{"id":17427,"date":"2020-01-14T06:30:04","date_gmt":"2020-01-14T14:30:04","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2020\/01\/14\/news-11163\/"},"modified":"2020-01-14T06:30:04","modified_gmt":"2020-01-14T14:30:04","slug":"news-11163","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2020\/01\/14\/news-11163\/","title":{"rendered":"Today&#039;s Patch Tuesday brings fireworks and \u2014 a magic bullet?"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2017\/09\/windows_patch_security14-100734743-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Woody Leonhard| Date: Tue, 14 Jan 2020 05:48:00 -0800<\/strong><\/p>\n<p><span style=\"font-weight: 400;\">Over the past few years we\u2019ve seen a few security holes that have drawn Chicken Little warnings and vast amounts of unthinking press reports. When you turn on a local news program and hear from the hometown weather reporter that you really need to get Windows patched, a bit of skepticism might be in order.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Today\u2019s Patch Tuesday appears to be headed down the same well-worn chute.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Brian Krebs, the security guru with impeccable credentials, fired an opening salvo in his <\/span><a href=\"https:\/\/krebsonsecurity.com\/2020\/01\/cryptic-rumblings-ahead-of-first-2020-patch-tuesday\/\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">blog post yesterday<\/span><\/a><span style=\"font-weight: 400;\">:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Sources tell KrebsOnSecurity that Microsoft Corp. is slated to release a software update on Tuesday to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. Those sources say Microsoft has quietly shipped a patch for the bug to branches of the U.S. 
military and to other high-value customers\/targets that manage key Internet infrastructure, and that those organizations have been asked to sign agreements preventing them from disclosing details of the flaw prior to Jan. 14, the first Patch Tuesday of 2020.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">On the one side, we have Will Dormann, a highly respected analyst at the federal CERT Coordination Center, <\/span><a href=\"https:\/\/twitter.com\/wdormann\/status\/1216763957446422528\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">who tweeted<\/span><\/a><span style=\"font-weight: 400;\">:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">I get the impression that people should perhaps pay very close attention to installing tomorrow&#8217;s Microsoft Patch Tuesday updates in a timely manner. Even more so than others. I don&#8217;t know&#8230; just call it a hunch? \u00af_(\u30c4)_\/\u00af<\/span><\/p>\n<p><span style=\"font-weight: 400;\">On the other hand we have Kevin Beaumont, my favorite plucky porg down in the trenches, <\/span><a href=\"https:\/\/twitter.com\/GossiTheDog\/status\/1216852150262910977?s=09\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">who says<\/span><\/a><span style=\"font-weight: 400;\">, simply:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Don\u2019t panic re this one.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">A bit of histrionic history here.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Back on Monday\u00a0\u2014 not Tuesday, mind you, but Monday\u00a0\u2014 Sept. 
23, Microsoft released a highly publicized <\/span><a href=\"https:\/\/www.computerworld.com\/article\/3440523\/what-do-we-know-about-the-big-scary-exploited-emergency-patched-ie-security-hole-cve-2019-1367.html\" rel=\"noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">out-of-band patch<\/span><\/a><span style=\"font-weight: 400;\"> for an \u201cexploited\u201d Internet Explorer 0day known as CVE-2019-1367. The fix was so badly botched that Microsoft ended up releasing four separate fixes for it, over the course of three weeks, and many (millions?) of Windows customers got caught up in the bugs. The security hole itself? It never amounted to a hill of beans.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In November we got a <\/span><a href=\"https:\/\/www.computerworld.com\/article\/3453322\/patch-tuesday-arrives-with-access-error-1909-in-tow-and-a-promise-of-no-more-optional-patches-this.html\" rel=\"noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">similar treatment<\/span><\/a><span style=\"font-weight: 400;\"> for\u00a0 CVE-2019-1429, a scary \u201cexploited\u201d monster that never materialized. In December, <\/span><a href=\"https:\/\/www.computerworld.com\/article\/3489042\/patch-tuesday-brings-a-reprise-of-the-autopilot-debacle-now-quashed-and-another-win7-nag.html\" rel=\"noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">it was <\/span><\/a><span style=\"font-weight: 400;\">\u00a0CVE-2019-1458, which has since sunk into obscurity. Back in September, we had emergency warnings about two \u201cexploited\u201d security holes, CVE-2019-1214 and CVE-2019-1215. 
