Patching vulnerabilities has always been challenging, but these days, it is getting more and more complicated as manufacturers try to stay abreast of zero-day vulnerabilities and issue patches as quickly as they can.

Microsoft is well-known for its Patch Tuesday, which is a monthly roll-out of the patches for vulnerabilities it has become aware of in the past month. This past Tuesday, October 13, 2020, was Patch Tuesday for the month of October. It was not the largest release that Microsoft has had on Patch Tuesday this year, with a mere 87 patches. That is down from more than 100 patches released every month between March and September of 2020. In September, Patch Tuesday produced 129 patches.

When IT professionals receive 87 patches from one manufacturer in a month, it puts in perspective just how complicated and hard it is to keep up with all of the patches received from every software vendor and manufacturing companies are using in day to day operations. It could be a full-time job.

The failure to patch a vulnerability in a timely manner has been the cause of well-known security incidents and data breaches, which magnified the importance of timely patching. However, the number of patches continues to grow exponentially, making it difficult for IT professionals to keep up with the alerts. It is hard to imagine how they don’t become a little numb to the issuance of another patch.

When issuing the patches on Patch Tuesday, Microsoft categorizes the patches into “critical,” “important” and “moderate” in severity so that IT professionals can prioritize the patches when applying them to systems. They also provide helpful information about whether the vulnerabilities are known to be actively exploited by criminals at the time of the release. This month, 11 of the 87 patches were categorized as critical, 75 were categorized as important, and one was classified as moderate. Six of the vulnerabilities were publicly known at the time of the release, so were potentially available to criminals before the release.

According to reports by security experts, the recently released patches IT professionals may wish to concentrate on first this month are the ones that address vulnerabilities in remote code execution or RCEs, which allow attackers access to a system without user action—like clicking on a phishing email. Once in the system, the attacker can obtain privileges, start a ransomware attack or steal data.

Although patching gets more and more complicated, it is important for IT systems to continue to prioritize them and stay on top of security alerts from vendors regarding vulnerabilities. It is easy to become numb to the number and frequency of the issuance of patches, but it is critical to minimizing risk.

Photo of Linn Foster Freedman Linn Foster Freedman

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her…

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law.  Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.