Companies want more help from their suppliers when
dealing with so-called "zero-day" security attacks.
The closing window between when a security vulnerability is
found and when it is exploited by remote attackers is the number
one challenge to effective patch management.
PatchLink, which provides security patch and vulnerability
management solutions, conducted a global survey of 300 senior IT
managers, and found that the increasing speed in the appearance of
security exploits was their major security headache.
The survey found that over half of respondents wanted software
suppliers to take a more flexible approach to releasing patches for
zero-day exploits, and maintain a monthly patch release date for
unexploited vulnerabilities.
Three-quarters of respondents said patch cycles, such as
Microsoft’s monthly Patch Tuesday on the second Tuesday of the
month, helped with planning, but more immediate threats had to be
tackled sooner.
Microsoft is currently tackling three bugs in its Internet
Explorer browser, with an exploit for one of them circulating on
the internet for the past week. The next Patch Tuesday is on 11 April,
but users are hoping the company issues a fix before then.
Two companies have so far issued unofficial patches for the IE
exploit, and 45% of survey respondents said they would consider
such fixes, despite suppliers warning that these patches can
potentially cause problems on users’ systems.
With the zero-day Microsoft WMF exploit, which occurred this
January, 13% of companies used an unofficial patch, the survey
found.
“With the average time between vulnerability discovery and the
release of exploit code at less than one week, enterprises need
fast, coordinated patch processes,” said Andrew Jaquith, an analyst
at Yankee Group.