In recent years, we have seen a number of security holes that generated Chicken Little warnings and large amounts of thoughtless press coverage. When you turn on a local news program and hear your city's weather reporter telling you that you really need to patch Windows, some skepticism may be in order.
Today's Patch Tuesday patches seem to be headed down the same well-worn ramp.
Brian Krebs, the security guru with impeccable credentials, fired an opening salvo in his blog post yesterday:
Sources tell KrebsOnSecurity that Microsoft Corp. will release a software update on Tuesday to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. Those sources say that Microsoft has quietly sent a patch for the bug to branches of the U.S. military and to other high-value customers/targets that manage key Internet infrastructure, and that these organizations have been asked to sign agreements preventing them from revealing details of the flaw before January 14, the first Patch Tuesday of 2020.
On the one hand, we have Will Dormann, a highly respected analyst at the federal CERT Coordination Center, who tweeted:
I have the impression that people should perhaps pay close attention to installing tomorrow's Microsoft Patch Tuesday updates in a timely manner. Even more so than usual. I don't know … just call it a hunch? ¯\_(ツ)_/¯
On the other hand, we have Kevin Beaumont, my brave porg in the trenches, who says, simply:
Don't panic about this.
A bit of histrionic history here.
On Monday, not Tuesday, but on Monday, September 23, Microsoft released a highly publicized out-of-band patch for an "exploited" Internet Explorer zero-day known as CVE-2019-1367. The fix was so bad that Microsoft ended up releasing four separate fixes for it over the course of three weeks, and many (millions?) of Windows customers were caught up in the bugs. The security hole itself? It never amounted to a hill of beans.
In November we had a similar treatment for CVE-2019-1429, a scary "exploited" monster that never materialized. In December it was CVE-2019-1458, which has since sunk into obscurity. In September, we received emergency warnings about two "exploited" security holes, CVE-2019-1214 and CVE-2019-1215. A few days later, without any announcement, Microsoft removed the "exploited" designation.
Then there was the DejaBlue fiasco. Beaumont, who named the security hole, followed it closely, and so did I; neither of us ever found a working exploit in the real world (although there were several proofs of concept in the lab, more or less exploits).
Of course, there have been important security holes announced with full fanfare, including their own dedicated websites and logos. The most recent real threat came in the form of BlueKeep, announced and patched in May, which actually had a working exploit that appeared in September. Even the NSA warned about it. You had four months or so to get patched. (Full disclosure: I joined the Chicken Little crowd and recommended early patching for BlueKeep, when it wasn't necessary.)
Many hard-line patchers now hark back to WannaCry, which cut a wide swath in May 2017. With its origins in hacking code written by the NSA, WannaCry did pose a significant threat, but Microsoft had already released its WannaCry patch, MS17-010, two months before WannaCry appeared.
I'm not saying you should put on rose-colored glasses and "la-la-la" your way through today's Patch Tuesday shenanigans. But I am saying that a certain amount of restraint could be very useful, especially given Microsoft's history of botched Patch Tuesdays.
Join us for a front row seat as patches unfold (and problems!), on AskWoody.com.
Copyright © 2020 IDG Communications, Inc.