After cancelling its regular “Patch Tuesday” bundle of security updates last week due to an issue found at the last minute, Microsoft belatedly released security patches for critical vulnerabilities in Adobe Flash Player yesterday for users of Internet Explorer on Windows 8.1 and later, and Edge on Windows 10.
That was an unexpected treat, as it had been thought Microsoft would wait until the next scheduled update on Tuesday, March 14, 2017. Users’ PCs can now pull down the patches via the regular Windows Update process.
The released patches do not include fixes for two known zero-day vulnerabilities in Microsoft’s code.
Exploit code for a vulnerability in how Windows handles SMB traffic has been published on GitHub, and could allow a remote unauthenticated attacker to launch a denial-of-service attack against a vulnerable system.
The other security hole in Microsoft’s code was controversially made public by Google last week, despite the chocolate factory knowing that Microsoft’s customers did not yet have any protection in place.
Microsoft’s delivery of fixes on Patch Tuesday has been impressively reliable over the years, and as far as I recall this is the first time ever that they have missed the date.
Let’s hope that the remaining security vulnerabilities are fixed quickly, and malicious attackers do not attempt to exploit the flaws widely before patches are released.
4 comments on “Good news and bad news on the Microsoft patch front”
There's a great article on Sophos Naked Security which explains how the vulnerability disclosure works – Google have the LEAST aggressive disclosure policy:
"Google works to three timescales: the 90-day rule applied to the latest vulnerability, which drops to 60 days if the flaw is rated critical, and seven days if it is being exploited."
"US CERT/CC works to an even more aggressive 45-day policy, Yahoo 90 days, while TippingPoint’s old Zero Day Initiative (ZDI) assumed 120 days. Arguably, by this measure, Google is being overly generous."
That's all well and good – so Google are the lesser of the 2 evils. But for a company whose motto is "do no evil", why do they put helpless users at risk just to say "look how clever we are" and score political points over Microsoft? Sure they've given Microsoft plenty of notice, but releasing full info whilst knowing that users have no protection available is hardly 'doing no evil'. Surely a responsible company that actually gave a damn about the people from whom they make money would at least wait until a patch was available before announcing all the gory details and basking in the glory they feel is due to them?
Their old motto has been dropped Paul* by their parent company. Even though it still appears in official Google documents their founder has admitted on previous occasions it's no longer practicable for Google itself based on the size of the company and their commercial data monitoring activities.
Don't for one second kid yourself into believing that the bad guys didn't already know about these vulnerabilities. Microsoft delayed one of the patches for reasons of 'convenience'. They wanted to keep things tidy by releasing it within another patch pack instead of pushing it out as a critical security update.
If companies like Microsoft adopt a blasé and arrogant attitude towards user security then they deserve to be publicly disgraced. Google aren't perfect either.
Just remember this: if public disclosures didn't exist then we'd all be much less secure because vendors only pull their finger out when they know there's bad publicity around the corner.
20+ years for one still unfixed vulnerability (that they've refused to patch) is unconscionable and I don't accept your view that keeping things hidden is better.
Sunlight is the best disinfectant.
Microsoft & Google can suck my balls. Linux is so much better for security and they won't smile & laugh behind your back.