A new global survey of over 300 CIOs, CSOs, IT managers and network administrators found that 45 percent of respondents thought using a third-party patch was acceptable if an official one was unavailable and a zero-day exploit threatened their systems. It was a different story in the U.K., where only 31 percent would use third-party patches to protect against zero-day threats.
The study, commissioned by patch management company PatchLink, found that only 13 percent of organizations deployed the unofficial third-party patch when the Microsoft WMF exploit surfaced last January. More than one in five organizations (21 percent) waited to apply the early release of the Microsoft patch.
The survey showed nearly three-quarters of IT professionals (74 percent) thought patch cycles, such as the Microsoft Patch Tuesday, improved their overall security patching process. Forty-two percent saw the improvement as reducing time spent on patching and 18 percent believed they were able to reduce the number of employees assigned to patching.
However, more than 50 percent of IT administrators wanted vendors to take a more flexible approach and release patches for zero-day exploits as soon as possible while maintaining a monthly patch release date for unexploited vulnerabilities.
When it came to web-based applications and browser vulnerabilities, IT professionals felt increased pressure to deploy patches on tight deadlines, with 65 percent having to agree on internal deadlines for non-critical patch deployment. The survey found that nine percent of organizations had to deploy newly released patches within 72 hours of release. Twenty-two percent set a time frame of two to five days, 30 percent defined a rollout time frame of one to eight weeks, and 3 percent aimed to deploy their patches within two months.
Alan Bentley of PatchLink EMEA said that zero-day threats ranked as the biggest challenge facing the patching process.
"The survey shows customers are taking a more proactive approach to effectively defending their networks against zero-day exploits through process and prioritization," he said.