Get Off the Vulnerability Patching Merry-Go-Round
Microsoft has designated the second Tuesday of each month Patch Tuesday for some time now. Patch Tuesday gives patch management a sense of predictability as opposed to the old system of just releasing critical updates randomly as they come up. The pre-defined patch release schedule is helpful, but it doesn’t change the fact that users are on a perpetual merry-go-round of patching.
For May, Microsoft released seven new security bulletins that fix a total of 23 separate vulnerabilities. One in particular--MS12-034--patches 10 different vulnerabilities spanning a broad range of Microsoft software. Adobe also joined the fray with security updates for Shockwave, Illustrator, Photoshop, and Flash.
Last month Microsoft released six security bulletins, and the month before that it was another six security bulletins. In five months Microsoft has already issued 35 security bulletins in 2012, and it often feels like a new Patch Tuesday rolls along before the dust has even settled from applying the patches from the last one.
There are two things you can do to manage the patch update cycle, and protect your PC against the constant threat of exploits attacking new, unpatched vulnerabilities. First, you should turn on automatic updates wherever possible. There’s no reason to take on the burden of staying informed about emerging updates and installing them yourself.
Windows and Mac OS X both have tools in place to check online for new updates, and apply them automatically. Many third-party applications also include features to enable automatic updates. Take advantage of the tools available to free yourself from the patch cycle.
On the other side of patch management, though, is the fact that new flaws are constantly being discovered, and that until or unless the vendor develops a patch and releases it on the pre-determined schedule, you’re vulnerable. You need peace of mind that you can safely use your PC in between Patch Tuesdays as well.
You need to have some sort of security software on the PC. Most security tools use heuristic technology to detect and identify suspicious behavior and block it. Heuristics is a bit of a guessing game, and it’s not as accurate as detecting known threats that have already been identified, but there are certain things that malicious software tries to do that no legitimate software would, and those behaviors are red flags the security software can use to protect your PC.
The patch management merry-go-round won’t be stopping any time soon. There’s no perfect software--especially when you’re talking about something like an operating system built on millions of lines of code. Imperfect software means there will always be a new vulnerability out there, and a steady stream of patches to fix them.
I guarantee, though, that you’ll enjoy the ride more--and possibly even forget you’re on the merry-go-round--if you protect your system with security software, and enable automatic updates to let your software keep itself patched.