Decades ago, patching was, to lean into a corny joke, a bit patchy.
In the late 1990s, Microsoft shipped Windows 98 with a companion tool that located security patches for the operating system (OS) so that users could download and install them. That tool was simply called Windows Update.
But Windows Update had two big problems. First, it was opt-in: the user had to seek it out and install it, and a user who was unaware of Windows Update was just as likely to be unaware of the patches it delivered. Second, it did not scale. A corporation running hundreds of Windows machines had to install every update on every machine, and then uninstall any Microsoft patch that broke existing functionality.
That time sink was a real obstacle for systems administrators because, in the late 90s, patches weren't scheduled. They arrived whenever Microsoft learned of a vulnerability that needed to be addressed. Without a schedule, companies could only react to patches rather than plan for them.
So, between the late 90s and the early 2000s, Microsoft regularized its patching process, committing to release patches on the second Tuesday of each month. In October 2003, Microsoft formalized that cadence as Patch Tuesday.
Around the same time, the United States National Infrastructure Advisory Council began researching a way to communicate the severity of discovered software vulnerabilities. The result, published in 2005, was the Common Vulnerability Scoring System, or CVSS. Still in use today, CVSS is a formula that turns a vulnerability's characteristics (how it is reached, what privileges it needs, what it lets an attacker do) into a score from 0 to 10, with 10 the most severe. Note that the base score measures a vulnerability's intrinsic severity, not how much it matters to any particular environment.
Patch Tuesday and CVSS are good examples of what happens when people come together to fix a problem with patching.
But as we discuss in today's episode of the Lock and Code podcast with host David Ruiz, patching is backsliding, both in its effectiveness and in what vendors tell their customers. Companies are becoming more tight-lipped about what their patches do, leaving businesses in the dark about what a patch addresses and whether it is actually critical to their own systems.
Our guest, Dustin Childs, head of threat awareness for Trend Micro's Zero Day Initiative (ZDI), explains the consequences of such an ecosystem.
"If you're not getting the right information about a vulnerability or a group of vulnerabilities, you might spend your resources elsewhere and that vulnerability that you didn't think was important becomes very important to you, or you're spending all of your time and energy on."
Tune in today.
Show notes and credits:
Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)