Companies want more help from their suppliers when dealing with so-called "zero-day" security attacks.
The closing window between when a security vulnerability is found and when it is exploited by remote attackers is the number one challenge to effective patch management.
PatchLink, which provides security patch and vulnerability management solutions, conducted a global survey of 300 senior IT managers, and found that the increasing speed in the appearance of security exploits was their major security headache.
The survey found that over half of respondents wanted software suppliers to take a more flexible approach to releasing patches for zero-day exploits, and maintain a monthly patch release date for unexploited vulnerabilities.
Three-quarters of respondents said patch cycles, such as Microsoft’s monthly Patch Tuesday on the second Tuesday of the month, helped with planning, but more immediate threats had to be tackled sooner.
Microsoft is currently tackling three bugs in its Internet Explorer browser, with an exploit for one of them circulating on the internet for the past week. The next Patch Tuesday is on 11 April, but users are hoping the company issues a fix before then.
Two companies have so far issued unofficial patches for the IE exploit, and 45% of survey respondents said they would consider such fixes, despite suppliers warning that these patches can potentially cause problems for users’ systems.
With the zero-day Microsoft WMF exploit, which occurred this January, 13% of companies used an unofficial patch, the survey found.
“With the average time between vulnerability discovery and the release of exploit code at less than one week, enterprises need fast, coordinated patch processes,” said Andrew Jaquith, an analyst at Yankee Group.