Keeping Tabs On Patches
Let’s face it; we all have to deal with patches. Everyone from an IT systems administrator to your grandma has to face the challenges of patches. Whether you have a home computer that you use to browse the web, a phone that you occasionally check email from, or 10,000 enterprise desktops spread across three continents, you're dealing with patches. Regardless of your situation, you need to be able to answer two basic questions:
- Which patches are missing?
- Which patches have been successfully installed?
If you only have one computer in the house, the prompt to install updates probably annoys you to some degree, but it does answer the first question: you are missing patches. The operating systems themselves offer few measures of success for the second question. There are many situations that cause a patch to fail, or that leave vulnerable software behind after an update, and the average user will easily miss them. Your so-called "smart-phone" is even worse. Since most users do not connect their phones to their computers, or the carrier blocks operating system updates, you may never be able to answer the first question at all (I guess that's one reason why RIM maintains a prominent presence in the enterprise, as they answer both questions very well for the Blackberry users in your environment). Never knowing that patches are required is a big problem, and not knowing whether they applied successfully is another.
A Much Larger Problem
Enterprises with 10,000 or more desktops face the same patch tracking problem on a much larger scale. With so many devices that require patches, things are bound to go wrong! Lately I've been using dashboards in Tenable's SecurityCenter, and thanks to Tenable CEO/CTO Ron Gula, I have some interesting SecurityCenter 4.2 "dashboards" to help me track patches. Here's just one example:
[Image: SecurityCenter 4.2 "Tracking Patch Deployments" dashboard graph]
In the graph above, the blue line at the top represents the count of vulnerabilities detected across a set of hosts you choose (you configure which hosts feed this line, so it could be all of your Windows servers if you like). The bottom line represents a count of the new software installed on those hosts. It's an interesting way to view vulnerabilities and software side by side, for a few reasons:
- As you deploy patches, the count of new software installed will rise. This should cause a decrease in vulnerabilities.
- Sometimes, as you add software, the number of vulnerabilities will increase, since new software may itself contain vulnerabilities.
- Over time, we hope to use this as a measure of success for our patch management program: the total number of vulnerabilities should be on a continual decrease. Towards the end of the graph the number of vulnerabilities is trending downward, which means that patches have been installed successfully and fewer patches are missing (provided the set of scanned hosts stays the same; a host that drops out of the scan, or that the scanner can no longer log in to, lowers the count without anyone having patched it).
SecurityCenter 4.2 users can download the dashboard shown above, which is called "Tracking Patch Deployments".
To help you evaluate your exposure to the vulnerabilities addressed by this month's Microsoft Patch Tuesday, Tenable's Research team has published a Nessus plugin for each of the security bulletins issued this month. All of them are credentialed checks, so a host the scanner cannot authenticate to simply reports no finding; confirm that the credentials worked before reading an empty result as "patched":
- MS11-037 - Nessus Plugin ID 55117 (Credentialed Check)
- MS11-038 - Nessus Plugin ID 55118 (Credentialed Check)
- MS11-039 - Nessus Plugin ID 55119 (Credentialed Check)
- MS11-040 - Nessus Plugin ID 55120 (Credentialed Check)
- MS11-041 - Nessus Plugin ID 55121 (Credentialed Check)
- MS11-042 - Nessus Plugin ID 55122 (Credentialed Check)
- MS11-043 - Nessus Plugin ID 55123 (Credentialed Check)
- MS11-044 - Nessus Plugin ID 55124 (Credentialed Check)
- MS11-045 - Nessus Plugin ID 55125 (Credentialed Check)
- MS11-046 - Nessus Plugin ID 55126 (Credentialed Check)
- MS11-047 - Nessus Plugin ID 55127 (Credentialed Check)
- MS11-048 - Nessus Plugin ID 55128 (Credentialed Check)
- MS11-049 - Nessus Plugin ID 55129 (Credentialed Check)
- MS11-050 - Nessus Plugin ID 55130 (Credentialed Check)
- MS11-051 - Nessus Plugin ID 55131 (Credentialed Check)
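Both the dashboard described above and the per-bulletin plugin list come down to the same comparison: which findings disappeared between two credentialed scans, which remain, and which hosts you cannot actually vouch for. The Python script below is an added example, not code from the original post or from Tenable. It assumes scan results exported as a CSV with scan_date, host, plugin_id and plugin_name columns (constructed inline here, using the plugin IDs listed above but invented hosts, dates and results) plus a per-scan roster recording whether the credentialed check authenticated on each host; both the CSV layout and the roster are assumptions for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (not real scan output): one row per finding.
# Two snapshots of the same three hosts, one week apart.
FINDINGS_CSV = """scan_date,host,plugin_id,plugin_name
2011-06-15,ws01,55117,MS11-037
2011-06-15,ws01,55124,MS11-044
2011-06-15,ws01,55131,MS11-051
2011-06-15,ws02,55124,MS11-044
2011-06-15,ws02,55131,MS11-051
2011-06-15,srv01,55131,MS11-051
2011-06-22,ws01,55131,MS11-051
2011-06-22,srv01,55131,MS11-051
2011-06-22,srv01,55118,MS11-038
"""

# Constructed roster: which hosts each scan touched and whether the
# credentialed check authenticated. A host missing here, or whose credentials
# failed, produces no findings and must not be counted as patched.
SCANNED_HOSTS = {
    "2011-06-15": {"ws01": True, "ws02": True, "srv01": True},
    "2011-06-22": {"ws01": True, "ws02": False, "srv01": True},
}

BUCKETS = ("remediated", "still_missing", "new", "unverified")


def parse_findings(text):
    """Return {scan_date: {host: set(plugin_id)}} from the CSV export."""
    snapshots = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(text)):
        snapshots[row["scan_date"]][row["host"]].add(int(row["plugin_id"]))
    return snapshots


def vulnerability_trend(findings, roster):
    """Total findings per scan date, counting only hosts that authenticated.

    This is the dashboard's top line. Hosts that failed credentials are left
    out so a broken scanning account does not masquerade as a patched fleet.
    """
    trend = []
    for date in sorted(roster):
        hosts = findings.get(date, {})
        total = sum(len(hosts.get(h, ())) for h, ok in roster[date].items() if ok)
        trend.append((date, total))
    return trend


def compare_scans(findings, roster, before, after):
    """Answer both questions per plugin between two scans.

    remediated:    host had the finding before and not after (and authenticated)
    still_missing: host has the finding in both scans
    new:           host gained the finding (e.g. newly installed software)
    unverified:    host had the finding before, but the later scan could not
                   authenticate to it or did not scan it at all
    """
    report = defaultdict(lambda: {b: set() for b in BUCKETS})
    prev_scan = findings.get(before, {})
    cur_scan = findings.get(after, {})
    hosts = set(roster.get(before, {})) | set(roster.get(after, {}))
    for host in hosts:
        prev = prev_scan.get(host, set())
        cur = cur_scan.get(host, set())
        if not roster.get(after, {}).get(host, False):
            for pid in prev:
                report[pid]["unverified"].add(host)
            continue
        for pid in prev - cur:
            report[pid]["remediated"].add(host)
        for pid in prev & cur:
            report[pid]["still_missing"].add(host)
        for pid in cur - prev:
            report[pid]["new"].add(host)
    return dict(report)


def deployment_complete(report, plugin_id):
    """True only when no host still misses the patch and none is unverified."""
    entry = report.get(plugin_id)
    if entry is None:
        return True  # no host ever reported this finding
    return not entry["still_missing"] and not entry["unverified"]


if __name__ == "__main__":
    snaps = parse_findings(FINDINGS_CSV)
    for date, total in vulnerability_trend(snaps, SCANNED_HOSTS):
        print(f"{date}: {total} findings on credentialed hosts")
    report = compare_scans(snaps, SCANNED_HOSTS, "2011-06-15", "2011-06-22")
    for pid in sorted(report):
        entry = report[pid]
        status = "complete" if deployment_complete(report, pid) else "open"
        detail = " ".join(f"{b}={sorted(entry[b])}" for b in BUCKETS if entry[b])
        print(f"plugin {pid}: {status} {detail}")
```

Notice that the trend line alone drops from 6 findings to 3, which looks like progress, yet two of the findings that vanished belong to ws02, where the second scan could not authenticate. The comparison marks plugin 55124 and plugin 55131 as unverified on that host, so deployment_complete() stays False for both until the credentials are fixed and the host is rescanned, while plugin 55117 is genuinely done because its only affected host was verified clean.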
- Microsoft Security Bulletin Summary for June 2011
- OSVDB Microsoft Bulletins - Complete Reference
- Autorun-Related Malware Declines and the June 2011 Security Bulletin Release (Microsoft Security Response Center Blog)