Patch first, ask questions later

You'll never have a perfectly patched environment, so play the odds -- patch software hit most by successful exploits first

Page 2 of 2

Why so many XML Core Services are unpatched

Nonetheless, should you be worried about all the unpatched Microsoft XML Core Services?

For now, not so much -- few successful exploits target XML Core Services, which exist to enable developers to call on services rather than write everything from scratch. It's good to be aware of the vulnerability, and you should keep your eye on it, in case XML Core Services make it into the top 10 list of exploited vectors. Meanwhile, the risk remains more theoretical than real.

But, you may ask, why are so many instances of Microsoft XML Core Services unpatched in the first place? Why doesn't Microsoft patch it like it does all its other programs?

Good question, especially in light of the fact that it takes only one mechanism to update most Microsoft programs -- which is one reason why other Microsoft software ranks among the most patched software on PCs. Secunia offers one answer in a related blog post, which explains that many unpatched XML Core Services components have reached "end of life": no vendor updates or patches software past its end-of-life date, at least not without an expensive support contract.

But a larger reason stems from the way Microsoft XML Core Services are distributed. They're most often installed by third-party vendors as part of their software. Microsoft didn't put them on your system, so Microsoft can't simply replace them without the risk of breaking something. Meanwhile, the software developer either wants you to upgrade to a new version in which the vulnerability has been fixed or simply hasn't considered the risk that an unpatched version of XML Core Services might pose.

As with any software program, you can always check the vendor's website for the most recent patch. Go to Microsoft's Download Center and search for XML Core Services. Be careful to back up your system (or at least the impacted application and system directories) before applying any updates, since you never know when an update may fail.

More obviously, if you don't need the program that's relying on the unpatched components, uninstall it. This advice applies to any unpatched program.
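Before heading to the Download Center or deciding what to uninstall, it helps to know which MSXML copies a machine actually carries. The following PowerShell inventory is an added example, not code from the article or from Microsoft: it lists every msxml*.dll in the system directories with its file version, and the MSXML products registered under Programs and Features (the separately installed copies that third-party installers typically leave behind). It only reads; the DisplayName pattern and the directory list are assumptions about where such components live.

```powershell
# Added example (not from the article): read-only inventory of MSXML on a Windows host.
# 1. Every msxml*.dll in the 64-bit and 32-bit system directories, with its file
#    version, for comparison against the current release on Microsoft's Download Center.
# 2. Programs and Features entries that install MSXML as a separate product, which
#    are the copies third-party installers typically drop and Microsoft Update won't touch.

function Get-MsxmlDllInventory {
    # Assumption: MSXML DLLs live in System32 (64-bit) and SysWOW64 (32-bit).
    $dirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
    foreach ($dir in $dirs) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -Filter 'msxml*.dll' -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Path         = $_.FullName
                    FileVersion  = $_.VersionInfo.FileVersion
                    LastModified = $_.LastWriteTime
                }
            }
    }
}

function Get-MsxmlInstalledProducts {
    # Uninstall keys for 64-bit, 32-bit and per-user software.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    # Assumption: separately installed MSXML products name themselves with one of these strings.
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'MSXML|XML Core Services' } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, UninstallString
}

Write-Host 'MSXML DLLs present on this host:'
Get-MsxmlDllInventory | Sort-Object Path | Format-Table -AutoSize

Write-Host 'MSXML products registered in Programs and Features:'
Get-MsxmlInstalledProducts | Format-Table -AutoSize
```

Run it across a fleet (for example through your remote-management tooling) and the second table tells you which third-party-delivered MSXML products you are responsible for tracking yourself.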

But remember the most important lesson: It's far more important to patch 100 percent of the most exploited programs in your environment than it is to try to patch every program in your environment. You won't be surprised to learn that organizations that commit to patching all software all the time almost always fail -- and frequently leave holes in the wrong places.

First things first: When you finish patching the 10 most successfully exploited programs, then worry about the stuff that makes up the other 1 percent -- if you have the time to get to it.

This story, "Patch first, ask questions later," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.
