Good news and bad news on the Microsoft patch front

Microsoft has *some* patches for you.

Graham Cluley


Good news.

After postponing its regular “Patch Tuesday” bundle of security updates last week because of an issue found at the last minute, Microsoft belatedly released security patches yesterday for critical vulnerabilities in Adobe Flash Player, for users of Internet Explorer on Windows 8.1 and later, and of Edge on Windows 10.

That was an unexpected treat, as it had been thought Microsoft would wait until the next scheduled update on Tuesday, March 14, 2017. Users’ PCs can now pull down the patches via the regular Windows Update process.


Bad news.

The released patches do not include fixes for two known zero-day vulnerabilities in Microsoft’s code.

Exploit code for a vulnerability in how Windows handles SMB traffic has been published on GitHub, and could allow a remote unauthenticated attacker to launch a denial-of-service attack against a vulnerable system.

The other security hole in Microsoft’s code was controversially made public by Google last week, despite the chocolate factory knowing that Microsoft’s customers did not yet have any protection in place.

Microsoft’s delivery of fixes on Patch Tuesday has been impressively reliable over the years, and as far as I recall this is the first time ever that they have missed the date.

Let’s hope that the remaining security vulnerabilities are fixed quickly, and malicious attackers do not attempt to exploit the flaws widely before patches are released.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

4 comments on “Good news and bad news on the Microsoft patch front”

  1. Bob

    There's a great article on Sophos Naked Security which explains how the vulnerability disclosure works – Google have the LEAST aggressive disclosure policy:

    TL;DR

    "Google works to three timescales: the 90-day rule applied to the latest vulnerability, which drops to 60 days if the flaw is rated critical, and seven days if it is being exploited."

    "US CERT/CC works to an even more aggressive 45-day policy, Yahoo 90 days, while TippingPoint’s old Zero Day Initiative (ZDI) assumed 120 days. Arguably, by this measure, Google is being overly generous."

    https://nakedsecurity.sophos.com/2017/02/22/google-outs-windows-flaw-after-microsoft-misses-a-patch-deadline/

    1. Paul · in reply to Bob

      That's all well and good – so Google are the lesser of the 2 evils. But for a company whose motto is "do no evil", why do they put helpless users at risk just to say "look how clever we are" and score political points over Microsoft? Sure they've given Microsoft plenty of notice, but releasing full info whilst knowing that users have no protection available is hardly 'doing no evil'. Surely a responsible company that actually gave a damn about the people from whom they make money would at least wait until a patch was available before announcing all the gory details and basking in the glory they feel is due to them?

      1. Bob · in reply to Paul

        Their old motto has been dropped Paul* by their parent company. Even though it still appears in official Google documents their founder has admitted on previous occasions it's no longer practicable for Google itself based on the size of the company and their commercial data monitoring activities.

        Don't for one second kid yourself into believing that the bad guys didn't already know about these vulnerabilities. Microsoft delayed one of the patches for reasons of 'convenience'. They wanted to keep things tidy by releasing it within another patch pack instead of pushing it out as a critical security update.

        If companies like Microsoft adopt a blasé and arrogant attitude towards user security then they deserve to be publicly disgraced. Google aren't perfect either.

        Just remember this: if public disclosures didn't exist then we'd all be much less secure because vendors only pull their finger out when they know there's bad publicity around the corner.

        20+ years for one still unfixed vulnerability (that they've refused to patch) is unconscionable and I don't accept your view that keeping things hidden is better.

        Sunlight is the best disinfectant.

        *http://time.com/4060575/alphabet-google-dont-be-evil/

  2. Tom

    Microsoft & Google can suck my balls. Linux is so much better for security and they won't smile & laugh behind your back.
