Another good lesson in watching for patch criticality occurred this week. On Tuesday Microsoft released their load of 17 bulletins covering 64 separate issues, and we were all left with the task of attempting to prioritize. At the best of times this isn't an easy task, and while it would be really nice if we could simply state 'patch them all now', the reality is that there are a finite number of staff and resources available to run through QA of these patches. Being able to offer some form of prioritization will realistically ensure that the most important patches are rolled out as soon as practical.
I have become a big fan of the additional guidance that Microsoft provides in terms of the exploitability index and additional technical detail. Likewise, the folks at SANS provide a free resource at the Internet Storm Center. All these resources make our job of prioritizing a little easier, but it's important to keep in mind a couple additional details. While the existence of an exploit in the wild is important, an exploit that requires a user to be tricked into opening a file or visiting a malicious site lessens the potential impact. On the other end of the spectrum, the potential for a vulnerability to be weaponized to become the next big internet worm needs to be kept in mind, despite assurances in advisories that suggest normal port filtering will prevent access to services such as SMB.
Strict formulas are good for getting a general sense of priorities, but it's important to conduct a triage that takes into consideration both existing safeguards, which can lower these initial ratings, and the potential for a vulnerability that has no known exploit to be quickly turned into a serious threat to large portions of your infrastructure.
Today, MS11-020 was updated to a Patch Now criticality from SANS based upon notifications from Microsoft. For some who take the publicly available recommendations as gospel, this could mean reprioritizing staff to put an extra rush on getting MS11-020 out the door; for others who did a bit of homework and read through the technical details prior to making a determination, little has changed.
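The triage described in the last two paragraphs can be sketched as a small scoring routine. This is an added example, not part of the original post or any vendor's method: the weights, field names and sample bulletins are all constructed assumptions, and the advisory update is modeled as a newly reported exploit, which is also an assumption.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Bulletin:
    name: str                      # constructed label, not a real bulletin ID
    vendor_rating: int             # 1 (low) to 4 (critical)
    exploit_in_wild: bool
    needs_user_interaction: bool   # user must open a file or visit a site
    network_service: bool          # flaw sits in a listening service such as SMB
    exposed_pct: int               # % of hosts NOT covered by an existing safeguard

def triage_score(b: Bulletin) -> int:
    score = b.vendor_rating * 10            # the "strict formula" starting point
    if b.exploit_in_wild:
        score += 15
    if b.needs_user_interaction:
        score -= 10                         # tricking a user lessens the impact
    elif b.network_service:
        score += 20                         # worm potential, even with no known exploit
    return score * b.exposed_pct // 100     # existing safeguards lower the rating

def rank(bulletins):
    """Bulletin names ordered from most to least urgent."""
    return [b.name for b in sorted(bulletins, key=triage_score, reverse=True)]

# Constructed sample batch (weights and values are assumptions for illustration).
BATCH = [
    Bulletin("doc-parser", 4, True, True, False, 100),
    # Perimeter port filtering does not shield internal hosts from each other,
    # so most of the estate still counts as exposed.
    Bulletin("smb-service", 4, False, False, True, 80),
    Bulletin("local-privesc", 2, False, False, False, 100),
    Bulletin("rare-service", 4, False, False, True, 10),   # service disabled on most hosts
]

def after_advisory_update(bulletins, name):
    """Re-score after an advisory is raised (modeled here as a reported exploit)."""
    return [replace(b, exploit_in_wild=True) if b.name == name else b
            for b in bulletins]

if __name__ == "__main__":
    print(rank(BATCH))
    print(rank(after_advisory_update(BATCH, "smb-service")))
```

The network-service flaw already ranks first before the advisory changes, so the update raises its score without reordering the rollout.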
I'll be keeping my fingers crossed on MS11-020 and watching out for a couple additional patches from this last batch.