Like the old saying goes, “Close only counts in horseshoes and hand grenades.” I’ve developed a corollary this week, “The ‘number of flaws’ only matters to vulnerability assessment scanners and journalists.”
I’ve read many news stories this week talking about the record number of flaws/vulnerabilities that Microsoft fixed in the June ’09 Patch Tuesday release. For the record, I’m saying that none of this is relevant.
Let’s take MS09-019 as an example. MS09-019 is a cumulative update for Microsoft Internet Explorer. The Microsoft bulletin details eight individual flaws that were addressed by the patches referenced in the security bulletin. Each flaw can be exploited in the same manner — visit an evil website and the evil website can run code on your system. And the closely related ‘the evil code will run in the context of the currently logged on user’.
As a Systems Administrator, one thing is clear to me: if my users visit an evil website, their machine’s can be exploited. How do I rectify this? I can apply the suggested patch.
Do I care that there were eight different underlying flaws that would lead to the evil code execution? No.
Do I need to take eight different steps to protect myself from this vulnerability? No.
Can I patch my systems to protect them from only 7 of the 8 vulnerabilities? No.
What I do care about is the amount of effort required to protect my machines from this issue. That answer is ‘1’. 1 patch will protect me from these issues – whether there is only 1 listed flaw, or 17 listed flaws. One patch does the trick.
Microsoft issued ten security bulletins covering some much larger number of flaws (I won’t list that number here, because I can’t be bothered to count something that is irrelevant). As a Systems Administrator, I should look at my maximum effort as something up to ’10’. Some of the bulletins may be for products that don’t impact me; therefore, the number could be somewhat lower. Some months, Microsoft has released more than 10 bulletins. That tells me more work is required. Other months, Microsoft has only released one bulletin – therefore seemingly less effort required to fix my systems then when 10 bulletins appear.
If Microsoft only released one bulletin in a month, and that bulletin addressed 52 issues, does that mean it’s almost twice as much effort to remediate my systems vs. a month that had 10 bulletins but a purported lower number of vulnerabilities? No.
Could Microsoft manipulate the way that they call out the flaws in their bulletins? Sure. Does Microsoft list out all of the additional variants that they found internally when researching the externally reported flaw? No sir. This could hike the flaw numbers much higher. Could Microsoft combine like flaws into single reported flaws? Yes – though they’d need to appease the individuals who reported the items to them, so they each get their day in the sun.
And how about those VA scanners?
Each of the flaws discussed above gets a unique CVE number. Vulnerability Scanner vendors input definitions to their products by CVE number. When I scan my system that is missing just one patch (MS09-019) I get 8 ‘vulnerabilities’ flagged on my machine – one for each of the ‘flaws’ in the 09-019 bulletin. Doesn’t help me remediate my system. Makes it look like a lot of work to get these items remediated, when in reality, it just needs one patch.
All of the above is irrelevant. I care about the number of patches.
To that end, how many patches were released on the June 2009 patch day? Have any journalists mentioned this? Not that I’ve seen. The number of patches released is, at the end of the day, a better reflection of the amount of effort required to make your company secure.
I frequently hear people ask “how many patches did Microsoft release today?” and the answer is something along the lines of “10 today”. No, this is the number of security bulletins released. The number of patches is something else entirely.
For June 2009, Microsoft released 64 unique security bulletin-related patches. This includes English x86 and x64 (but not ia64.) 362 meg, if you care to know. (multi-national organizations need to multiply the number of patches by the number of languages they manage)
Worst case, I have a subset of up to 64 different patches to apply to each of my systems. The tough part is figuring out which ones go to which systems. Those companies that do patch management by hand are in a world of hurt – there’s no way to manage each of these by hand. But I digress…
Let’s start a new trend – let’s talk about the true numbers on patch day – those that reflect the actual level of effort – not those that allow journalists to go for sensationalist or help Mozilla justify themselves vs. Microsoft.
* Eric Schultze is chief technology officer at Shavlik Technologies, a vulnerability management company.