{"id":17597,"date":"2020-01-30T10:30:05","date_gmt":"2020-01-30T18:30:05","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2020\/01\/30\/news-11332\/"},"modified":"2020-01-30T10:30:05","modified_gmt":"2020-01-30T18:30:05","slug":"news-11332","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2020\/01\/30\/news-11332\/","title":{"rendered":"The perils of shouting &#039;fire&#039; in a crowd of PC patchers"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2020\/01\/cw_forest_fire_at_night_by_byronsdad_gettyimages-157478613-100827775-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Woody Leonhard| Date: Thu, 30 Jan 2020 10:14:00 -0800<\/strong><\/p>\n<p><span style=\"font-weight: 400;\">Time and again we see the same drama play out. Microsoft releases a security patch and scary warnings appear from every corner. When your local news broadcast tells you that you better patch Windows <\/span><strong><i>right now<\/i><\/strong><span style=\"font-weight: 400;\">\u2026, more temperate advice should prevail.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">A little over two weeks ago, on Patch Tuesday, Microsoft released a patch for a security hole known as\u00a0 CVE-2020-0601 \u2013 the Crypt32.dll vulnerability also called\u00a0<\/span><a href=\"https:\/\/www.computerworld.com\/article\/3514350\/patch-tuesday-aftermath-the-nsa-crypt32-threat-is-real-but-not-yet-imminent.html\"><span style=\"font-weight: 400;\">ChainOfFools or CurveBall<\/span><\/a><span style=\"font-weight: 400;\">.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The claxons screamed. In a first, even the U.S. 
National Security Agency got into the act, first by staking an unprecedented claim on the security hole\u2019s genesis, and then by issuing the first-ever NSA Cybersecurity Advisory (<\/span><a href=\"https:\/\/media.defense.gov\/2020\/Jan\/14\/2002234275\/-1\/-1\/0\/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF\" rel=\"nofollow\"><span style=\"font-weight: 400;\">PDF<\/span><\/a><span style=\"font-weight: 400;\">) warning folks to duck and cover:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">NSA recommends installing all January 2020 Patch Tuesday patches as soon as possible to effectively mitigate the vulnerability on all Windows 10 and Windows Server 2016\/2019 systems.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Of course, every news outlet in the world picked it up. What news editor could avoid echoing an NSA pronouncement, for heaven\u2019s sake, even if it involves Elliptic Curve Cryptography certificates, whatever those are? My son\u2019s precocious nine-year-old friend asked me if I\u2019d installed the patch \u2013 then scolded me (in the nicest possible way) when I scoffed.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable. The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">To be fair, Microsoft didn\u2019t take up NSA\u2019s sky-is-falling routine. 
The <\/span><a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2020-0601\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">CVE-2020-0601 warning<\/span><\/a><span style=\"font-weight: 400;\"> says now, as it said then, that this is a not-publicly-disclosed, not-exploited vulnerability with an \u201cImportant\u201d (which is lower than a \u201cCritical\u201d) <\/span><a href=\"https:\/\/isc.sans.edu\/forums\/diary\/Microsoft+Patch+Tuesday+for+January+2020\/25710\/\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">severity rating<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">That didn\u2019t stop the pandits or pundits from recommending that you drop everything and get the Patch Tuesday patches installed.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">It\u2019s hardly an isolated incident:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">That\u2019s just the past five months. Go back farther and you see the same pattern repeated: Patch gets released. Security folks cry \u201cWolf!\u201d Knowledgeable experts expound. News outlets, industry blogosphere, popular magazines, local TV newscasters and your car mechanic\u2019s brother-in-law parrot the battle cry. People applying patches get embroiled in a tizzy\u2026 and no significant attack ever appears.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">That said, there certainly <\/span><strong><i>are <\/i><\/strong><span style=\"font-weight: 400;\">legitimate \u201cget-patched\u201d cries. The BlueKeep security hole in Microsoft Remote Desktop was fixed in <\/span><a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2019-0708\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">CVE-2019-0708<\/span><\/a><span style=\"font-weight: 400;\">, released in May 2019. 
