Over the past few years we’ve seen a few security holes that have drawn Chicken Little warnings and vast amounts of unthinking press reports. When you turn on a local news program and hear from the hometown weather reporter that you really need to get Windows patched, a bit of skepticism might be in order.
Today’s Patch Tuesday appears to be headed down the same well-worn chute.
Brian Krebs, the security guru with impeccable credentials, fired an opening salvo in his blog post yesterday:
Sources tell KrebsOnSecurity that Microsoft Corp. is slated to release a software update on Tuesday to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. Those sources say Microsoft has quietly shipped a patch for the bug to branches of the U.S. military and to other high-value customers/targets that manage key Internet infrastructure, and that those organizations have been asked to sign agreements preventing them from disclosing details of the flaw prior to Jan. 14, the first Patch Tuesday of 2020.
On the one side, we have Will Dorman, a highly respected analyst at the federal CERT Coordination Center, who tweeted:
I get the impression that people should perhaps pay very close attention to installing tomorrow’s Microsoft Patch Tuesday updates in a timely manner. Even more so than others. I don’t know… just call it a hunch? ¯\_(ツ)_/¯
On the other hand we have Kevin Beaumont, my favorite plucky porg down in the trenches, who says, simply:
Don’t panic re this one.
A bit of histrionic history here.
Back on Monday — not Tuesday, mind you, but Monday — Sept. 23, Microsoft released a highly publicized out-of-band patch for an “exploited” Internet Explorer 0day known as CVE-2019-1367. The fix was so badly botched that Microsoft ended up releasing four separate fixes for it, over the course of three weeks, and many (millions?) of Windows customers got caught up in the bugs. The security hole itself? It never amounted to a hill of beans.
In November we got a similar treatment for CVE-2019-1429, a scary “exploited” monster that never materialized. In December, it was CVE-2019-1458, which has since sunk into obscurity. Back in September, we had emergency warnings about two “exploited” security holes, CVE-2019-1214 and CVE-2019-1215. A few days later, without any announcement, Microsoft removed the “exploited” designation.
Then there was the DejaBlue fiasco. Beaumont, who named the security hole and followed it closely, never found a real-world working exploit (although there were several in-the-lab, proof of concept, sorta exploits).
Granted, there have been significant security holes announced with full fanfare, including their own dedicated websites and logos. The most recent real threat came in the form of BlueKeep, announced and patched in May, which actually had a working exploit that appeared in September. Even the NSA warned about it. You had four months or so to get patched. (Full disclosure: I joined the Chicken Little crowd and recommended early patching for BlueKeep, when it wasn’t necessary.)
Many patch-it-now hardliners hearken back to WannaCry, which cut a wide swath back in May, 2017. With its origins in NSA-written hacking code, WannaCry did pose a significant threat, but Microsoft had already released its WannaCry patch, MS17-010, two months before WannaCry appeared.
I’m not saying that you need to put on rose-colored glasses and “la-la-la” your way through today’s Patch Tuesday shenanigans. But I am saying that a certain amount of restraint could go a long way — especially given Microsoft’s track record for botched Patch Tuesdays.
Join us for a ringside seat as the patches (and problems!) roll out, on AskWoody.com.
