II. Risk of Patch Management in Universities
by JUCC ISTF
/* The following article is extracted from the "Information Security Newsletter" published by the JUCC IS Task Force. */
Applying patches to software applications and hardware firmware may introduce additional risks to universities' IT environment because patches themselves are programs and may have their own set of vulnerabilities. Improper handling of patching process could also result in system crashes or damage hardware devices. Universities should consider the risks when implementing their patch management exercises:
1. Invalidated Patches
The source of each patch must be validated by examining the acquiring source and patch signature to ascertain only authenticated patches are applied to universities information systems. It has been reported that some scammers sent fake Microsoft security patch e-mails with malicious contents.
In addition, some complex patches require domain expertise to review certain pre/post-requisites and dependency metadata before the actual installation. Fail to do so may cause severe consequences, such as data corruption, unpredictable system behaviours or even service outage.
2. Inadequate Testing
Many universities' information systems are correlated and have interfaces among them to exchange data. Applying patches to one system in the production environment without sufficient testing performed may introduce adverse impact on the other applications, such as incompatible data formats, communication protocol or interface logic.
3. Downtime and Interruption
With the increase in program complexity, patches are released more rapidly and require longer time spent on installation onto the target information systems. Patching tasks, if not planned carefully, could lead to frequent interruption to universities' operations and prolonged service downtime due to large sizes of patches (e.g. service packs, software packages).
4. Vulnerabilities in Patch Management System / Tool
If a patch management system is used to enforce automated patching mechanism, the security vulnerabilities of its own might have impact on the other universities' information systems. A virus infected or breached patch management system will be a central distribution point that broadcast viruses and malware.
In addition, a patch management system protected with weak access controls creates additional channel for hackers to gain unauthorised access to universities' IT environment or launch attacks on the critical information systems.
5. Lack of Fallback Procedures
Sometimes the vendor may publish a patch that has flaws in it and results in various issues related to patched systems. If universities do not have the corresponding fallback procedures in place, the negative effect imposed by that problematic patch cannot be immediately reversed until the vendor issues another patch to fix the mistake.
6. Incorrect Identification and Installation
Detection and deployment of security patches is a critical part of the patch management process. Some sophisticated applications have functions embedded to detect applicable security patches and provide necessary guidelines on the patch installation procedures. Using alternative means to identify and install patches is dangerous since the accuracy and reliability will not be guaranteed by the vendors.
Related Article
Security patch results in blue screen of death, stops Windows from booting
One of the updates from February 2010's giant Patch Tuesday is wreaking havoc on some users Windows PCs by giving them the Blue
Screen of Death (BSOD), according to a thread on Microsoft Answers, the company's support forum.
See the article: http://arstechnica.com/microsoft/news/2010/02/security-patch-results-in-bsod-stops-windows-from-booting.ars