Do you automatically and promptly apply security patches to your servers?
If not, you should.
Most bug fixes and security patches address obscure problems that are hard to trigger and have limited impact. Every once in a while, however, something big comes along. Usually, there is an inverse correlation between problem severity and press coverage. Do you remember “heartbleed”? Not a serious problem in most cases.
Today we see a serious security bug. MS15-034 — this is a remote code execution attack against IIS on all Windows platforms. Scary stuff.
If you haven’t applied the hotfix for this bug yet — stop reading and do that now. It’s that serious.
The philosophical take-aways from this are:
- Microsoft should know better than to embed bits of the web server in the OS kernel. Nobody else does that, and for good reason. Microsoft moved bits of IIS into the kernel for performance reasons, and this is precisely the reason why it’s a bad idea.
- All organizations should apply security patches automatically and promptly. If you had to wait to read this blog to apply this patch, you’re moving more slowly than your adversaries, with predictable consequences.
- It’s a safe bet that all software has bugs, and that some of those bugs have security consequences. Build defense in depth, build heterogeneous defenses and try to compensate using well thought out business processes (such as frequent and automated password changes).