I've always believed that using what you've got is a wise approach to IT security, but just because a technology is built in or "free" doesn't mean it's the best solution for the enterprise. Microsoft's Windows Server Update Services (WSUS) is no exception. Without fail, in every internal security assessment I'm involved with, there's at least a handful -- often dozens or more -- of workstations that are missing critical patches. With auditors, regulators and malware writers doing everything they can to make IT administrators' lives more difficult, unpatched desktops are the last thing you need.
It doesn't require elaborate hacking skills to uncover these desktop vulnerabilities. All it takes is running a basic vulnerability scanner such as QualysGuard or GFI LanGuard to find the weaknesses. I often find missing patches in Windows XP dating back to 2002. Even current Windows 7 patches are absent. Yet, at the same time, WSUS reports that everything is current. What gives?
Even more of a concern is WSUS's lackluster ability to patch third-party software from Adobe, Java and the like. The extensibility is available, but it's hardly ever used. Unpatched third-party software is arguably the biggest desktop hole. According to Microsoft's 2011 Security Intelligence Report, Java exploits made up 33% to 50% of all exploits.
More on WSUS and Windows patching
How to remove a bad patch using WSUS
Answering a WSUS configuration question
Addressing problems with WSUS connectivity
Use WSUS to automate Windows patch management
Windows 7 has built-in security tools
The simple solution to this age-old problem may be to invest in a third-party patch management tool that can handle third-party applications. If your budget is a little tight, you may want to check out the open source Local Update Publisher tool that integrates with WSUS. The important thing is to not overlook third-party patches.
I've yet to get to the bottom of why WSUS falsely reports that all's well with Windows patching when that's not the case. It may be related to certain patch installations failing and Windows not reporting back to WSUS. Or perhaps admins, vendors or users have uninstalled certain patches, and the changes never made it to WSUS. Regardless, if you use WSUS, this is a problem that's virtually guaranteed to be on your network right now. There's only one way to find out: Run a vulnerability scanner of every desktop. Ideally, you'll want to run your first scan with authentication so the tool can actually log in to see everything that's missing.
Centralized management, control and visibility are essential for security. WSUS certainly helps in this regard, but it's not a complete solution. In security, the simple stuff will get you. Unpatched desktops should not be ignored. As Microsoft outlined in its Security Intelligence Report, nearly half of malware infections were the result of people making bad choices. You have to set your users up for success. A fragile and unproven patching process that facilitates the exploitation of user gullibility is not really a user problem. It's a failure of IT shops to use the proper security tools to keep desktops in check.
Know your environment -- including potential gaps in desktop security. Even if WSUS reports that all is well, you still need to verify. This Windows patching weakness is everywhere, and it doesn't have to be. Address gaps in desktop patch management today, and be done with it. There are many bigger and better things you can be doing with your time.
This was first published in January 2013