Imperva CTO says Patch Tuesday only resolves disclosed vulnerabilities
June 2010 by Imperva
Microsoft announced it is planning 10 patches next week, with one of them addressing a vulnerability in Sharepoint. However, waiting for patch cycles to mitigate vulnerabilities will not protect enterprises.
Since April 12, Microsoft SharePoint users have been vulnerable to a web-based attack through their help.aspx page. The problem was made public on April 29, after which Microsoft has been working to produce a patch, due for next Tuesday June 8.
“Many organizations have SharePoint servers accessible from the Internet, for partners and customers to access that may be unprotected. Having to wait almost two months for patching a vulnerability related to a very common attack vector (Cross Site Scripting) is just too long,” said Amichai Shulman, CTO, Imperva. “We are repeatedly reminded by such incidents that regardless of the amount of resources poured into SDLC applications still go out of the factory door with vulnerabilities in them. Some of them pop up as a side note on a patch and some as 0days.”
Shulman continues “We all rely on vendor patch cycles to keep us and our businesses secure, however as one vulnerability is patched, sooner or later another one will appear. Businesses need to ensure they are secure from all vulnerabilities whether notified or not.”
“The criminals do not need to wait for a vulnerability to be notified before they exploit it, so businesses with a public facing portal need to take a holistic approach to security and look at how they can protect their business at all times, especially between patch cycles, whether this is via a web application firewall (WAF) to mitigate vulnerabilities or other security tools. For those relying on Microsoft’s patch cycles the only mitigation possible in the short term is ‘virtual patching’ via a WAF,” Shulman adds.
For more on Microsofts Patch Tuesday - http://bit.ly/bc85JV
For more information on Imperva – http://bit.ly/aKrtxj