Microsoft announced today that it is planning 10 patches next week, one of which addresses a vulnerability in SharePoint. However, waiting for patch cycles to mitigate vulnerabilities will not protect enterprises, warns Imperva.
Amichai Shulman, CTO of Imperva, makes the point that, since April 12, Microsoft SharePoint users have been vulnerable to a web-based attack through their help.aspx page. The problem was made public on April 29, and Microsoft has since been working to produce a patch, due for tomorrow (Tuesday June 8).
"Many organisations have SharePoint servers accessible from the Internet, for partners and customers to access that may be unprotected," comments Shulman.
"Having to wait almost two months for patching a vulnerability related to a very common attack vector [cross site scripting] is just too long," he adds. "We are repeatedly reminded by such incidents that, regardless of the amount of resources poured into SDLC, applications still go out of the factory door with vulnerabilities in them. Some of them pop up as a side note on a patch and some as 0days."
Shulman worries that we all rely on vendor patch cycles to keep our businesses secure. However, as one vulnerability is patched, sooner or later another appears. "Businesses need to ensure they are secure from all vulnerabilities whether notified or not," he says.
"The criminals do not need to wait for a vulnerability to be notified before they exploit it, so businesses with a public facing portal need to take a holistic approach to security and look at how they can protect their business at all times, especially between patch cycles, whether this is via a web application firewall (WAF) to mitigate vulnerabilities or other security tools," insists Shulman.