Menlo Technical has clients with complex networks that require constant updating. While some companies can build a trust between their IT provider and the real needs of the business, others do not always trust anyone.
Security in Information Technology offers more challenges due to the number of devices people have and the age of some of these machines in business and at home. Mobile devices, older servers, desktops, network devices and peripherals all need to be tracked and monitored.
While Microsoft has offered assured monthly updates to their operating systems (monthly Windows Updates for Windows Server, Windows XP Pro, Windows 7, etc.) the rate and number of these threats are growing at a much faster rate than when monthly updates were employed. The ‘once a month’ model Microsoft originally employed in the mid 2000’s is no longer a safe option. Today these updates happen on more than just the operating system and often have ‘out of band’ adjustments. This means there can often be patches released that are too important to wait until the next update cycle.
These patches at Microsoft are a mix of :
1) Customer reported problems that have been fixed based on severity and potential impact on the installed user base
2) Consensus of infections that are discovered in the wild, through Microsoft’s testing honey pot farm
3) Reports Microsoft gets from people who have discovered these infections (often called White Hat Hackers) who try to motivate these security changes before they are discovered in the ‘wild ‘.
Most times these security holes are sought out by the hackers who have bad intentions and in turn are integrated rapidly into SPAM and other means of infection to try and gain control of personal computers, networks and potentially intellectual property.
Recently Apple has started to offer updates that fix security holes discovered or reported to them. Unlike the Microsoft environment, where security holes are not only discovered and used against Windows users before the fixes are released into security patches (also referred to as zero day exploits), Apple repairs issues before they are found in the wild.
As mentioned in the InfoWorld article on the recent Apple Safari updates:
Of the 83 vulnerabilities, Apple tacitly classified 72 as critical.
Although Apple does not formally rate vulnerabilities using a threat scale like Microsoft, the phrase “may lead to … arbitrary code execution” in its security advisories describes the type of bugs that attackers could theoretically use to compromise a Mac and plant malware on the machine.
None of the vulnerabilities have been used in actual attacks, however.
Monday’s update easily beat Safari 5’s former record of 62 patches , set in March 2011. Apple issued other large collections for its browser last year, including a 58-patch upgrade in July and one of 43 in October.
Seventy-two of the 83 flaws were patched in WebKit, the open-source browser engine that powers both Safari and Google’s Chrome. Apple tagged them all as memory corruption bugs that could be triggered simply by visiting a malicious site.
More than half of the WebKit vulnerabilities were reported by Chrome’s security team or by independent researchers who submit bugs to Google’s bounty program.
The same WebKit vulnerabilities had been patched previously by Apple, both in the iOS mobile operating system with last Wednesday’s upgrade to version 5.1, and in iTunes 10.6, another update last week.
iTunes relies on WebKit to render its online store.
Because of Google’s persistence in rooting out vulnerabilities in WebKit, it was no surprise that many of the bugs Apple patched in Safari on Monday had been addressed by Google in Chrome months earlier.
It is important that both environments (Apple and Microsoft) are updated monthly and watched for the few times that Microsoft, Adobe and Apple offer patches between monthly updates.