Patch Management Crucial to Defend Against Cyber-Attacks: Report

While Windows vulnerabilities receive wide attention, Norman security experts suggest checks for a range of operating systems.

Patch Tuesday, which most recently occurred yesterday, is the periodic security event where Microsoft issues bulletins to fix known security flaws in Windows-related software and applications, such as Office and Internet Explorer.

Over the past six months, security solutions and forensics malware specialist Norman has discovered and reported several Windows kernel vulnerabilities that potentially could be leveraged by attackers to fully compromise a system and leave users open to serious cyber-attacks. The company said kernel security research is vital because kernel vulnerabilities affecting core operating system components are very hard to detect and defend against.

While Windows vulnerabilities receive wide attention, Norman security experts also warned that IT administrators in enterprises, government and small to midsize businesses (SMBs) should focus on patch management involving all major operating systems, including Microsoft Windows, Linux, Mac OS, Sun Solaris and HP. In addition, rapid, accurate and secure patch management should be used for the popular applications from Microsoft, Adobe and Apple.

The company's report noted unpatched operating systems and applications often result in expensive losses and damage. "Nearly two-dozen software vulnerabilities are discovered each day, so IT departments need to make patching a top priority," the company report said.

On Tuesday Microsoft released 17 security bulletins, including nine that are rated "Critical" and eight rated "Important." Fifteen of the bulletins address vulnerabilities that allow attackers to remotely execute code. All totaled, the bulletins will address 64 vulnerabilities spanning Windows, Office, Internet Explorer, Visual Studio, .NET Framework and the Graphics Device Interface (GDI+).

Affected operating systems include Windows XP, Windows XP Professional x64 Edition, Windows Server 2003, Windows Server 2003 x64 Edition, Windows Vista (32-bit and 64-bit), Windows Server 2008 and Windows 7.

There are updates for Internet Explorer 6 through 8. Despite Microsoft's attempts to sunset IE6, it appears IE6 bugs in Windows XP and Windows Server 2003 have been addressed. The patches cover commonly used Office applications, including Microsoft Excel 2002 through 2010, Microsoft PowerPoint 2002 through 2010, and Microsoft Office 2004 for Mac through 2011.

"IT departments should make patch and remediation a priority," said Audun Lodemel, vice president of marketing for Norman. "Remember to look into all your OS platform and applications vulnerabilities, not just focus on Microsoft issues around Patch Tuesday."