Written By: Matthew Jones, CPA, CISA, OSCP, IS Audit Partner
Last Tuesday, Microsoft released MS14-045 to patch several local privilege escalation vulnerabilities in Windows kernel-mode drivers. Unfortunately, soon after the release, reports of the dreaded blue screen of death began to surface and were traced to installation of the patch, most notably on 64-bit versions of Windows 7. Microsoft has since pulled the patch and published a workaround; however, removing the patch from an affected machine requires manual deletion of system files and registry entries, a task that is not so simple on a network with dozens or hundreds of affected machines.
One of the more common exceptions that we see in our IT General Control Review engagements is that an institution does not have a patch management program that conforms to FFIEC guidance. The Information Security Booklet requires that financial institutions implement a patch management program that provides “for identifying, evaluating, approving, testing, installing, and documenting patches.” In many cases institutions focus only on the installing step and skip the others entirely, for example by configuring workstations to automatically download and install all Windows updates from the Microsoft Update service with no evaluation or testing in between.
Fortunately for most organizations, the footprint of affected machines is relatively small. According to Sophos, affected machines must “have one or more Open Type Font (OTF) files, installed in non-standard font directories, that are recorded in the registry with fully-qualified filenames.” Nonetheless, a properly implemented patch management program in accordance with FFIEC guidance has a much better shot at catching the bug during the testing phase than blindly installing the update throughout the organization and hoping for the best, provided the test group includes workstations configured like the rest of the fleet (in this case, machines with the same third-party fonts installed). If you were one of the unlucky ones that got hit with this issue, the Sophos article referenced above includes the steps to take to correct it.
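Because the Sophos precondition is a registry condition, it can be checked before the update is approved for deployment. The following PowerShell script is an added example written for this post, not code from Sophos or Microsoft. It reads the standard Windows font registration key (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts) and lists OTF entries recorded with a fully-qualified path that points outside %windir%\Fonts. It assumes that “non-standard font directories” means any directory other than %windir%\Fonts, and it also checks whether KB2982791 (the knowledge base article for MS14-045, which is not named in the post above) is already installed, so the same script can be used both before deployment and when triaging machines afterwards.

```powershell
# Added example (not from the original post, Sophos or Microsoft).
# Lists OpenType fonts registered with a fully-qualified path outside the
# system font directory, which is the precondition Sophos describes for the
# MS14-045 blue screen, and reports whether the update itself is installed.

# Standard location where Windows records installed fonts.
$FontsKey      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts'
$SystemFontDir = Join-Path $env:windir 'Fonts'
# Assumption: KB2982791 is the KB article for MS14-045 (not stated in the post).
$Ms14045Kb     = 'KB2982791'

function Get-NonStandardOtfFonts {
    param(
        [string]$KeyPath     = $FontsKey,
        [string]$StandardDir = $SystemFontDir
    )
    $key = Get-ItemProperty -Path $KeyPath
    foreach ($prop in $key.PSObject.Properties) {
        # Skip the metadata properties PowerShell adds (PSPath, PSParentPath, ...).
        if ($prop.Name -like 'PS*') { continue }
        $value = [string]$prop.Value

        # Only OTF files matter here.
        if ($value -notmatch '\.otf$') { continue }

        # A bare filename (e.g. "arial.ttf") resolves to %windir%\Fonts and is fine;
        # the problem case is a fully-qualified path.
        if (-not [System.IO.Path]::IsPathRooted($value)) { continue }

        $dir = [System.IO.Path]::GetDirectoryName($value)
        if ($dir.TrimEnd('\') -ieq $StandardDir.TrimEnd('\')) { continue }

        [pscustomobject]@{
            RegistryName = $prop.Name
            Path         = $value
            FileExists   = Test-Path -LiteralPath $value
        }
    }
}

function Test-Ms14045Installed {
    param([string]$KbId = $Ms14045Kb)
    # Get-HotFix queries the installed updates via WMI; null means not installed.
    $null -ne (Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
}

$hits = @(Get-NonStandardOtfFonts)
$installed = Test-Ms14045Installed

Write-Output ("{0}: {1} installed = {2}" -f $env:COMPUTERNAME, $Ms14045Kb, $installed)
if ($hits.Count -eq 0) {
    Write-Output "No OTF fonts registered from non-standard directories; this machine does not match the Sophos precondition."
} else {
    Write-Output ("{0} OTF font(s) registered outside {1}; review before deploying MS14-045:" -f $hits.Count, $SystemFontDir)
    $hits | Format-Table -AutoSize
}
```

Run it locally on the machines in your test group before approving the update, or push it to the fleet with Invoke-Command -ComputerName so you know in advance which workstations match the precondition rather than discovering them one blue screen at a time.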
All organizations should treat this as a demonstration of what can happen when patches are not properly vetted, and reflect on their existing patch management procedures. Ask yourself what the impact on your organization would be if a faulty patch were installed on all of your workstations, and whether your patch management program would have caught it prior to mass installation. If the answer is no, then it is probably time to re-evaluate your patch management program!