Race to Patch Known Cybersecurity Vulnerabilities
More than a month since Microsoft rolled out its April 30, 2018 update on Windows 10, the company said nearly 250 million or one-third of the nearly 700 million computers using Windows 10 have applied this update.
This Microsoft data shows that nearly 450 million or two-thirds of machines using Windows 10 as their operating system (OS) haven’t applied the April 2018 patch.
Prevalence of Delayed Patching
A patch is a piece of code that’s inserted (or patched) into an existing software program. It’s meant to improve performance or usability, or to fix known cybersecurity vulnerabilities.
It’s a known fact that many organizations don’t patch immediately. Researchers at Rendition revealed that more than a month after Microsoft released its March 2017 update, over 148,000 machines hadn’t applied this particular update. That update fixes the cybersecurity vulnerabilities that the group of hackers calling themselves Shadow Brokers leaked a month after its release.
The cybersecurity vulnerabilities leaked by Shadow Brokers are believed to be used by the U.S. National Security Agency (NSA). The malicious software (malware) WannaCry infected and locked the files of hundreds of thousands of computers in May 2017 by exploiting the cybersecurity vulnerability called “EternalBlue” – a cybersecurity vulnerability fixed by Microsoft in its March 2017 update.
Delayed patching isn’t limited to proprietary software like Microsoft operating systems. Users of open-source software are delaying patching as well. Out of the 14,700 cybersecurity vulnerabilities listed by the National Vulnerability Database (NVD), 4,800 were open-source cybersecurity vulnerabilities.
According to Black Duck, many software applications now contain more open-source code (57%) than proprietary code (43%). Seventy-eight percent of the open-source codebases examined by Black Duck contained at least one cybersecurity vulnerability, with an average of 64 vulnerabilities per codebase.
Apache Struts is one example of open-source software. It is used by many organizations to create web applications. In March 2017, the U.S. Computer Emergency Readiness Team (US-CERT) sent out an alert on the need to patch a security vulnerability in Apache Struts version 2. This vulnerability allows an attacker to take control of a computer system containing it, regardless of the geographical location of the affected system. In the same month, Struts 2 users were encouraged to switch to the newer versions Struts 2.3.32 or Struts 220.127.116.11, as these updates fix the security vulnerability in Struts 2.
In September 2017, Equifax, one of the world’s largest credit reporting agencies, revealed that information of over 148 million U.S. consumers, nearly 700,000 U.K. residents and more than 19,000 Canadian customers had been compromised.
Data of millions of Equifax’s customers were compromised as a result of the company’s failure to patch the known security vulnerability in Apache Struts version 2, which the company used in its online disputes portal web application. The Equifax data breach was detected as early as July 2017.
“We are sorry to hear news that Equifax suffered from a security breach and information disclosure incident that was potentially carried out by exploiting a vulnerability in the Apache Struts Web Framework,” the Apache Struts Project Management Committee said in a statement. “Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years.”
Why It’s Important to Patch As Soon as Possible?
Once patches or security updates for cybersecurity vulnerabilities are released, attackers are quick to scan the internet for computer systems that have failed to apply the needed patch. Attackers simply automate the process of scanning the internet for unpatched computer systems.
According to Rendition researchers, many organizations don’t patch for 30 to 60 days or more. In trying to find out how many organizations haven’t patched the EternalBlue vulnerability via Microsoft’s March 2017 update, Rendition researchers in late April 2017 and the first few days of May 2017 scanned the internet using a “special ping” to make contact with DoublePulsar malware – another spying tool leaked by Shadow Brokers and believed to be used by the NSA.
“When the DoublePulsar malware is present, the ping command returns a special response,” Rendition researchers said. “Using this response, we can conclusively determine which machines have been compromised.”
While Rendition researchers used their automated process for research purposes, attackers could’ve similarly used an automated process to scan the internet looking for unpatched computers vulnerable to EternalBlue, leading the attackers to launch the WannaCry attack in the 2nd week of May 2017.
In a similar manner, attackers using the early version of SamSam ransomware simply used an automated process to scan the internet for vulnerable computers. One of the earliest versions of SamSam ransomware victimized unpatched servers running Red Hat’s JBoss enterprise products. SamSam attackers used Jexboss, an open-source tool that scans the internet for unpatched servers running Red Hat’s JBoss enterprise products.
Many cyberattacks are the result of organizations failing to patch software components that have been known to be vulnerable for months or even years. A cyberattack is a race between attackers trying to exploit unpatched computer systems and the organizations and individuals trying to roll out patches in time.
Patching is one of cybersecurity’s best practices. It’s important to establish a process for your organization to quickly roll out a patch or security update once it’s available. It’s essential to roll out critical and important patches within hours or a few days, not weeks, months or years.