The Meaning of Out-of-band Patches and Their Microsoft History

Microsoft is planning to release an out-of-band patch for a zero-day vulnerability at noon CST today.

We can set our calendars to every second Tuesday of the month (known as Patch Tuesday) for new Microsoft security bulletins. Microsoft Patch Tuesday has become a ritual for the IT security industry. Today is a stark reminder that you must always be vigilant and informed about the happenings in the security industry. At any time, a vendor may release a patch out-of-band to address a zero-day vulnerability.

When is an out-of-band patch warranted?

Only a software vendor can make the decision on when a patch for a vulnerability should be released out-of-band from its normal release cycle.  Typically, a vendor will release a patch out-of-band when there are active exploits against the vulnerability, the vulnerability details have been released publicly, and the software affected could present a major attack outbreak.  With today’s release, all three of these criteria have been met.

Out-of-band patch releases are risky for the software vendor

When a patch is deemed necessary to be released out-of-band, the software vendor creating the patch is taking on risk.  In my post yesterday, I talked about the risk that IT administrators may take when implementing workarounds.  With software vendors, the risk of incorrect patch creation and testing is greatly increased.  The patch may fix the vulnerability, but there is always the possibility that a software patch will break normal functionality of a program.   For example: a patch fixes a vulnerability but the program now crashes when printing or saving.

Pay attention to all patches after applying, especially out-of-band patches

There is a chance with any patch that functionality could be broken. With out-of-band patches, pay attention to the patched product to ensure other functionality is not broken. If you find some functionality is broken, do not simply remove the patch. Contact the software vendor to determine if restoring the functionality but re-introducing the vulnerability is worth the risk.

Out-of-band patch releases, not as common as we think

Since January 2010, Microsoft has released 269 security bulletins. Only six of these bulletins (including today’s release) have been released out-of-band. In fact, the last out-of-band patch release from Microsoft came nine months ago.

| Year | Total Bulletins | Out-of-Band | % Out-of-band |
|------|-----------------|-------------|---------------|
| 2010 | 106             | 4           | ~4%           |
| 2011 | 100             | 1           | ~1%           |
| 2012 | 63*             | 1           | ~2%           |

(Note: 2012 includes today’s security bulletin release)

Security advisories do not mean out-of-band

Yesterday, I talked about zero-day vulnerabilities and security advisories.  Microsoft quite often will release security advisories throughout any given month.  The majority of these security advisories (pertaining to zero-day vulnerabilities) are fixed during a scheduled Patch Tuesday.  Below, you can see all of the security advisories Microsoft has released and the date they have released a patch to fix the vulnerability.  As you can see, active exploits happen quite often and do not warrant an out-of-band patch.

| Advisory Release Date | Advisory # | Vulnerable MS Product | Fixed In | Fixed Date | Out-of-band | Days Between Advisory/Release |
|---|---|---|---|---|---|---|
| 1/14/2010 | 979352 | Internet Explorer | MS10-002 | 1/21/2010 | Yes | 7 |
| 11/13/2009 | 977544 | OS – SMB | MS10-020 | 4/13/2010 | No | 150 |
| 1/20/2010 | 979682 | OS – Kernel | MS10-015 | 2/9/2010 | No | 19 |
| 2/3/2010 | 980088 | Internet Explorer | MS10-035 | 6/8/2010 | No | 125 |
| 2/9/2010 | 977377 | OS – SChannel | MS10-049 | 8/10/2010 | No | 181 |
| 3/1/2010 | 981169 | OS – VBscript | MS10-022 | 4/13/2010 | No | 42 |
| 3/9/2010 | 981374 | Internet Explorer | MS10-018 | 3/30/2010 | Yes | 21 |
| 4/29/2010 | 983438 | Sharepoint | MS10-039 | 6/8/2010 | No | 39 |
| 5/18/2010 | 2028859 | OS – Canonical Display Driver | MS10-043 | 7/13/2010 | No | 55 |
| 6/10/2010 | 2219475 | OS – Help | MS10-042 | 7/13/2010 | No | 33 |
| 7/16/2010 | 2286198 | OS – Windows Shell | MS10-046 | 8/2/2010 | Yes | 16 |
| 9/17/2010 | 2416728 | .NET Framework | MS10-070 | 9/27/2010 | Yes | 10 |
| 11/3/2010 | 2458511 | Internet Explorer | MS10-090 | 12/14/2010 | No | 41 |
| 12/22/2010 | 2488013 | Internet Explorer | MS11-003 | 2/8/2011 | No | 46 |
| 1/4/2011 | 2490606 | OS – Windows Shell Graphics | MS11-006 | 2/8/2011 | No | 34 |
| 1/28/2011 | 2501696 | OS – MHTML | MS11-026 | 4/12/2011 | No | 74 |
| 9/26/2011 | 2588513 | OS – SSL/TLS | MS12-006 | 1/10/2012 | No | 104 |
| 11/3/2011 | 2639658 | OS – Kernel-Mode Drivers | MS11-087 | 12/13/2011 | No | 40 |
| 12/28/2011 | 2659883 | .NET Framework | MS11-100 | 12/29/2011 | Yes | 1 |
| 6/12/2012 | 2719615 | MS XML Core Services | MS12-043 | 7/11/2012 | No | 29 |
| 7/24/2012 | 273711 | Exchange Server | MS12-058 | 8/15/2012 | No | 21 |
| 9/17/2012 | 2757760 | Internet Explorer | MS12-063 | 9/21/2012 | Yes | 4 |

(Note:  Not all security advisories from Microsoft have a security bulletin associated.  Some security advisories have workarounds, information only or non-security patches associated.  These security advisories are not included in this list.)

Today’s scheduled security bulletin affects an Internet browser, so this should be high on your priority list for patch deployment today or this weekend.  With any out-of-band release, you should deploy the patch as soon as possible to prevent any attackers from taking advantage of the vulnerability on your network.

– Jason Miller