today’s release) have been released out-of-band. In fact, the last out-of-band patch release from Microsoft came nine months ago.
Year | Total Bulletins | Out-of-Band | % Out-of-band
2010 | 106 | 4 | ~4%
2011 | 100 | 1 | ~1%
2012 | 63* | 1 | ~2%
(Note: 2012 includes today’s security bulletin release)
Security advisories do not mean out-of-band
Previously, I talked about zero-day vulnerabilities and security advisories. Microsoft quite often releases security advisories throughout any given month. The majority of these security advisories (pertaining to zero-day vulnerabilities) are fixed during a scheduled Patch Tuesday. Below, you can see all of the security advisories Microsoft has released along with the date the patch fixing each vulnerability was released. As you can see, active exploits occur quite often and do not, by themselves, warrant an out-of-band patch.
Advisory Release Date | Advisory # | Vulnerable MS Product | Fixed In | Fixed Date | Out-of-band | Days Between Advisory/Release
1/14/2010 | 979352 | Internet Explorer | MS10-002 | 1/21/2010 | Yes | 7
11/13/2009 | 977544 | OS – SMB | MS10-020 | 4/13/2010 | No | 150
1/20/2010 | 979682 | OS – Kernel | MS10-015 | 2/9/2010 | No | 19
2/3/2010 | 980088 | Internet Explorer | MS10-035 | 6/8/2010 | No | 125
2/9/2010 | 977377 | OS – SChannel | MS10-049 | 8/10/2010 | No | 181
3/1/2010 | 981169 | OS – VBScript | MS10-022 | 4/13/2010 | No | 42
3/9/2010 | 981374 | Internet Explorer | MS10-018 | 3/30/2010 | Yes | 21
4/29/2010 | 983438 | SharePoint | MS10-039 | 6/8/2010 | No | 39
5/18/2010 | 2028859 | OS – Canonical Display Driver | MS10-043 | 7/13/2010 | No | 55
6/10/2010 | 2219475 | OS – Help | MS10-042 | 7/13/2010 | No | 33
7/16/2010 | 2286198 | OS – Windows Shell | MS10-046 | 8/2/2010 | Yes | 16
9/17/2010 | 2416728 | .NET Framework | MS10-070 | 9/27/2010 | Yes | 10
11/3/2010 | 2458511 | Internet Explorer | MS10-090 | 12/14/2010 | No | 41
12/22/2010 | 2488013 | Internet Explorer | MS11-003 | 2/8/2011 | No | 46
1/4/2011 | 2490606 | OS – Windows Shell Graphics | MS11-006 | 2/8/2011 | No | 34
1/28/2011 | 2501696 | OS – MHTML | MS11-026 | 4/12/2011 | No | 74
9/26/2011 | 2588513 | OS – SSL/TLS | MS12-006 | 1/10/2012 | No | 104
11/3/2011 | 2639658 | OS – Kernel-Mode Drivers | MS11-087 | 12/13/2011 | No | 40
12/28/2011 | 2659883 | .NET Framework | MS11-100 | 12/29/2011 | Yes | 1
6/12/2012 | 2719615 | MS XML Core Services | MS12-043 | 7/11/2012 | No | 29
7/24/2012 | 273711 | Exchange Server | MS12-058 | 8/15/2012 | No | 21
9/17/2012 | 2757760 | Internet Explorer | MS12-063 | 9/21/2012 | Yes | 4
(Note: Not all security advisories from Microsoft have a bulletin associated with them. Some security advisories have only workarounds, information, or non-security patches associated with them. Those security advisories are not included in this list.)
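The table above is the kind of data a patch-management team should keep for its own environment, because it answers the question this post is asking: how long does an advisory sit open before a fix ships, and does that differ when the fix comes out-of-band? The script below is an added example, not code from the post or from VMware. It transcribes the rows of the table as its input, models Patch Tuesday as the second Tuesday of the month (an assumption made here, not a definition the post gives), computes the median exposure window for out-of-band versus scheduled fixes, and runs a consistency check that flags any row whose printed out-of-band flag or day count the dates do not reproduce, the sanity check to run before reusing any hand-built table like this one.

```python
"""Patch-latency summary and consistency check over the advisory table.

Added example, not the post's own code. Rows are transcribed from the
table above; the "second Tuesday of the month" rule for Patch Tuesday
is a modelling assumption made here.
"""
from datetime import date, timedelta
from statistics import median
from typing import NamedTuple


class Advisory(NamedTuple):
    advisory_id: str    # Microsoft security advisory number, as printed
    product: str
    bulletin: str       # bulletin that fixed the vulnerability
    advisory_date: str  # U.S. m/d/yyyy format, as printed in the post
    fixed_date: str
    out_of_band: bool   # the post's own classification
    printed_days: int   # the post's "Days Between Advisory/Release" column


# Transcribed from the post's table (constructed input for this example).
ADVISORIES = [
    Advisory("979352", "Internet Explorer", "MS10-002", "1/14/2010", "1/21/2010", True, 7),
    Advisory("977544", "OS - SMB", "MS10-020", "11/13/2009", "4/13/2010", False, 150),
    Advisory("979682", "OS - Kernel", "MS10-015", "1/20/2010", "2/9/2010", False, 19),
    Advisory("980088", "Internet Explorer", "MS10-035", "2/3/2010", "6/8/2010", False, 125),
    Advisory("977377", "OS - SChannel", "MS10-049", "2/9/2010", "8/10/2010", False, 181),
    Advisory("981169", "OS - VBScript", "MS10-022", "3/1/2010", "4/13/2010", False, 42),
    Advisory("981374", "Internet Explorer", "MS10-018", "3/9/2010", "3/30/2010", True, 21),
    Advisory("983438", "SharePoint", "MS10-039", "4/29/2010", "6/8/2010", False, 39),
    Advisory("2028859", "OS - Canonical Display Driver", "MS10-043", "5/18/2010", "7/13/2010", False, 55),
    Advisory("2219475", "OS - Help", "MS10-042", "6/10/2010", "7/13/2010", False, 33),
    Advisory("2286198", "OS - Windows Shell", "MS10-046", "7/16/2010", "8/2/2010", True, 16),
    Advisory("2416728", ".NET Framework", "MS10-070", "9/17/2010", "9/27/2010", True, 10),
    Advisory("2458511", "Internet Explorer", "MS10-090", "11/3/2010", "12/14/2010", False, 41),
    Advisory("2488013", "Internet Explorer", "MS11-003", "12/22/2010", "2/8/2011", False, 46),
    Advisory("2490606", "OS - Windows Shell Graphics", "MS11-006", "1/4/2011", "2/8/2011", False, 34),
    Advisory("2501696", "OS - MHTML", "MS11-026", "1/28/2011", "4/12/2011", False, 74),
    Advisory("2588513", "OS - SSL/TLS", "MS12-006", "9/26/2011", "1/10/2012", False, 104),
    Advisory("2639658", "OS - Kernel-Mode Drivers", "MS11-087", "11/3/2011", "12/13/2011", False, 40),
    Advisory("2659883", ".NET Framework", "MS11-100", "12/28/2011", "12/29/2011", True, 1),
    Advisory("2719615", "MS XML Core Services", "MS12-043", "6/12/2012", "7/11/2012", False, 29),
    Advisory("273711", "Exchange Server", "MS12-058", "7/24/2012", "8/15/2012", False, 21),
    Advisory("2757760", "Internet Explorer", "MS12-063", "9/17/2012", "9/21/2012", True, 4),
]


def parse_us_date(text: str) -> date:
    """Parse the post's m/d/yyyy strings into date objects."""
    month, day, year = (int(part) for part in text.split("/"))
    return date(year, month, day)


def second_tuesday(year: int, month: int) -> date:
    """Patch Tuesday model: the second Tuesday of the month (weekday() gives 0=Mon, 1=Tue)."""
    first = date(year, month, 1)
    first_tuesday = first + timedelta(days=(1 - first.weekday()) % 7)
    return first_tuesday + timedelta(days=7)


def is_patch_tuesday(day: date) -> bool:
    return day == second_tuesday(day.year, day.month)


def days_between(advisory_date: str, fixed_date: str) -> int:
    """Calendar days from advisory publication to the fixing bulletin."""
    return (parse_us_date(fixed_date) - parse_us_date(advisory_date)).days


def summarize(rows):
    """Median exposure window for out-of-band vs. scheduled fixes, using the printed day counts."""
    oob = [r.printed_days for r in rows if r.out_of_band]
    scheduled = [r.printed_days for r in rows if not r.out_of_band]
    return {
        "oob_count": len(oob),
        "scheduled_count": len(scheduled),
        "oob_median_days": median(oob),
        "scheduled_median_days": median(scheduled),
    }


def audit(rows):
    """Flag rows whose printed flag or day count the dates do not reproduce."""
    issues = []
    for r in rows:
        fixed = parse_us_date(r.fixed_date)
        # A fix on Patch Tuesday should be labelled scheduled, and vice versa.
        if r.out_of_band == is_patch_tuesday(fixed):
            issues.append((r.advisory_id, "out-of-band flag disagrees with the second-Tuesday rule"))
        recomputed = days_between(r.advisory_date, r.fixed_date)
        if recomputed != r.printed_days:
            issues.append((r.advisory_id, f"printed {r.printed_days} days, dates give {recomputed}"))
    return issues


if __name__ == "__main__":
    print(summarize(ADVISORIES))
    for advisory_id, issue in audit(ADVISORIES):
        print(advisory_id, issue)
```

Running it prints the two medians side by side (the six out-of-band fixes in this table have a far shorter advisory-to-fix window than the sixteen scheduled ones) and then lists every row the consistency check could not reproduce from its own dates. The second-Tuesday rule is deliberately simple; a team tracking its own vendors would replace it with each vendor's published cadence.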
Today’s out-of-band security bulletin affects an Internet browser, so it should be high on your priority list for patch deployment today or this weekend. With any out-of-band release, deploy the patch as soon as possible to prevent attackers from taking advantage of the vulnerability on your network.
To learn more about VMware Go Pro, please visit go.vmware.com.
