Although the importance of a robust patching process may seem obvious, many organisations are still plagued by security issues related to legacy, out-of-date, unmanaged, and unsupported systems and software. We know it is important to apply all security updates in a timely manner to ensure that hosts are not affected by known vulnerabilities.
Security patches are also a good source of information for malicious actors. Exploits and malicious software can be created by reverse engineering a security patch after its release. Exploit code is often distributed and widely available online, and a number of tools make exploiting these issues somewhat trivial.
For example, when Microsoft took the unusual step of releasing patches in May 2019 for operating systems it no longer supports (including XP and Server 2003), this implied that something serious was afoot. The patches fixed CVE-2019-0708, a remote code execution flaw in RDP that was later dubbed "BlueKeep". A mad scramble by security researchers then ensued to analyse the patch and produce a working PoC exploit. Although "BlueKeep" was notoriously hard to exploit, within weeks researchers including SophosLabs were publicly declaring the existence of reliable exploit code.
Additionally, and arguably more importantly, older vulnerabilities are still heavily targeted, which is why a methodical patching approach that emphasises consistency and coverage matters more than patching quickly but unevenly. For example, it only takes a single host to be missing MS17-010 for an attacker to gain a foothold on your domain from which to launch further attacks against other users and services.
What to do
Centralised Update Systems
Use a centralised update system to maintain and track updates across your estate. As well as operating system updates, it is important not to neglect third-party client and server software such as Java, Firefox, Chrome, Apache, Tomcat, JBoss, and the plethora of Adobe products. Hardware and software asset management is vital to achieving this, and there are many tools available, including Windows Server Update Services (WSUS), Red Hat Satellite, and Microsoft Endpoint Configuration Manager (previously SCCM).
Legacy software and systems that are no longer supported or have reached end-of-life need to be decommissioned, upgraded, or replaced. Lack of support means that the vendor will release no new security patches, so the product becomes increasingly at risk over time and is likely to contain unfixed security vulnerabilities as a result.
Make sure that any prerequisite registry keys, Group Policy Objects, or configuration changes required by the patch are deployed. Many Microsoft patches require these in addition to installation in order to fix the vulnerability or enable mitigations; without them the patch is installed but the host remains exposed. Also ensure machines are rebooted regularly, as many patches are not fully applied until after a restart.
Audit the estate (or a sample of it) at regular intervals to ensure that any patching policy implemented is being successfully deployed. Potential tools for this include:
- Windows Update Agent API - a set of COM interfaces that enable system administrators and programmers to access Windows Update and Windows Server Update Services (WSUS). Scripts and programs can use it to examine which updates are currently available for a computer, and then to install or uninstall them.
- Nessus - a commercial vulnerability scanner that can perform authenticated scans of Windows and Linux hosts to enumerate missing patches as well as many other security vulnerabilities.
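The following PowerShell script is an added example, not code from the original article or from any of the tools it names. It shows how the Windows Update Agent API mentioned above can be used for the audit step, and it also covers the earlier point about prerequisite registry values and reboots: it lists software updates the host has not installed, checks whether a reboot is still pending, and compares a table of prerequisite registry values against what is actually set. It assumes an elevated local PowerShell session (wrap it in Invoke-Command to run it against remote hosts) and that the host can reach Windows Update or its WSUS server; the `$prereqs` entry is a placeholder, to be filled in from the vendor advisory for each patch that needs a registry or GPO change.

```powershell
# Added example (not from the original article): audit one Windows host for
# missing updates, a pending reboot, and patch-prerequisite registry values,
# using the Windows Update Agent (WUA) COM API referred to above.
# Assumes an elevated local session; wrap in Invoke-Command for remote hosts.

# --- 1. Missing updates via the WUA API -------------------------------------
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
# Criteria: not installed, software (not driver), and not hidden by an admin
$result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

$missing = @(foreach ($u in $result.Updates) {
    [pscustomobject]@{
        KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Severity = $u.MsrcSeverity      # e.g. Critical / Important, or empty
        Title    = $u.Title
    }
})

# --- 2. Pending reboot: an installed patch is not effective until restart -----
$rebootFlags = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
)
$rebootPending = @($rebootFlags | Where-Object { Test-Path $_ }).Count -gt 0
# The WUA API exposes the same fact directly through ISystemInformation
$rebootPending = $rebootPending -or
    (New-Object -ComObject 'Microsoft.Update.SystemInfo').RebootRequired

# --- 3. Prerequisite registry values that the patch itself does not set ------
# PLACEHOLDER table: take Path/Name/Expected from the vendor advisory for
# each patch that only becomes effective once a registry or GPO change is made.
$prereqs = @(
    @{ Path = 'HKLM:\SOFTWARE\EXAMPLE\PatchPrereq'; Name = 'EnableMitigation'; Expected = 1 }
)
$prereqResults = @(foreach ($p in $prereqs) {
    $actual = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
    [pscustomobject]@{
        Key      = "$($p.Path)\$($p.Name)"
        Expected = $p.Expected
        Actual   = $actual                       # $null when the value is absent
        Ok       = ($actual -eq $p.Expected)
    }
})

# --- 4. Summary line (collect these across hosts to measure patch coverage) --
[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    MissingUpdates   = $missing.Count
    CriticalMissing  = @($missing | Where-Object { $_.Severity -eq 'Critical' }).Count
    RebootPending    = [bool]$rebootPending
    PrereqsSatisfied = @($prereqResults | Where-Object { -not $_.Ok }).Count -eq 0
    AuditedAtUtc     = (Get-Date).ToUniversalTime().ToString('o')
}
$missing       | Sort-Object Severity | Format-Table -AutoSize
$prereqResults | Format-Table -AutoSize
```

A host that reports zero missing updates but `RebootPending = True` or `PrereqsSatisfied = False` is still vulnerable to whatever those patches fix, which is why the summary carries all three signals rather than only the missing-update count.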