Microsoft Critical Security Updates on Path to Triple (August 2019)

Why are there 3x the number of “Critical” security updates since 2016?

Data from Microsoft Security Guide visualized using PyGal
Copyright Platte River Networks. All rights reserved.

In recent years we’ve noticed a significant rise not only in updates overall but in those specifically labeled “critical.” So we looked into the matter and found that our feelings were “way more than valid.”

Only three and a half years ago, in April 2016, Microsoft released about 150 of these severe patches per month. Sounds like a lot, but Microsoft is a big company, right? Well, the Security Tuesday in August 2019 released over 700 security patches. That was a big standout month to be sure, but not too much higher than the 500 or so we have come to expect in 2019. Is this the new normal? And if so, what does this disturbing trend mean for the countless small and mid-sized businesses relying on IT security and stability to function?

Why are critical security updates increasing so quickly?

Which scenario would you fear more?

  1. You live nestled in a peaceful, orderly and clean community where a policeman is dedicated to patrolling a two-block radius.
  2. The neighborhood is grungy and crime-filled, but there are no police present.
  3. The neighborhood is dirty, and you have actually seen burglaries happen right in front of you, but you also see police on every corner.

Scenario three is closest to the current state of the cyberworld. The last few years have seen a dramatic rise in cybercrimes but an even more dramatic rise in total damages from crimes. Businesses and consumers have embraced the cloud, which is good and necessary to provide competitive services. But that also means there is more value on the table for hackers to steal.

This has led to the creation of hacker organizations that operate like normal businesses. They employ talented coders to bend their thoughts toward nefarious ends, conducting dramatic heists.

“Critical” Microsoft Security Updates Protect against Current and Future Hacks

“Analysis by researchers at Recorded Future of exploit kits, phishing attacks and trojan malware campaigns deployed during 2018 found that flaws in Microsoft products were the most consistently targeted during the course of the year, accounting for eight of the top ten vulnerabilities. That figure is up from seven during the previous year. Patches are available for all the flaws on the list – but not all users get around to applying them, leaving themselves vulnerable.”

— ZDNet. “These are the top ten security vulnerabilities most exploited by hackers” (March, 2019)

We are looking at a highly mobile battleground. Hacker organizations are constantly targeting Microsoft products, which are by far the most commonly used worldwide. What are they looking for?

In small part, they are looking for new vulnerabilities to exploit. Though, to be fair, they rarely find a vulnerability before Microsoft does. “Zero-Day” vulnerabilities are vulnerabilities the hacking communities do manage to exploit before Microsoft can patch them. They make quite a stir when they do happen, but exploits against older, not-yet-updated versions are far more common, WannaCry being one of the most damaging of this type.

Strangely enough, hackers are the most avid readers of Microsoft Security Updates. Each update package is basically a list of attack trajectories they can use to pick off IT assets that have not been updated yet.

Think about it like this. “Zero-Day” exploits are like theoretical research, possibly leading to that once-in-an-age atom bomb but also requiring an incredible amount of resources and sheer luck to reach. Most “humdrum” exploits, by contrast, start from the discoveries that Microsoft makes. Hackers just have to weaponize the vulnerability and deploy it against older software versions before they are updated.

Microsoft “Critical” updates are countermeasures against potential hacks. 99% of the time they are proactive but absolutely necessary to keep users defended in the long term.

In case you are angry at Microsoft for publishing their updates…

Remember that all of the software vendors whose products work with Microsoft software need to understand whether the update will impact their software. Then they can update their software so it keeps working after the patch.

That’s all to say there isn’t any way around the current release schedule, but there is something businesses can do to protect themselves.

What Can Businesses Do to Protect Their Data?

In light of the recent explosion in hacking attacks and defenses, updates are becoming increasingly valuable.

It usually takes more than a month for the hacking community to weaponize vulnerabilities. For instance, the WannaCry vulnerability was leaked a few months before the attack. But would you stake your business security on a probable time-to-weaponize?

The best defense is clear: Keep systems updated monthly or bimonthly. This lifts your business out of the low-hanging fruit category and makes a breach extremely unlikely.

Of course, we know it can be difficult for businesses to keep up the pace, especially when running custom software that is also reliant on Microsoft products. It can easily become a full-time job just to ensure an update won’t break something.

That’s why we recommend our Intuition Managed Services Platform. Intuition ensures our customers have all their critical security updates managed, monitored, applied, tested, confirmed and maintained by our Intuition platform and our trusted staff of qualified engineers and technicians. For more information please email sales@platteriver.com today.