Be ready for Patch Tuesday, but also be ready to patch on other days

If you work in an IT team, you may have highlighted the Patch Tuesday days on your calendar when Microsoft release updates. Being ready to test and roll them out will give your CTO a good feeling that actions are being taken to address security concerns. The August Patch Tuesday arrived with 4 critical updates. Adobe also released a Flash update on the same day that addressed 5 Priority 1 issues.

Does this mean that Adobe had more issues than Microsoft? And what about issues from other software providers? I used two sources to check on vulnerabilities: the Secunia Vulnerability Review 2015 and a review of operating systems and applications in 2014 from data in the National Vulnerability Database (NVD).

  • There were 7,038 vulnerabilities in 2014 (4,794 in 2013). 24% were rated as high severity, a lower percentage than in 2013, but the number of high-severity vulnerabilities has increased (NVD)
  • 23.1% of vulnerabilities were in Microsoft products, 76.9% in products from other software providers (Secunia)
  • There was a decrease in vulnerabilities in the Windows OS
    • Windows 8 went from 156 in 2013 to 105 in 2014 (Secunia)
    • Windows 7 went from 102 in 2013 to 33 in 2014 (Secunia)
    • Apple OS X had 147 vulnerabilities in 2014 (NVD)
  • Chrome had more vulnerabilities than the other top browsers, although Firefox had more unpatched vulnerabilities (Secunia)
    • Chrome – 504 vulnerabilities, 24% unpatched
    • IE – 249 vulnerabilities, 13% unpatched
    • Firefox – 171 vulnerabilities, 35% unpatched
    • Safari – 92 vulnerabilities, 26% unpatched
    • Opera – 19 vulnerabilities, 37% unpatched

Focusing on patching Microsoft applications and operating systems isn’t the sole answer. You certainly need to be ready for Patch Tuesday, but also monitor when other patches are available and apply them. One way of monitoring for patches is subscribing to alerts on the US-CERT site.