Think 'Patch Tuesday' is just for Microsoft? Think again!

Summary: If you think Patch Tuesday is just for Microsoft, think again. From Cisco to Apple to Mozilla to Aruba wireless switches to Avaya VoIP systems, the industry is littered with critical flaws. Take a look at this bug list for February and see where you need to get to work on patching.

There are multiple Cisco vulnerabilities affecting IPS functionality in routers, PIX/ASA/FWSM firewalls and switches, and multiple Cisco vulnerabilities affecting SIP/FTP/HTTP inspection in PIX/ASA products.  While the patches are available, most Cisco devices are rarely if ever patched.  For example, here is a long list of issues from the last three months that many people are unaware of.  Too many people assume that network devices are plumbing and that you don't really have to think about them.  This list should scare you enough to patch every Cisco device on your network to the latest stable software release.  You should get into a permanent monthly "patch Tuesday" frame of mind for your Cisco equipment.

Cisco Firewall Services Module SIP DoS and ACL Corruption
Cisco IOS IPS Security Bypass and Denial of Service
Cisco IOS SIP Packet Handling Reload Denial of Service
Cisco IOS VTP Denial of Service Vulnerability
Cisco IOS Multiple Vulnerabilities
Cisco Products SSL/TLS and SSH Validation Security Issue
Cisco IOS DLSw Denial Of Service Vulnerability
Cisco Multiple Products JTapi Gateway Denial Of Service
Cisco Secure ACS Multiple Vulnerabilities
Cisco Clean Access Predictable Snapshots Filename
Cisco Clean Access Unchangeable Secret Security Issue
Cisco Secure Desktop Multiple Vulnerabilities
Cisco Products OpenSSL Vulnerabilities
Cisco Products OpenSSL Vulnerabilities
Cisco Security Agent LDAP Authentication Bypass

Microsoft had a relatively large batch of patches for the month of February to clear out a backlog of zero-day Microsoft Office exploits (Office 2007 exempt).  The first Vista remote exploit is, ironically, in the software that's supposed to be scanning for malware.

If you're running Trend Micro, you have two critical flaws to worry about so far this month.  There's a critical flaw in an ActiveX component from today and a critical UPX parsing flaw from last week.

Apple patches multiple critical vulnerabilities.  Many of these issues were zero-day exploits released during the MoAB (Month of Apple Bugs).

Firefox has one moderately critical flaw this month, disclosed today, though it isn't nearly as bad as the nine highly critical flaws last month.

There was a critical zero-day exploit for the Solaris Telnet daemon for those who are unfortunately still using Telnet.  Sun did a great job and released an emergency patch within a day, though I wish the patch would simply delete the Telnet daemon.

uTorrent (a superb BitTorrent client) suffered its first security vulnerability, a critical flaw in its handling of .torrent files.  The stable version 1.6.1, which has been patched for this vulnerability, is available for download on the uTorrent website.

Aruba, which makes wireless switch controllers and lightweight access points, suffered its first two critical vulnerabilities in its controller.  Patches are available on Aruba's support site.

Avaya VoIP products had two critical vulnerabilities this month.  There were several other less critical to moderately critical vulnerabilities in Avaya products this month, and flaws of every severity level in every previous month.  Get used to the idea of doing a monthly "patch Tuesday" for Avaya products if you don't want your phone system to go down or, worse, get hacked.

So what's the moral of the story?  The hardware and software industry needs to start doing some serious code auditing and patch Tuesday isn't just for Microsoft.

Talkback

44 comments
  • 'Patch Tuesday' is just for Microsoft

    That is a guaranteed regular event for Microsoft; the others generally patch when required and a lot less frequently.
    Trying to justify and lay a smoke screen over "Patch Tuesday" as a "normal" event doesn't work.
    All systems have problems, Microsoft just has a lot more than everyone else put together and on a prescribed day - it's Microsoft's "time of the month" whereas other systems have a headache now and again.
    deaf_e_kate
    • For Apple, Cisco, Avaya, Mozilla, it IS regular

      Haven't you noticed, Apple often has a dozen or more flaws a month on average. Firefox averages about half a dozen a month. Cisco is pretty regular. Oracle holds back for three months and releases a few dozen patches per quarter, though they've had quarters with more than 100 flaws. So you're just giving me a kneejerk response because you haven't actually looked at the track records. Microsoft has relatively few bugs for the amount of software they have in the market, yet Apple manages to beat them in flaw count with even less software.
      georgeou
      • Let see if it lasts for the non-MS systems

        "in 2006, IE was unsafe 78% (284/365) of the time - 27% (98/365) had known criminal use - compared to Firefox's 2% (9/365). This is an improvement for IE; in 2004, it was unsafe 98% of the time, and 54% of the time there was known active exploitation of them. But Firefox is improving too; in 2004 it was unsafe 15% of the time (with 0% known exploitation), and half of that time only affected Macintosh users." This quote is from David Wheeler's blog.

        Patch Tuesday has been going on for a few years in some form or another, since they finally decided to take their head out of the sand and consider putting their users (to some degree) before their ivory tower status. Once they can patch a flaw as quickly as they do when it affects RIAA/MPAA DRM, then they will have finally got it.
        Once the others are in the boat with monthly tranches of bug fixes for a few years, then you can repost your blog and it'll be true and I'll agree with you. But for now I'll still say you are trying to bury Microsoft's record.
        deaf_e_kate
        • Firefox patched faster, but they had a LOT more bugs

          Firefox patched faster, but they had a LOT more bugs. The stats are also deceptive in how they're counted. For example, we're only talking about the number of days a zero-day exploit has been published before a patch has been offered, and not the actual number of days that flaws existed. It gives the perception that Mozilla patches everything in a day, which is nonsense. The vast majority of patches for Firefox were bundled and batched into a rough one-month patch cycle. That's why you'd see Firefox patches with 12 exploits covered in them.