A few days later, without any announcement, Microsoft <\/span><a href=\"https:\/\/www.computerworld.com\/article\/3216425\/microsoft-patch-alert-december-patches-hang-win7-pro-endpoints-and-force-server-2012-reboots.html?page=4\" rel=\"noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">removed the \u201cexploited\u201d designation<\/span><\/a><span style=\"font-weight: 400;\">.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Then there was the DejaBlue fiasco. Beaumont, who named the security hole and <\/span><a href=\"https:\/\/opensecurity.global\/forums\/topic\/145-dejablue-multiple-pre-auth-rce-vulnerabilities-in-rdp-in-every-version-of-windows-including-modern-windows\/\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">followed it closely<\/span><\/a><span style=\"font-weight: 400;\">, never found a real-world working exploit (although there were several in-the-lab, proof of concept, sorta exploits).<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Granted, there have been significant security holes announced with full fanfare, including their own dedicated websites and logos. The most recent real threat came in the form of BlueKeep, announced and patched in May, which actually had a working exploit that appeared <\/span><a href=\"https:\/\/www.computerworld.com\/article\/3436857\/heads-up-a-free-working-exploit-for-bluekeep-just-hit.html\" rel=\"noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">in September<\/span><\/a><span style=\"font-weight: 400;\">. Even the NSA <\/span><a href=\"https:\/\/www.nsa.gov\/News-Features\/News-Stories\/Article-View\/Article\/1865726\/nsa-cybersecurity-advisory-patch-remote-desktop-services-on-legacy-versions-of\/\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">warned about it<\/span><\/a><span style=\"font-weight: 400;\">. You had four months or so to get patched. 
(Full disclosure: I <\/span><a href=\"https:\/\/www.computerworld.com\/article\/3395538\/if-youre-running-windows-xp-7-or-associated-servers-patch-them.html\" rel=\"noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">joined the Chicken Little crowd<\/span><\/a><span style=\"font-weight: 400;\"> and recommended early patching for BlueKeep, when it wasn\u2019t necessary.)<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Many patch-it-now hardliners hearken back to WannaCry, which cut a wide swath back in May, 2017. With its origins in NSA-written hacking code, WannaCry did <\/span><a href=\"https:\/\/www.computerworld.com\/article\/3196673\/faq-are-you-in-danger-from-the-wannacrypt-ransomware.html\" rel=\"noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">pose a significant threat<\/span><\/a><span style=\"font-weight: 400;\">, but Microsoft had already released its WannaCry patch, MS17-010, two months before WannaCry appeared.\u00a0\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">I\u2019m not saying that you need to put on rose-colored glasses and \u201cla-la-la\u201d your way through today\u2019s Patch Tuesday shenanigans. But I am saying that a certain amount of restraint could go a long way\u00a0\u2014 especially given Microsoft\u2019s track record for botched Patch Tuesdays.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Join us for a ringside seat as the patches (and problems!) 
roll out, <\/span><a href=\"https:\/\/www.askwoody.com\/2020\/january-2020-patch-tuesday-running-commentary-from-the-skeptics-corner\/\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">on AskWoody.com<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3513901\/todays-patch-tuesday-brings-fireworks-and-a-magic-bullet.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2017\/09\/windows_patch_security14-100734743-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Woody Leonhard| Date: Tue, 14 Jan 2020 05:48:00 -0800<\/strong><\/p>\n<article>\n<section class=\"page\">\n<p><span style=\"font-weight: 400;\">Over the past few years we\u2019ve seen a few security holes that have drawn Chicken Little warnings and vast amounts of unthinking press reports. 
When you turn on a local news program and hear from the hometown weather reporter that you really need to get Windows patched, a bit of skepticism might be in order.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Today\u2019s Patch Tuesday appears to be headed down the same well-worn chute.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Brian Krebs, the security guru with impeccable credentials, fired an opening salvo in his <\/span><a href=\"https:\/\/krebsonsecurity.com\/2020\/01\/cryptic-rumblings-ahead-of-first-2020-patch-tuesday\/\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">blog post yesterday<\/span><\/a><span style=\"font-weight: 400;\">:<\/span><\/p>\n<p class=\"jumpTag\"><a href=\"\/article\/3513901\/todays-patch-tuesday-brings-fireworks-and-a-magic-bullet.html#jump\">To read this article in full, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[10516,714,10525],"class_list":["post-17427","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-microsoft","tag-security","tag-windows"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17427","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=17427"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/
index.php\/wp-json\/wp\/v2\/posts\/17427\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=17427"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=17427"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=17427"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}