Patch…and Verify

tldr: If you use Microsoft Outlook for your E-mail client, whether for home, school, or work, please make sure you have applied all of the latest patches. Want to know more about why? Read on.

Almost all computer software contains bugs. Many bugs are, at least from a security perspective, benign, such as using a wrong mathematical formula or marking words as spelled improperly when they aren’t. However, some bugs create significant security problems. Take, for example, the bug described in the article below. In this case, an attacker can send malicious E-mails to a user and, because of a flaw that was discovered in Microsoft Outlook in 2017, the attacker can gain control over the victim’s machine and use that as a launching point for future attacks.

Like many companies, Microsoft responded quickly to the news that Outlook had a bug that made it vulnerable to attack and issued a “patch”, or updated version of Outlook, that addressed the security issue. Now here’s the rub: despite being available for nearly two years, many organizations and individuals have not applied the patch. In fact, things are so bad that the US Cyber Command, the group in the Department of Defense that is responsible for securing the US cyberspace, has issued a warning that reminds everyone to apply the patch or update to a newer version of the software.

If the patch has existed for nearly two years, why are there still so many vulnerable computers? Well, one reason is a lack of awareness. Many organizations and individuals simply aren’t aware that the patches are even available (despite notices in the software). Another reason is that some are afraid that the patch will break something else (“if it ain’t broke, don’t fix it”). Regardless of the reason, though, the fact is that the vulnerabilities fixed in most patches are real and are being actively exploited by criminals and nation-state actors all the time. Good patch management is the only effective way to address the risks.

Of course, it is important not only to ensure that patches are regularly applied, but also to verify that they were actually installed. Sometimes patches fail, such as when the file or application being updated is in use, so it is important to review the patching logs or notices after the patching process completes and confirm that the patch was properly installed. In some cases, additional assistance may be needed. For example, we recently identified and solved a problem at a client where one machine had been regularly trying to apply a patch for the past 18 months.
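One way to run that check on a Windows machine is shown below. This is an added example, not part of the original article: it reads the local Windows Update history through the Windows Update Agent COM API and lists every update whose most recent install attempt failed, along with how long it has been failing. It only covers updates delivered through the Windows Update agent; software that updates itself by other means will not appear.

```powershell
# Added example: find updates that keep failing to install on this machine.
# Reads the local Windows Update Agent history; run in Windows PowerShell 3.0+.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$count    = $searcher.GetTotalHistoryCount()
if ($count -eq 0) { Write-Output 'No update history recorded.'; return }

# Operation 1 = installation.
# ResultCode: 2 = succeeded, 3 = succeeded with errors, 4 = failed, 5 = aborted.
$installs = $searcher.QueryHistory(0, $count) |
    Where-Object { $_.Operation -eq 1 -and $_.Title }

$report = foreach ($group in ($installs | Group-Object Title)) {
    $attempts = @($group.Group | Sort-Object Date)
    $latest   = $attempts[-1]

    # Skip updates whose latest attempt did not fail.
    if ($latest.ResultCode -notin 4, 5) { continue }

    # Count only the failures since the last successful install, if there was one.
    $lastOk = $attempts | Where-Object { $_.ResultCode -in 2, 3 } | Select-Object -Last 1
    $since  = if ($lastOk) { $lastOk.Date } else { [datetime]::MinValue }
    $failed = @($attempts | Where-Object { $_.Date -gt $since })

    [pscustomobject]@{
        Title          = $group.Name
        FailedAttempts = $failed.Count
        FirstFailure   = $failed[0].Date      # history dates are UTC
        LastFailure    = $latest.Date
        DaysFailing    = [int]($latest.Date - $failed[0].Date).TotalDays
        LastError      = '0x{0:X8}' -f $latest.HResult
    }
}

if ($report) {
    $report | Sort-Object DaysFailing -Descending | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'No updates are currently stuck in a failed state.'
}
```

An update with many failed attempts and a large DaysFailing value is the pattern described above: a machine that keeps trying, and failing, to apply the same patch.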

Organizations and individuals should get in the habit of allowing automatic updates to their computers, including the operating system and any software that runs on it. If there are logical reasons not to allow automatic updates, then regular (e.g., weekly or at most monthly) review and application of existing patches is critical to ensuring good cybersecurity.

Good patch management is also a key part of a defensible cybersecurity™ program. Contact Fathom Cyber and subscribe to our newsletter to learn more about defensible cybersecurity.

To our security community friends: we didn’t pick the image in the picture, so please don’t blame us for the cliché and blatantly incorrect use of the “hoodie hacker”.