Patch Management for Home Users

Posted by ISL Admin on Sunday, August 02, 2015 with No comments

For system administrators, patch management is a routine activity. But for most home users, patch management is uncharted waters. When to patch products and how often patches need to be applied are questions that most home users never think about. Knowing what to patch, and when, can make a real difference to the security of your home computer or network.

First things first, let's clarify some terms. The following definitions come from a post by Allen Householder on the CERT blog.

Zero Day Exploit (a.k.a 0-day)

There are many definitions of zero-day exploit available. These definitions are not merely diverse wordings that map onto the same concepts; they refer to distinct (albeit related) concepts.

"A zero-day exploit is one that takes advantage of a security vulnerability on the same day that the vulnerability becomes generally known. There are zero days between the time the vulnerability is discovered and the first attack." — SearchSecurity

By the way, nothing in this definition talks about patch availability. We'll come back to that in a moment.

"A zero day exploit attack occurs on the same day a weakness is discovered in software. At that point, it's exploited before a fix becomes available from its creator." — Kaspersky

Stating it explicitly: if the following events occur (a) a vulnerability is announced by a vendor, (b) a patch is provided along with the announcement, and (c) it is exploited on the same day (whatever you decide that means, just be consistent), definition 1 says it's a zero-day exploit while definition 2 says it isn't.

"An attack on a software flaw that occurs before the software's developers have had time to develop a patch for the flaw is often known as a zero-day exploit. The term "zero-day" denotes that developers have had zero days to fix the vulnerability. It can also refer to attacks that occur on the same day (day zero) a vulnerability is disclosed. In fact, some zero-day exploits are the first indication that the associated vulnerability exists at all." — Tom's Guide

Here we find that the definition hinges on the existence of a patch. A strict interpretation of this definition would permit someone to apply the zero-day exploit label even if the vulnerability is known to the vendor and the public long before the first attack. The vulnerability may have been known to the vendor for months, and a patch is in development but does not yet exist. Thus definition 3 directly conflicts with both definitions 1 and 2 above. Definition 1 says nothing of patches. Definition 2 talks about patch availability, not existence.

"Zero-day attacks...software or hardware vulnerabilities that have been exploited by an attacker where there is no prior knowledge of the flaw in the general information security community, and, therefore, no vendor fix or software patch available for it." — FireEye

Granted, this definition is for a zero-day attack, but since it mentions exploitation, I think we are justified to include it here. FireEye adds hardware to our growing list of definitions. Further, they discriminate based on the state of knowledge of the general information security community, with the implication that if that community is unaware of the vulnerability, there must not be a patch available. From context, this general information security community appears to be larger than the affected vendor(s) yet smaller than the public. So while it shares some degree of overlap with the other definitions discussed above, it remains distinct in its referents.

There is no generally accepted formal definition for "0Day (also known as zero-day) vulnerability." The term has been used to refer to flaws in software that no one knows about except the attacker. Sometimes the term is used to mean a vulnerability for which no patch is yet available.

Shortly after the Italian firm Hacking Team was hacked, at least two zero-day exploits the firm possessed were released to the public, along with about 400GB of company emails and other data.

Hacking Team has long been a source of controversy because the company sells surveillance tools to law enforcement and intelligence agencies around the world—among them repressive regimes that use the tools to spy on human rights activists and political dissidents.

But the hack of last week highlights another serious issue around Hacking Team and companies like it that stockpile or store zero-day exploits, including software vendors who run bug bounty programs: they can be rich targets for hackers who might want to steal the zero-days to use them for nefarious purposes or sell them. This places an added onus on companies to protect their repositories to prevent the zero-days from getting into the hands of unintended parties.

Automating Patch Management

Enable automatic updates for your software, and apply patches whenever a program asks to be updated. Not every update is issued for security reasons, but a security patch may ship together with a functional update. Microsoft Windows offers automatic Windows updates, and in its newest release, Windows 10, installing them will no longer be optional. So keeping Windows up to date is easier than ever for users who choose this option.

Problems with Patches

The main risk with patching software is breaking other programs. This usually only happens with updates to larger programs that other programs depend on, such as operating systems, anti-virus software, etc. Applications that no other software relies on are usually immune. With automated patch management this can happen without you realizing it. The problem can be mitigated by patching manually, but knowing when and what to patch may be a hassle for home users.

When to Patch?

The short answer is: as soon as a stable patch or fix is released by the vendor. It is good practice to check for patches to your software products about once per month. If you use your computer daily, or it stays online constantly, as with high-speed connections, you may need a stricter patch schedule, such as weekly or bi-weekly. Of course, automated patch management software can eliminate the need for such time-consuming tasks.

As mentioned, automating patch management can save a lot of time and energy. Check with your software vendor for information on when patches are usually released, and check whether the program offers automatic updates. This mundane task can then be handled with little user intervention, and it may be possible to run it when the computer is idle or late at night, when it is not in use and updating does not compete with your browsing bandwidth.
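As an added example for the two sections above (not code from the original post), the following PowerShell script lets a home user check whether Automatic Updates is actually enabled on a Windows machine and whether any pending security update has been available longer than the post's suggested monthly check interval. It assumes a Windows PowerShell session with access to the Windows Update Agent COM objects; the 30-day threshold is a constructed value taken from the post's "about once per month" advice.

```powershell
# Added example: audit Automatic Updates and age pending updates on Windows.
# Assumes the Windows Update Agent COM objects are available locally.

$MaxAgeDays = 30   # the post recommends checking roughly once per month

# 1. Is Automatic Updates enabled, and when did it last succeed?
$au = New-Object -ComObject Microsoft.Update.AutoUpdate
$levels = @{ 0 = 'Not configured'; 1 = 'Disabled'; 2 = 'Notify before download';
             3 = 'Notify before install'; 4 = 'Scheduled install' }
Write-Host ("Automatic Updates      : {0}" -f $levels[[int]$au.Settings.NotificationLevel])
Write-Host ("Last successful search : {0}" -f $au.Results.LastSearchSuccessDate)
Write-Host ("Last successful install: {0}" -f $au.Results.LastInstallationSuccessDate)

# 2. Ask the Windows Update Agent for updates that are not yet installed.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and IsHidden=0").Updates

# 3. List each pending update; flag security updates older than $MaxAgeDays.
$now    = Get-Date
$cutoff = $now.AddDays(-$MaxAgeDays)
foreach ($u in $pending) {
    $isSecurity = @($u.Categories | Where-Object { $_.Name -eq 'Security Updates' }).Count -gt 0
    $age  = ($now - $u.LastDeploymentChangeTime).Days
    $flag = if ($isSecurity -and $u.LastDeploymentChangeTime -lt $cutoff) { 'OVERDUE' } else { '' }
    "{0,-8} {1,-9} {2,4}d  {3}" -f $flag, $u.MsrcSeverity, $age, $u.Title
}
if ($pending.Count -eq 0) { Write-Host "No pending updates: the machine is fully patched." }
```

Any line marked OVERDUE is a security fix the vendor released more than a month ago that the machine still has not applied, which is exactly the exposure window the post warns about.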

Act proactively to minimize exposure to known vulnerabilities and zero-day attacks.



Information Security League, through our partnership with Heimdal Security, offers you a 70% discount on Heimdal Pro. Just use infosecleague34 as the voucher code on their site when you order the product.