Developing a patch management policy for third-party applications

Enterprises may push the latest critical Windows patches once a month, but here's a dirty little secret: Most organizations don't bother patching their third-party applications. The diversity of client-side software -- including everything from Acrobat Reader to iTunes -- complicates matters, but security professionals shouldn't lose hope. Effective patch management for third-party products is possible, and contributor Ed Skoudis has the tools to do it.

Do you think you've got your enterprise patching problems solved because you push critical Windows patches once a month and within a day or so of their release?


Good for you, but what about all of those third-party applications running on your Windows machines? I'm talking about tools like Acrobat Reader, QuickTime, iTunes, Flash Player, Real Player, Java Runtime Environment, Firefox and the rest of the software zoo likely installed on every single desktop and laptop in your company. The sad truth is that most organizations don't bother patching these apps at all, and the many unpatched flaws they contain often leave systems wide open to attack.

When performing penetration tests, our consulting team always tries to incorporate client-side exploitation. During the process, we have customers use one of their own stock laptops to access our lab sites. From there, we serve up exploits for common Microsoft client software, including IE, Word and PowerPoint, as well as third-party applications.

Likewise, we then check the patch status of the various programs on the laptop, as well as run Microsoft's free Baseline Security Analyzer (MBSA), which checks patches on Microsoft's own software. Even for those clients who claim to patch their Windows machines diligently every month, we usually find that between one and five critical Microsoft patches are not installed.

While the Microsoft-related issues are serious enough, we always find vulnerable, outdated versions of third-party programs, through which we can almost always gain access. Acrobat Reader is the most commonly unpatched application. Regardless of the applications in question, users can't be counted on to manually activate update functionality; they will invariably skip critical updates. Furthermore, some third-party apps only offer patch notifications when the program is actually launched. If a user doesn't run the program for months, it'll be months behind. And many programs never check their own patch versions, running blissfully out-of-date forever.

In the past three years, the majority of released exploits have focused on compromising client-side applications. Attackers regularly use these exploits to spread bots, install spyware and steal enterprise secrets. If your security organization says that patching all client-side programs is simply too difficult, it has ceded significant territory in the internal network to the bad guys.

How to begin patching third-party applications
First, double-check the efficacy of your patching process for Microsoft software, especially Windows and Office. MBSA does a good job checking locally for such patches, so grab one of your organization's sample, standard-build laptops and verify that all critical patches are installed.

To get a comprehensive review of which Microsoft software is installed and how well it is patched, run MBSA locally on the sample laptop. In a Microsoft Knowledge Base article, the software giant sorts out those products whose patch levels must be checked with a local computer scan rather than a remote one. The list includes some versions of Outlook, PowerPoint, Project and Visio, all of which are important enterprise applications. If MBSA shows that Microsoft software patches are missing, troubleshoot the reasons why patches haven't made it to the laptop and check other systems as well.

Next, review the status of third-party products on the box. Shavlik Technologies provides a great list of Microsoft and third-party applications commonly included on enterprise systems. Check the version number of each of these by hand, or use a third-party management tool such as the commercial Shavlik NetChk Protect, which is available as a free trial.
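As an added example (not code from the article or from Shavlik), this PowerShell script automates the "check the version number by hand" step on the sample laptop: it reads the Windows Uninstall registry keys for the client applications the article names and flags anything below a minimum version you set. The minimum versions in $Baseline are hypothetical placeholders; fill them in from each vendor's current release before use.

```powershell
# Added example: inventory third-party client apps via the Uninstall registry keys
# and compare each installed version against an admin-maintained minimum.
$Baseline = @{                       # pattern -> minimum patched version (PLACEHOLDERS)
    'Adobe Reader*'       = '0.0'
    'Adobe Flash Player*' = '0.0'
    'Java(TM)*'           = '0.0'    # Java Runtime Environment
    'Mozilla Firefox*'    = '0.0'
    'QuickTime*'          = '0.0'
    'iTunes*'             = '0.0'
    'RealPlayer*'         = '0.0'
}
# Native, 32-bit-on-64-bit, and per-user installs each live under a different key.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
function ConvertTo-Version([string]$Text) {
    # Vendor strings are not always clean x.y.z: keep digits and dots, cap at 4 parts.
    $parts = @(($Text -replace '[^0-9.]', '').Split('.', [StringSplitOptions]::RemoveEmptyEntries))
    if ($parts.Count -eq 0) { return $null }
    if ($parts.Count -eq 1) { $parts += '0' }          # [version] needs at least major.minor
    if ($parts.Count -gt 4) { $parts = $parts[0..3] }
    try { return [version]($parts -join '.') } catch { return $null }
}
function Get-ThirdPartyPatchStatus {
    $installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayVersion }
    foreach ($pattern in $Baseline.Keys) {
        $need  = [version]$Baseline[$pattern]
        $found = @($installed | Where-Object { $_.DisplayName -like $pattern })
        if ($found.Count -eq 0) {
            [pscustomobject]@{ Application = $pattern; Installed = '-'; Minimum = $need; Status = 'NOT FOUND' }
            continue
        }
        foreach ($app in $found) {
            $have = ConvertTo-Version $app.DisplayVersion
            if ($null -eq $have)     { $status = 'UNPARSABLE' }   # review this one by hand
            elseif ($have -lt $need) { $status = 'OUTDATED' }
            else                     { $status = 'OK' }
            [pscustomobject]@{ Application = $app.DisplayName; Installed = $app.DisplayVersion
                               Minimum = $need; Status = $status }
        }
    }
}
Get-ThirdPartyPatchStatus | Sort-Object Status | Format-Table -AutoSize
```

A NOT FOUND row means the pattern matched nothing in the registry, which can also mean the product registers under a different DisplayName, so spot-check those entries before trusting the report.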


Three patch management strategies
Once you have determined the patch status of your sample laptop's applications, there are three options for addressing a vulnerability. One is to rely on existing Microsoft infrastructure to deploy patches for both Microsoft and third-party apps. Group Policy can be used to deploy patches for non-Microsoft products, but such an approach is limited because it can only push patches that are bundled up in .MSI, .MST and .MSP format.

A second method is to try to write your own script. You could push .EXE patches to machines across a domain, running them automatically as a start-up/logon script or using the Microsoft Sysinternals PsExec command to run a program remotely. The downside of this approach, however, is that it is labor-intensive and requires tweaking to make sure everything gets installed correctly.
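As an added example of the "write your own script" option (not code from the article), this PowerShell script pushes a single .EXE patch to a list of domain hosts with Sysinternals PsExec and records each outcome so the tweaking the article warns about has a log to work from. Hypothetical assumptions: psexec.exe is on the PATH, the account running the script holds local admin on every target, and the file paths and the silent-install switch are placeholders to be replaced with the vendor-documented values.

```powershell
# Added example: deploy one .EXE patch with PsExec and log the result per host.
$Hosts      = Get-Content 'C:\patching\hosts.txt'     # constructed: one hostname per line
$Patch      = 'C:\patching\ThirdPartyUpdate.exe'      # placeholder path to the vendor patch
$SilentArgs = @('/S')                                  # placeholder silent switch, one token per element
$Log        = 'C:\patching\deploy-results.csv'

function Invoke-PatchOnHost([string]$Computer) {
    if (-not (Test-Connection -ComputerName $Computer -Count 1 -Quiet)) {
        return [pscustomobject]@{ Host = $Computer; ExitCode = $null; Result = 'UNREACHABLE' }
    }
    # -s runs the installer as SYSTEM, -c -f copies it to the target (overwriting an old copy),
    # -accepteula suppresses the EULA prompt. PsExec returns the remote process's exit code.
    & psexec.exe "\\$Computer" -accepteula -s -c -f $Patch $SilentArgs 2>$null | Out-Null
    $code = $LASTEXITCODE
    $result = switch ($code) {
        0       { 'INSTALLED' }
        3010    { 'INSTALLED, REBOOT REQUIRED' }   # Windows Installer convention, if the .EXE follows it
        default { 'FAILED' }
    }
    [pscustomobject]@{ Host = $Computer; ExitCode = $code; Result = $result }
}

$results = foreach ($h in $Hosts) { Invoke-PatchOnHost $h }
$results | Export-Csv -Path $Log -NoTypeInformation
$results | Group-Object Result | Select-Object Name, Count | Format-Table -AutoSize
```

Follow a deployment run with the version inventory on a few of the patched hosts, because an installer can exit 0 without updating the component you cared about.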

A third approach is more expensive, but it is far simpler than the two methods above: Use a commercial product that allows for deploying third-party patches, and as a bonus, possibly Microsoft's own patches. Microsoft's Systems Management Server (SMS) 2003 can patch both Microsoft and non-Microsoft products. Using the built-in SMS Inventory Tool for Custom Updates (ITCU), it's possible to determine the patch level for various applications on managed systems. Then, with the SMS Custom Updates Publishing Tool (CUPT), you can create packages to push via SMS. If your organization already relies on SMS, start using ITCU and CUPT to handle third-party applications.

Besides SMS, a variety of other patching products are available. Shavlik's NetChk Protect, for example, can not only check which patches are installed, but can also manage and apply patches for a variety of applications. The inventory of patches that the Shavlik product can handle is constantly updated as well. Other patching tools that I've used in the enterprise effectively include those from BigFix, PatchLink and Symantec's Veritas Patch Manager.

Regardless of your chosen product, make sure that you embark on a program that thoroughly patches your client machines from all sides. Remember, attackers don't discriminate; they will use whatever application flaws they can find to victimize your organization.

About the author:
Ed Skoudis is a SANS instructor and a founder and senior security consultant with Intelguardians, a Washington, DC-based information security consulting firm. His expertise includes hacker attacks and defenses, the information security industry and computer privacy issues. In addition to Counter Hack Reloaded, Ed is also the author of Malware: Fighting Malicious Code. He was also awarded 2004, 2005 and 2006 Microsoft MVP awards for Windows Server Security, and is an alumnus of the Honeynet Project. As an expert on SearchSecurity.com, Ed answers your questions related to information security threats.
