Microsoft, Analysts Team Up to Improve Patch Management

Ever wonder how it was that the Conficker worm spread so rapidly even though there was a patch available for the Microsoft vulnerability it exploited?

As it turns out, the patch management process is not as straightforward or simple as outsiders might imagine. With that in mind, Microsoft is teaming up with security consulting company Securosis to create metrics that can be used to assess the efficiency of an organization’s patching process. In an effort called Project Quant, the duo will give organizations a model with which to calculate the total cost of patch management.

“Most of the medium to larger businesses that I have worked with have at least some sort of a good patch management process in there, particularly for their desktop patches,” said Rich Mogull, founder of Securosis. “But home users, small businesses [and] all these other organizations definitely are a lot worse.”

Even the big guys don’t get it perfect, however.

“A lot of the server stuff is handled separately from desktops, so these patches go out way slower because they are worried about when can they take the server down, those kind of things,” Mogull said. “[Also] there’s a lot of times a misperception that, ‘Oh, we’re behind the firewall so we’re safe.'”

The consequences of being unpatched can be dire. In its Intelligence Report for the second half of 2008, Microsoft found that 91.3 percent of attacks against Microsoft Office exploited a single vulnerability that was patched more than two years ago (CVE-2006-2492).

In an e-mail, Qualys CTO Wolfgang Kandek told eWEEK that in general the company sees Microsoft patches being applied quickly in the beginning, reaching about 50 percent after 30 days. At that point, the patching slows down.

“I do not know why so many machines remain unpatched, but people are definitely aware of the state these machines are in through our reporting tools,” Kandek said. “It is possible that these are machines that have just entered an organization and are temporarily unmanaged, i.e. do not have automatic patching enabled. Another explanation would be that patching and potentially impacting on the functioning of the machine poses a greater problem than the risk of exploitation.”

Project Quant will encompass the patching process as a whole and will not just deal with Microsoft fixes. Ultimately, Project Quant will deliver a written report and a spreadsheet-based model. It is slated to be finished around June, according to the Securosis blog.