Patch Lag is the time between patches being released and their application by users and organisations. In a new blog by Vinay Pidathala from Menlo Research, he highlights, in the case of Google Chrome, how long it takes for users to patch their browsers. On average, it takes a month before any start a significant application of major patches. It can continue for several months as laggards finally apply outstanding patches.
Pidathala writes: “while Chrome 87 was released on November 17, it took at least a month for customers to start updating their browsers. December was when Chrome 87 saw adoption rates of close to 84 percent. We see the same trend going into January 2021.”
That patch lag might be closing. Pidathala notes: “Chrome 88 was released on January 19, 2021, and we are now seeing a considerable increase in Chrome updates. This quicker adoption for Chrome 88 might be attributed to the recent SolarWinds breach, with customers being more vigilant with updates.”
Some industries and regions are acting faster than others
One of the things to come out of the blog is that some industries and regions are trying to eliminate patch lag. Pidathala did not say why this was but did name four specific industries:
- Finance and Banking
- Government
- Construction
- Oil and Gas
Pidathala also says that customers in North America and Singapore were the two regions where customers update as soon as the patch releases.
What is causing patch lag?
By default, Chrome’s built-in auto-update feature checks for the latest version several times a day. When it finds an update, it downloads and installs it. That doesn’t mean everyone is updated immediately. There is a delay while Google synchronises its updates around the world. However, that delay is minimal.
What is happening here is that auto-update has been disabled through the use of enterprise policies. It is likely that many other software updates from other vendors are also delayed due to the policies. This is often caused by organisations that still don’t trust software to auto-update and control the process.
It is also important here to separate Chrome from Chromium-based browsers. Many browser vendors use the Chromium engine, including Microsoft Edge, Brave, Epic and several others. All of these rely on the vendor to set the auto-update cycle rather than Google.
Enterprise Times: What does this mean?
Patch lag is becoming a serious security problem. It is driven by centralised IT’s control nature and a lack of trust in vendors’ auto-update process. Cybercriminals are taking advantage of this growing gap in IT security. As Pidathala point out, it leaves companies open to zero-day attacks.
He writes: “While we continue to see new and novel types of attacks, one attack technique that has persisted is the use of web browser exploits to compromise endpoint systems. While we do not see a lot of exploit kits these days, we are seeing more sophisticated attackers that continue to use this infection vector by developing zero days.”
Zero-day attacks, by their very nature, will always have some success. Vendors are getting more responsive to them and often issuing patches on the fly. However, users still have to apply those patches for them to have any impact. Auto-update is a key part of that process that removes the need for a user to take specific action to patch their device and its software.
If enterprise IT departments are now delaying those patches, they are becoming part of the security problem, not the solution. It’s time for organisations to deal with their patch lag problem.
