An estimated 85 percent of all recent targeted cyber attacks could have been prevented if the PCs involved had been up to date with current security patches. So why aren't companies -- and individuals -- keeping their computers patched? And what can we, and software manufacturers, do about it?
Those are the questions addressed by a new 27-page white paper from HP, "The hidden dangers of inadequate patching." HP security analyst Dustin Childs and the HP Security Research team present compelling evidence of a phenomenon we've been documenting almost daily for the past five years: Patches cause problems and software vendors exacerbate those problems with their practices.
The report starts with a straightforward observation: "In the 2015 Cyber Risk Report, HP Security Research (HPSR) noted that the top nine vulnerabilities detected in the wild were all over three years old."
Why do companies (and individuals) leave their computers unpatched for three years or longer? Why don't customers trust vendors to patch their systems without introducing complications? Childs' analysis lists six factors:
- Patches break things
- Patches introduce security problems
- Patches don't work as promised
- Patches include undocumented or unwanted bonus "features"
- At times, patches are pushed silently to users
"These situations… combine to compromise the trust users have in their vendors. Once that trust is eroded, it is difficult to regain. When customers do not trust the vendor to offer appropriate support, they will be less inclined to apply patches… we examine the industry-wide problems with patching and how inadequate servicing approaches hurt everyone."
The report goes into an extensive, and exhaustively documented, analysis of what's gone wrong with patching, and how enterprises in particular have difficulty coping with the onslaught of patches. Microsoft's December 2014 patching debacle gets particular scrutiny -- as well it should.
It all builds to a key, if rhetorical, question:
We have failed as an industry to ask one simple yet crucial question: why is it this hard? In a perfect world, patches would be easy to install through a trustworthy automatic updating system. Patches should contain fixes for the security problem and nothing else. While vendors cannot account for internally developed applications or one-off configurations, generally speaking, patches should not break things. Vendors should be transparent and open about what is being fixed. In other words, in a perfect world, software vendors take full accountability for patching the software they released, and they should make it easier on the end user to correct the bugs found after the software is released. However, we don't live in that world. We live in a world where the burden of patching rests on the enterprise instead of the vendor. Therefore, enterprises must be aware of the dangers and pitfalls of having an inadequate patching strategy.
The report goes on to emphasize that this isn't only a "today" issue. Bad patches have implications in the cloud, as well -- and Microsoft isn't the only rotten apple.
If a service provider is the same vendor that cannot publish patches without introducing problems to the public, can they be trusted to do it privately? Conversely, can customers trust a cloud service provider who has no history of issuing patches and no history of disclosing information on what patches they have installed?
From there, the report gives specific examples of "lack of transparency." It's sobering.
The report ends with a Patching Manifesto, a "demand for transparency":
Software vendors must earn back the trust of users -- their direct customers -- to help restore faith in automatic updates. One key strategy to accomplish this must be the open and transparent communication of patches and their impact. Customers must be told when patches are available, what the patches do, and what side effects the patches may have. When problems arise, vendors should be clear about what is happening and offer workarounds to those affected. In short, vendors need to approach the communications surrounding security patches as a matter of customer protections, not press relations.
I sure hope somebody at Microsoft reads this report. It'd be even better if those involved understand it and take action. With Windows 10 looming on the immediate horizon, there is no better time to make changes.