I. Background of Patch Management

by JUCC ISTF
/* The following article is extracted from the "Information Security Newsletter" published by the JUCC IS Task Force. */ 
 
 
A software patch is a piece of program code or an executable designed to fix problems with, or update, a computer program or its supporting data. This includes fixing security vulnerabilities and bugs and improving the usability or performance of the patched software.
 
Patch management is a strategic and planned process for determining which patches should be applied to which systems, and when.
 
Software vendors and programmers typically publish and apply patches in one of four forms:
 

1. Binary Executable Patch

Patches for proprietary software are published as binary executables because the source code is withheld by the vendor. Patches of this type are usually packaged as executable files (e.g. EXE files on Windows, BIN files on Unix platforms) that modify or replace specified files of the program when the user runs them.

Binary executable patches are usually applied in one of two ways:

Manual download of patch packages that include an executable component to add, modify or delete the relevant program code and other data (such as sounds, graphics and videos) in the installed software; and

An embedded update function of the software program, which automatically downloads patch packages from web servers designated by the vendor. The update function can be triggered by the user or run on a pre-defined schedule.

As a typical example, the Windows operating system offers both a manual download and an automated update function to its customers. Users can download individual patch files from Microsoft's website and apply them to their Windows systems, or they can simply schedule the "Windows Update" function to identify, download and install patches on a regular basis.

2. Source Code Patch

Patches can also be circulated as source code modifications, consisting of the textual differences between two versions of a source file. Patches of this type commonly come from open source projects or shareware and are published on the authors' websites or in open source application directories such as SourceForge and CodePlex. In this case the authors expect users to apply the textual changes to their copy of the source and compile the new or changed code themselves in order to obtain the fix or functional upgrade. Because such a patch is tied to the exact revision it was produced from, a patching tool matches each hunk's surrounding context lines against the target file and rejects hunks that do not fit; and because it is plain text downloaded from a website, its integrity should be checked against the published checksum or signature before it is applied.
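The mechanics of a source code patch, shown as an added example that is not part of the newsletter or any vendor's tooling: the Python script below builds the textual difference between two revisions of a constructed toy C file (the file name hello.c, its contents and the digest are assumptions of this example), checks the patch's SHA-256 against a stand-in "published" digest, and applies it hunk by hunk, refusing to proceed when a context or removed line does not match the file being patched. The same flow also covers the integrity check a user should perform on a manually downloaded patch package, as described under binary executable patches above.

```python
"""Round trip of a source-code patch: build a unified diff, check its digest
and apply it with context matching. Added example; the C source is constructed."""
import difflib
import hashlib
import hmac
import re

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

# Constructed sample: two revisions of a hypothetical hello.c.
OLD_SOURCE = (
    "#include <stdio.h>\n"
    "#include <string.h>\n"
    "\n"
    "int main(int argc, char **argv) {\n"
    "    char name[32];\n"
    "    if (argc > 1)\n"
    "        strcpy(name, argv[1]);\n"
    "    else\n"
    "        strcpy(name, \"world\");\n"
    "    printf(\"hello, %s\\n\", name);\n"
    "    return 0;\n"
    "}\n"
)
NEW_SOURCE = OLD_SOURCE.replace(
    'strcpy(name, argv[1]);', 'snprintf(name, sizeof name, "%s", argv[1]);'
).replace('strcpy(name, "world");', 'snprintf(name, sizeof name, "%s", "world");')


def make_unified_diff(old, new, name):
    """The textual difference a project publishes instead of a new binary."""
    return "".join(difflib.unified_diff(
        old.splitlines(keepends=True), new.splitlines(keepends=True),
        fromfile="a/" + name, tofile="b/" + name))


def sha256_matches(data, expected_hex):
    """Constant-time check of the patch digest against the published value."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_hex.lower())


def apply_unified_diff(original, diff_text):
    """Apply a unified diff. Every context and removed line must match the target;
    a mismatch means the patch was made against another revision, so reject it."""
    src = original.splitlines(keepends=True)
    lines = diff_text.splitlines(keepends=True)
    out, pos, i = [], 0, 0
    while i < len(lines):
        header, i = lines[i], i + 1
        if header.startswith(("--- ", "+++ ")) or not header.strip():
            continue
        m = HUNK_RE.match(header)
        if not m:
            raise ValueError(f"malformed patch line: {header!r}")
        old_left = int(m.group(2)) if m.group(2) is not None else 1
        new_left = int(m.group(4)) if m.group(4) is not None else 1
        # "-N,0" means insert after line N; otherwise N is the 1-based first old line.
        start = int(m.group(1)) - (0 if old_left == 0 else 1)
        if start < pos or start > len(src):
            raise ValueError(f"hunk at line {start + 1} is out of order or past EOF")
        out.extend(src[pos:start])
        pos = start
        while old_left > 0 or new_left > 0:
            if i >= len(lines):
                raise ValueError("truncated hunk")
            tag, body = lines[i][0], lines[i][1:]
            i += 1
            if tag == "\\":  # "\ No newline at end of file" marker, not content
                continue
            if tag in (" ", "-"):
                if pos >= len(src) or src[pos] != body:
                    found = src[pos] if pos < len(src) else "<EOF>"
                    raise ValueError(f"hunk does not apply at line {pos + 1}: "
                                     f"expected {body!r}, found {found!r}")
                pos, old_left = pos + 1, old_left - 1
                if tag == " ":
                    out.append(body)
                    new_left -= 1
            elif tag == "+":
                out.append(body)
                new_left -= 1
            else:
                raise ValueError(f"bad hunk line: {lines[i - 1]!r}")
    out.extend(src[pos:])
    return "".join(out)


def patch_source(original, patch_text, published_sha256):
    """Verify the downloaded patch against its published digest, then apply it."""
    if not sha256_matches(patch_text.encode(), published_sha256):
        raise ValueError("patch digest mismatch: refusing to apply")
    return apply_unified_diff(original, patch_text)


PATCH = make_unified_diff(OLD_SOURCE, NEW_SOURCE, "hello.c")
PATCH_SHA256 = hashlib.sha256(PATCH.encode()).hexdigest()  # stands in for the published digest

if __name__ == "__main__":
    print(PATCH)
    print(patch_source(OLD_SOURCE, PATCH, PATCH_SHA256) == NEW_SOURCE)
```

Running the script prints the unified diff and `True`. Applying the same patch a second time, or to a file from a different revision, raises a ValueError naming the first line whose context does not match, which is the behaviour a user sees from the real tools (`diff -u` to produce, `patch -p1` to apply, `patch --dry-run` to check fit without writing). Where a project publishes a signature rather than a bare checksum, verify that instead of a digest, since a digest fetched from the same server as the patch proves only that the download was not corrupted.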

3. Service Pack

Bulky patches, or patches that significantly change a program, may be distributed as "service packs" or "software packages". For example, Microsoft Windows NT and its successors (including Windows 2000, Windows XP and later versions) have each received several service packs.

In several Unix-like systems, particularly Linux distributions, updates between releases are delivered as new software packages. These updates are in the same format as the original installation packages, so they can be used either to update an existing package in place (effectively patching it) or directly for new installations.

4. Firmware Patch

Firmware patches update the internal control code of hardware devices and consist of bare binary data together with a special program that replaces the previous version with the new one.

A motherboard BIOS update is a common example of a firmware patch. Firmware patches must be installed with care, as any unexpected error or interruption during the update, such as a power outage, may leave the device with partially written firmware and render the hardware unusable.

Related Article

Have You Patched Your System Lately?

Most exploits in the wild target known vulnerabilities in software applications and can be mitigated by applying the corresponding patches. However, there are customers running vulnerable applications that have not been updated for almost 10 years.

See the article: http://blog.trendmicro.com/trendlabs-security-intelligence/have-you-patched-your-system-lately/ 

 
Key Benefits Achieved through Patch Management
 
Increase Security  
Known vulnerabilities in applications and systems pose significant threats to the information security of a university's IT environment. With effective patch management policies and procedures, universities can apply security patches in a timely fashion, greatly reducing the risk of security breaches and of the resulting damage: data theft, data loss, reputational harm or even legal penalties.

Improve Productivity and Performance

Many software applications and hardware devices contain bugs that affect execution efficiency or cause unexpected errors during normal use. By implementing a patch management framework, universities can proactively find and apply patches that fix those bugs, sparing their employees and students these errors and boosting productivity.

Installing patches also reduces service downtime caused by program errors or by networks congested with malware activity. If an automated patching system is used, the productivity gain for the IT department is easy to measure, as it saves much of the time and effort required for manual patching of information systems.

Compliance

More and more laws and regulations impose requirements on organisations to keep their information systems adequately patched. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires security patches to be installed within one to three months, depending on the criticality of the system or device.

See the article:

Related Article
 
Adobe fixes 15 flaws in Reader, Acrobat
 
In April 2010, Adobe Systems Inc. resolved a cross-site scripting (XSS) vulnerability and a number of memory corruption and buffer overflow flaws in its PDF applications Reader and Acrobat as part of its quarterly patching cycle. The update was issued through Adobe's new updater program, designed to speed up patch deployment.