Monthly Archives: August 2012

The Importance of Patching Third-Party Applications

By Matt Sarrel

Almost every organization has a methodology in place for patching Microsoft applications.  And as every savvy IT security professional knows, patches close vulnerabilities, which is critical to keeping data and business processes safe.  It’s the same old security story: lock one door and the thief will find another – and now we’ve got the whole vulnerability/patch war extending beyond Microsoft to applications from other vendors like Adobe and Apple.

The Best Offense is a Good Defense

Monitoring and patching software vulnerabilities within your organization is a highly effective security measure. Complex new threats and viruses emerge daily. The Flame virus discovered in 2012, Duqu virus (2011), and Stuxnet (2010) are particularly high-profile examples of recent viruses that occurred as part of an ongoing cyberwarfare campaign. While these attacks targeted and were mostly contained in specific countries, copycat virus writers will look to use these vulnerabilities in more widespread attacks in the future.

In addition, hacktivist organizations like Anonymous are targeting software vulnerabilities, many of which already have patches available, to carry out their attacks. With these attacks, Anonymous has proven to the world that patch management is still a challenge for most companies.

The faulty yet surprisingly common mentality of “As long as I do not use a Microsoft product, I do not have to be concerned about vulnerabilities being attacked on my system” is even less valid today than ever before. The Apple OS X Flashback Trojan, which was discovered in April 2012, is one recent example that showed that patching is not limited to just Microsoft products. The Flashback Trojan affected hundreds of thousands of computers running Apple’s operating system. In addition, malware developers continue to target non-Microsoft products from vendors such as Adobe, Apple and Google, as many administrators still have not gotten a handle on third-party (non-Microsoft) patching.

Web Browsers Among the Most Vulnerable Applications

As a result of this shift, it isn’t about just patching Microsoft applications anymore, but nearly every application in your network—especially Apple Safari, Mozilla Firefox, Google Chrome, Adobe Flash Player, and Adobe Reader, which contributed the most to the number of known vulnerabilities and patches in 2011. For a more detailed breakdown of vulnerabilities and patches, take a look at the following whitepaper: The Importance of Patching Non-Microsoft Applications

Of particular interest is that web browsers are the most targeted applications. This comes as no surprise given that just about every device is running a web browser, and web browsers run code from unknown (or hacked and known) sites every day. Apple Safari, Mozilla Firefox, Microsoft Internet Explorer, and Google Chrome hold the top four spots on the list of most vulnerable applications. Every device – virtual and physical – under management must regularly patch these highly vulnerable applications, or run the risk of exposing sensitive data to hackers via these vulnerabilities.

Keep Up to Date on the Latest Patch Vulnerability Data

The National Vulnerability Database (NVD) is the U.S. government’s repository of standards-based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance. It’s a great source for information about the latest vulnerabilities and patches for all applications.  You can read all the announcements, list vulnerabilities, and search by application. For example, as of July 30, 2012, NVD contains 51,715 CVE vulnerabilities and they’re publishing them at a rate of 17 vulnerabilities per day.

17 vulnerabilities per day? Go on vacation and you’ll miss 85 vulnerabilities and, hackers hope, the patches that fix them. That doesn’t sound good. It’s thus no surprise that having a reliable patch management system in place has become an absolute requirement for effectively running IT shops in organizations small and large (and everything in between).
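
One way to put NVD data to work for third-party patching, as an added example that is not part of the original post or any VMware tool: the Python below matches a software inventory against records whose field names are modelled on the `cpeMatch` entries in NVD's JSON data (`criteria`, `versionStartIncluding`, `versionEndExcluding`), then separates Microsoft findings from third-party ones. The hosts, versions and CVE ids are constructed placeholders, and versions are assumed to be purely numeric and dotted.

```python
# Added example. Inventory and CVE records are constructed sample data;
# the CVE ids are placeholders, not real entries.
INVENTORY = [  # (host, vendor, product, installed version)
    ("ws-01", "adobe", "flash_player", "11.2.0.5"),
    ("ws-01", "microsoft", "internet_explorer", "9.0"),
    ("ws-02", "mozilla", "firefox", "14.0.1"),
    ("ws-02", "adobe", "flash_player", "11.3.0.0"),
]
CVE_RECORDS = [  # flattened records with NVD-style cpeMatch field names
    {"id": "CVE-0000-0001", "criteria": "cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*",
     "versionEndExcluding": "11.3.0.0"},
    {"id": "CVE-0000-0002", "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "13.0", "versionEndExcluding": "14.0.1"},
    {"id": "CVE-0000-0003",
     "criteria": "cpe:2.3:a:microsoft:internet_explorer:9.0:*:*:*:*:*:*:*"},
]

def parse_version(v):
    """'11.3.0.0' -> (11, 3); assumes purely numeric dotted versions."""
    parts = [int(p) for p in v.split(".")]
    while parts and parts[-1] == 0:     # so '9' and '9.0' compare equal
        parts.pop()
    return tuple(parts)

def is_affected(vendor, product, version, rec):
    f = rec["criteria"].split(":")      # cpe:2.3:part:vendor:product:version:...
    if (f[3], f[4]) != (vendor, product):
        return False
    v = parse_version(version)
    start = rec.get("versionStartIncluding")
    end = rec.get("versionEndExcluding")
    if start is None and end is None:   # no range: CPE names one version (or any)
        return f[5] == "*" or parse_version(f[5]) == v
    if start is not None and v < parse_version(start):
        return False
    return end is None or v < parse_version(end)

def find_unpatched(inventory, records):
    """List (host, vendor, product, cve_id) for every vulnerable install."""
    return [(host, vendor, product, rec["id"])
            for host, vendor, product, version in inventory
            for rec in records
            if is_affected(vendor, product, version, rec)]

def split_by_vendor(findings):
    """Return (microsoft, third_party) so third-party gaps are visible."""
    ms = [f for f in findings if f[1] == "microsoft"]
    return ms, [f for f in findings if f[1] != "microsoft"]

if __name__ == "__main__":
    ms, third = split_by_vendor(find_unpatched(INVENTORY, CVE_RECORDS))
    print("Microsoft findings:", ms)
    print("Third-party findings:", third)
```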

Learn more about how VMware Go Pro can help you with patch management – register for a free trial today!

And be sure to follow @VMwareGo on Twitter to stay up to date on our latest product news.

Finally, be sure to check out VMware Go’s sessions at VMworld this year:

Creating a Highly Profitable Virtualization Practice with VMware Go Pro

VMware Go: The Zen for Small and Midsized Business IT Management