Microsoft issues security patches for 31 separate vulnerabilities

Critical bugs fixed, but Badlock fails to live up to the hype.

It was the second Tuesday of the month yesterday, and you know what that means… Patch Tuesday!

Microsoft has issued a bundle of security bulletins, detailing fixes for 31 vulnerabilities, including critical remote code execution flaws in Internet Explorer and Microsoft Edge.

And this Patch Tuesday update includes a fix for the Badlock bug – a vulnerability that was pre-announced three weeks ago, with a cutesy name, its own website and (of course) logo.

Initially the Badlock website arguably scared the willies out of sysadmins, just saying there was a “crucial security bug in Windows and Samba” and that affected systems should be updated when the fix was released on April 12.

After online criticism, the site defended its pre-announcement and its “marketing” of the vulnerability:

Why announce Badlock before April 12th, 2016?

The main goal of this announcement is to give a heads up and to get you ready to patch all systems as fast as possible and have sysadmin resources available on the day the patch will be released. Vendors and distributors of Samba are being informed before a security fix is released in any case. This is part of any Samba security release process.

Weighting to the respective interests of advance warning and utmost secrecy we chose to warn you beforehand, so that everyone has a chance to be ready to install the fixes as soon as they are available. Once the patch is released to the public, it will point to attack vectors and exploits will be in the wild in no time.

Yet Another Bug With A Logo?

What branded bugs are able to achieve is best said with one word: Awareness. Furthermore names for bugs can serve as unique identifiers, other than different CVE/MS bug IDs.

It is a thin line between drawing attention to a severe vulnerability that should be taken seriously and overhyping it. This process didn’t start with the branding – it started a while ago with everyone working on fixes.

Despite the hoopla, however, it doesn’t appear that Badlock is the most serious of the flaws to be fixed by Microsoft this month. In fact, some have dubbed the man-in-the-middle attack “Sadlock” because it fails to live up to its hype.

Yes, you should patch affected systems against Badlock, but many will find other vulnerabilities inside Microsoft’s Patch Tuesday bundle that are a higher priority.

For most computer users, a bigger risk than Badlock comes from the flaws that allow attackers to remotely execute malicious code on your computer through boobytrapped webpages and Word documents.

For more details, read Microsoft’s advisory and make sure that your computer is running the latest security patches.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast.

4 comments on “Microsoft issues security patches for 31 separate vulnerabilities”

  1. mickthebrick

    1. I haven't accepted any Windows Updates for over a year.
    2. I don't use Microsoft Office; I use LibreOffice.
    3. I have not encountered any problems / "security issues" and I am no longer inconvenienced.

    1. coyote · in reply to mickthebrick

      Fact of computer security: many hosts that are compromised are oblivious to the fact.

      Want a funny example? I had a friend years ago (and I remember when he did this) who made the file server of a specific (which I will not name) security company open to everyone. It was unknown for >= 10 years.

      And Microsoft Office versus Libre is only going to matter for vulnerabilities specifically targeting Microsoft Office documents.

      Eventually your poor practises will bite you but the wound might not even be known to you. I have many examples including government hosts trying to use my primary mail server to relay spam. I know many other admins also have plenty of examples. But I suppose this is all beyond your comprehension – for better or for worse.

    2. BowDowntoZod · in reply to mickthebrick

      Give us your IP and we'll show you how you can be inconvenienced!

  2. coyote

    Martijn certainly has a point but it's still (and I know he knows this) worth remembering that MiTM attacks are quite serious.

    But rather than call this sadlock why not call it gladlock since it's not as serious as was suggested?
