Among IT systems that cybercriminals successfully attack and compromise, the majority are running software containing exploitable vulnerabilities. And, while a plethora of defensive tools and technologies exist to help detect and stop cyber attacks, none of them solve the underlying weakness of vulnerable code that puts devices and systems at continual risk.
The problem is only getting worse. In 2021, the National Vulnerability Database added almost 22,000 new vulnerabilities — another record year. That makes patch management an increasingly important part of any security strategy, but it’s easier said than done.
According to Edgescan’s “2021 Vulnerability Statistics Report,” the average organization’s mean time to remediate a vulnerability once it’s identified — known as the security update gap — is 60.3 days. That gives an attacker 60 days to find and exploit systems hosting that vulnerability. Unfortunately, many organizations won’t have that long to remediate; once a security vulnerability in an internet-facing service is made public, malicious code to exploit it usually appears within 48 hours.
Regrettably, many vulnerabilities never get patched at all. In the Equifax breach, for example, attackers entered via a known, unpatched bug. Many of today’s malware and ransomware variants take advantage of CVEs that have been around for five years or more.
Why is patch management so difficult?
There are various reasons vulnerabilities get patched so slowly or not at all. First, users have to wait for a vendor to analyze and fix a flaw and then distribute a patched version of its software. And, while automatic and semiautomatic software updates from companies such as Microsoft, Apple, Adobe and Google help immensely in keeping many common software programs up to date, they often require system reboots, which may not be convenient or even viable for some businesses. Enterprises also have to rigorously test updates before they can roll them out to production systems, a complex, cumbersome process that can take weeks or months.
The other big reason patches never get applied is that individuals and enterprises alike prioritize productivity over security. Users often resist closing running programs to reboot and apply software updates, either because they don’t want to or they can’t, especially in the case of mission-critical business applications.
In Splunk’s “The State of Security 2022” report, 44% of organizations surveyed said they have suffered disruption of business processes due to breaches, and 44% have lost confidential data. Both figures are up sharply from the previous year. The cost and disruption of a security breach surely outweigh the cost and disruption of installing critical security patches. Nonetheless, most IT users continue to put productivity ahead of security, giving attackers a clear advantage and highlighting the need for a different approach to patching.
What is micropatching?
One possible way to decrease time to patch is micropatching — using a tiny piece of code to fix a single vulnerability, without requiring a system reboot. Similar to a hotfix or Microsoft Quick Fix Engineering update, a micropatch is applied to a hot, or live, system, without the need for any downtime or outages.
But, while a traditional hotfix update typically resolves a variety of issues and may even add new features, a micropatch fixes just one problem using the fewest possible lines of code, with the goal of minimizing side effects that could affect baseline functionality. This means the patch itself can be small, consisting of simple data about the following:
- the patch
- the vulnerable app
- the location for injecting the patch
- the patch code itself
Micropatches are currently available primarily from third-party providers, rather than original software vendors.
The primary benefits of micropatching include the following:
- Speed. A micropatch can be deployed in hours rather than weeks, as it takes much less time to test whether the patch will interfere with baseline functionality.
- Simplicity. The fact that micropatches can be quickly applied and removed either locally or remotely also simplifies production testing.
- Uptime. Micropatching doesn’t require downtime because it doesn’t replace or modify the executable files on disk. Rather, the fix is applied in memory, which can be done without having to restart the software or system, enabling users and critical systems to continue working undisturbed. This technique is called function hooking and has been around for some time. In the case of micropatching, function hooking is used to inject the patch code at a point in the running process so that execution bypasses the vulnerable code.
Some proponents also claim that micropatching can secure legacy, end-of-life and unsupported products — such as Office 2010, Java Runtime Environment, Windows 7 and Server 2008 R2 — and make them safe to use, even though the original vendors no longer support them.
Overall, the speed, ease and unobtrusiveness of micropatching can help reduce the security update gap. This, in turn, makes it harder for hackers to use popular attack vectors, such as buffer overflows and dynamic link library injection.
Micropatching risks and limitations
While micropatching enables vendors and developers to deliver bug fixes to users quickly and automatically, security teams need to be able to validate the trustworthiness of a patch before they can deploy it. Official, traditional vendor patches come from trusted and secure servers. But, without similarly trustworthy infrastructure in place, there is no way to be sure that a micropatch from a third-party provider doesn’t add malicious code or enable access to sensitive APIs and data.
Also, since many software vendors presently consider micropatching to be unsanctioned, out-of-band patching, it could break their licensing terms and conditions.
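To make the patch structure, the in-memory hooking and the trust check above concrete, here is an added Python model (not code from the article or from any micropatching vendor): a hypothetical vulnerable handler `read_record`, a dispatch table standing in for the live process's function table, and a constructed HMAC key standing in for the provider's signature. The descriptor carries the four items the article lists (patch id, target and its version hash, hook location, patch code), and the apply step refuses an unsigned patch or a mismatched target before hooking, and can be removed again.

```python
import hashlib
import hmac

BUF_SIZE = 16
SIGNING_KEY = b"constructed-demo-key"  # stand-in for the patch provider's signing key

def read_record(payload: bytes) -> bytes:
    """Hypothetical vulnerable handler: trusts the length byte, so a long payload
    grows the buffer past BUF_SIZE (the Python analogue of a C buffer overrun)."""
    buf = bytearray(BUF_SIZE)
    length = payload[0]
    buf[0:length] = payload[1:1 + length]
    return bytes(buf)

# The app's dispatch table plays the role of the running process's function table.
dispatch = {"read_record": read_record}

def fingerprint(fn) -> str:
    """Binds the patch to the exact code version it was written for."""
    return hashlib.sha256(fn.__code__.co_code).hexdigest()

def guard(payload: bytes) -> None:
    """The micropatch code itself: the single missing bounds check."""
    if payload[0] > BUF_SIZE:
        raise ValueError("micropatch: length exceeds buffer")

def sign(patch: dict) -> bytes:
    msg = "|".join([patch["id"], patch["target"], patch["target_hash"],
                    patch["hook"], fingerprint(patch["code"])]).encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).digest()

# Descriptor: the patch, the vulnerable app (by hash), the injection point, the code.
PATCH = {"id": "DEMO-0001", "target": "read_record",
         "target_hash": fingerprint(read_record), "hook": "entry", "code": guard}
PATCH["sig"] = sign(PATCH)

def apply_micropatch(patch: dict, table: dict) -> bool:
    """Verify provenance and target version, then hook the function in memory."""
    if not hmac.compare_digest(sign(patch), patch["sig"]):
        return False                       # untrusted or tampered patch
    original = table.get(patch["target"])
    if original is None or fingerprint(original) != patch["target_hash"]:
        return False                       # different build or already hooked
    def hooked(payload: bytes) -> bytes:
        patch["code"](payload)             # guard runs first; raising bypasses the vulnerable path
        return original(payload)
    hooked.__wrapped__ = original          # kept so the patch can be removed without a restart
    table[patch["target"]] = hooked
    return True

def remove_micropatch(patch: dict, table: dict) -> None:
    table[patch["target"]] = table[patch["target"]].__wrapped__
```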
Micropatching as a service
Some companies are starting to specialize in providing micropatching as a service for certain OSes — monitoring for newly discovered or published vulnerabilities and publishing micropatches for them. The most notable and well-known example is 0patch from Acros Security, based in Slovenia.
Devices subscribed to such a service can download new micropatches as soon as they are available. A management dashboard shows all associated devices, and administrators can decide to automatically apply a patch across all of them or only to select groups, such as noncritical or test devices. Alternatively, they can also choose to wait and manually trigger installation after they’ve successfully tested the micropatch.
Future of micropatching
A strong patch management strategy dramatically increases an IT environment’s resilience to attack. Yet, security teams continually struggle to deploy patches across devices in a timely, safe and scalable manner. Plus, legacy applications with lost or poorly documented source code present additional problems, often resulting in aging yet mission-critical software remaining unpatched indefinitely.
Micropatching could greatly reduce the security update gap by making it possible to fix vulnerabilities with less risk and hassle before software companies have released their own official patches. It has some way to go before it becomes a mainstream option, but industry leaders are already taking micropatching seriously.
For example, the Defense Advanced Research Projects Agency has started the Assured Micropatching (AMP) program. Along with researchers from organizations such as the Center for Cybersecurity and Digital Forensics at Arizona State University, AMP aims to support rapid patching of legacy binaries in mission-critical systems.
If a trustworthy and reliable ecosystem develops for creating micropatches for all the main OSes and software products, then patch management may become a lot quicker and easier. That, in turn, would make life a lot harder for cybercriminals.