Manage Learn to apply best practices and optimize your operations.

When should a virtual patch be used?

Learn how virtual patches can help administrators review, test and schedule official patch updates and find out about the benefits a virtual patch provides, such as protection against identified vulnerabilities.

In what situations is a virtual patch appropriate, and is it a safe, recommended way to get an immediate fix for an emerging flaw?
Patch management is certainly the bane of most network administrators' workload. They have to balance securing the system with making sure they don't break it. When a security patch is issued, it can be a stressful time waiting for a maintenance window to install the fix. The business is at risk of attack and the hackers have all the information they need to break in. Many organizations find they can't patch their systems at the rate new vulnerabilities are discovered. At best, it is a painful process, disrupting day-to-day business and requiring additional time and resources for testing and deployment.

A virtual patch gives administrators the option of being able to review, test and schedule official patch updates without leaving the system at risk in the intervening period. Unlike traditional patching, it allows an application to be patched without touching it or its libraries, the operating system or even the system it is running on. Virtual patching aims to fix a problem by altering or eliminating the vulnerability by controlling either the inputs into or outputs from the application.

A common method of implementing a virtual patch is to place some type of a proxy or in-line packet manipulator in front of the application to control the inputs or outputs from the application, preventing or eliminating the dangerous behavior until the actual source code can be updated or fixed. An alternative approach is to change the application's runtime code, but this can introduce new risks or problems.

A benefit of virtual patching is that it can be crafted based solely on known safe behavior for an application. This kind of setting is really useful in those cases when nothing it known about how the actual attack works, such as when vendors are reluctant to discuss the specific nature of a particular threat. You can create virtual patches that both prevent the attack, as well as implement rules that define trusted behavior, thereby adding an extra layer of security. For example, an output patch could prevent an application from exposing sensitive information by dropping the connection or by allowing it to only output certain content.

There is no doubt that a virtual patch is an extremely valuable technique that can be used to provide immediate protection against identified vulnerabilities. To make the most of this patching approach, you need to stay up to date with vendor or public vulnerability disclosures and conduct your own code reviews and vulnerability assessments. Of course, if you actually suffer a security incident, virtual patching can prove to be invaluable as you have to respond to such an event immediately. Virtual patching, however, is not an alternative to patching. You will still have to deploy them whenever possible and practical, but it can provide reliable protection in the interim. Although it's probably not realistic to implement virtual patching across a large deployment of desktops, servers and data centers can certainly benefit from the quick fix it can provide.
This was last published in February 2009

Dig Deeper on Microsoft Patch Tuesday and patch management