          You can't use those stats on IE7 versus FF2 at all. So far there have been zero zero-day critical flaws for either browser. However, Firefox has had 9 critical exploits already in the month of January; IE7 so far has only had 1 critical exploit, and they were both patched equally fast. So by that "safe" definition, they're both safe from openly published zero-day exploits as a general threat, but they both had flaws. However, FF2 has a LOT MORE flaws, and the quality of the audits is nowhere near as good as IE7.
          georgeou
          • Firefox doesn't cost $200+

            Considering what we pay for Windows and the profit margins that MS enjoys for it we should certainly be expecting superior software from them.

            I will admit one thing though, IE 7 on Mac OS X is definitely exploit proof (or was that execution proof). :-D
            Robert Crocker
          • True issue

            The real issue isn't the number of flaws that need patching, the issue is that MS will NOT violate its Patch Tuesday rule for ANY flaw, even if a patch is available, exploits are in the wild and systems are being compromised.

            Wait, let me amend that. There is one thing they will break their Tuesday cycle for: any flaw that breaks an MS DRM is patched within hours.
            frgough
          • And I've criticized them for this over and over again

            "The real issue isn't the number of flaws that need patching, the issue is that MS will NOT violate its Patch Tuesday rule for ANY flaw, even if a patch is available, exploits are in the wild and systems are being compromised."

            I've slammed Microsoft for this over and over again. IE6 did have fewer flaws than Firefox but they would wait a full month every time to patch it with WMF being the only exception to that rule. However, it's fair to say that IE7 hasn't really needed any patching except for the critical VML flaw but that was patched before it was found in the open.
            georgeou
          • I've also pointed out the DRM patches

            "Wait, let me amend that. There is one thing they will break their Tuesday cycle for: any flaw that breaks an MS DRM is patched within hours."

            I have pointed this out before in my blog about that Windows Media DRM cracker. It wasn't "hours", but it was within two days or so which is about 10 times faster than their typical emergency zero-day flaws.
            georgeou
          • and IE6 and IE5 and IE4

            Are they suddenly out of the stats? Add all of them together, then compare with Firefox.
            Personally I prefer Opera.
            deaf_e_kate
          • Firefox bundles minor patches

            When a critical vulnerability is found in Firefox, an update will be released as soon as a patch is developed. There's no waiting for the next scheduled release. They may average one security update a month, but some have come out in as little as a week after the last update.
            Greenknight_z
          • How did 9 Firefox 2 remote code execution exploits get bundled into one?

            Interesting theory, but how did 9 Firefox 2 remote code execution exploits get bundled into one? Did all 9 magically line up together?
            georgeou
      • I see you got your check from MS!

        For post complete and utter nonsense. I just reinstalled Windows XP SP2 for a friend; there were 97 patches that were over 5 GB in total. It's impossible to count the individual flaws patched, as MS advisories could cover from 1 to 100 per advisory. Those are only for MS products. Apple, on the other hand, releases patches for 3rd party software in their advisories. Apple's "patches" include Java fixes, Apache fixes, etc. So you can try and skew the numbers any way you want. But until you put up proof, you're only spreading lies. Just like you did when your boyfriend Maynor did his con job with the so-called wifi hole. You still haven't provided the so-called "super duper top secret info" that you claimed you had in August of 06. So keep on cashing those MS checks and spreading your lies. People are catching on to you.
        Rick_K
        • 5GB? Who's the liar?

          "For post complete and utter nonsense. I just reinstalled windows xp sp2 for a friend, there were 97 patches that were over 5 GB in total"

          A fully patched Windows XP SP2 system volume including the old SP uninstall files is around 1.5 GB. What are you smoking?
          georgeou
          • L A W L

            Apple hash!
            xxn1927
      • Nice!

        R e a d t h i s ! Don't just say 'Apple is better than Microsoft' ... research! George rules!
        xxn1927
    • in logic

      Ou is engaged in what is known as a Tu Quoque fallacy: two wrongs make a right. In plain language, he is trying to argue that because other companies have software flaws, Microsoft's software flaws are not an issue.
      frgough
      • So what do you call it when...

        Apple switches hard drives in 2 Macs that are in for repair, won't do anything about it, and the Mac zealots say "Yeah but Dell does the same thing!!!"? Just curious.
        NonZealot
        • ????

          "Apple switches hard drives in 2 Macs that are in for repair, won't do anything about it, and the Mac zealots say "Yeah but Dell does the same thing!!!"? Just curious."

          Are they under warranty? If not, why don't the end users just switch them out? It's about the same for both systems. The only difference is the fee MS will charge when WGA flags you as a "pirate". By the way, how is that $200 point upgrade from MS running?
          Rick_K
        • The same thing

          That's also a Tu Quoque fallacy.

          However, the fallacy you just used is a Red Herring (look it up).
          frgough
      • What the hell are you talking about?

        "Ou is engaged in what is known as a Tu Quoque fallacy: two wrongs make a right. In plain language, he is trying to argue that because other companies have software flaws, Microsoft's software flaws are not an issue."

        You're either very ignorant or you really like to troll.
        http://blogs.zdnet.com/Ou/index.php?p=135
        georgeou