That patch fixed a vulnerability that was finally exploited (but <\/span><a href=\"https:\/\/www.microsoft.com\/security\/blog\/2019\/11\/07\/the-new-cve-2019-0708-rdp-exploit-attacks-explained\/\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">not very successfully<\/span><\/a><span style=\"font-weight: 400;\">) in the wild in November. The daddy of them all, WannaCry, started spreading in May 2017 (thank you, NSA), although it had been patched by <\/span><a href=\"https:\/\/docs.microsoft.com\/en-us\/security-updates\/securitybulletins\/2017\/ms17-010\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">MS17-010 in March<\/span><\/a><span style=\"font-weight: 400;\">.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Viewed from 30,000 feet, the repeat behavior would seem comical \u2013 what\u2019s <\/span><a href=\"https:\/\/www.businessinsider.com\/misattributed-quotes-2013-10\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">that quote about <\/span><\/a><span style=\"font-weight: 400;\">doing the same thing over and over and expecting different results? But it masks two very important, deleterious consequences of crying \u201cWolf!\u201d<\/span><\/p>\n<p><strong>1. Lots of people get stampeded into applying buggy patches.<\/strong> <i><span style=\"font-weight: 400;\">\u00a0<\/span><\/i><span style=\"font-weight: 400;\">I know that some of you feel that the quality of Microsoft\u2019s Windows patching is pretty good, and that it\u2019s getting better. To my mind, recent observations don\u2019t support that conclusion. 
Take a look at this ongoing <\/span><a href=\"https:\/\/www.computerworld.com\/article\/3216425\/microsoft-patch-alert-january-2020-patches-look-relatively-benign.html\"><span style=\"font-weight: 400;\">list of bad patches <\/span><\/a><span style=\"font-weight: 400;\">and their consequences, going back two and a half years.<\/span><\/p>\n<p><strong>2. Organizations put off patching important holes when they\u2019re distracted by these howlers.<\/strong><span style=\"font-weight: 400;\"> So the CEO or CIO or CFO or some other exec hears about a horrible new security hole, and the people in charge of patching are cowed into fixing the high-profile problems first. Heck, if the NSA or the US Department of Homeland Security issues an alert, it\u2019s gotta be a big, spooky problem, right? Well, no. In the past few weeks, several organizations have responded to the perceived threat to get the ChainOfFools\/CurveBall security hole plugged, when their time would&#8217;ve been much better spent on more important patches for, <\/span><i><span style=\"font-weight: 400;\">i.a.<\/span><\/i><span style=\"font-weight: 400;\">, <\/span><a href=\"https:\/\/www.computerworld.com\/article\/3515046\/dont-worry-about-curveball-just-yet-get-your-citrix-systems-patched.html\"><span style=\"font-weight: 400;\">Citrix network apps<\/span><\/a><span style=\"font-weight: 400;\"> and <\/span><a href=\"https:\/\/www.us-cert.gov\/ncas\/alerts\/aa20-010a\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">Pulse Secure VPN<\/span><\/a><span style=\"font-weight: 400;\">.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The sky-is-falling organizations have their own priorities, their own chests to beat, their own products to peddle. 
What\u2019s good for them isn\u2019t necessarily good for you.<\/span><\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3518439\/the-perils-of-shouting-fire-in-a-crowd-of-pc-patchers.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2020\/01\/cw_forest_fire_at_night_by_byronsdad_gettyimages-157478613-100827775-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Woody Leonhard| Date: Thu, 30 Jan 2020 10:14:00 -0800<\/strong><\/p>\n<article>\n<section class=\"page\">\n<p><span style=\"font-weight: 400;\">Time and again we see the same drama play out. Microsoft releases a security patch and scary warnings appear from every corner. When your local news broadcast tells you that you better patch Windows <\/span><strong><i>right now<\/i><\/strong><span style=\"font-weight: 400;\">\u2026, more temperate advice should prevail.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">A little over two weeks ago, on Patch Tuesday, Microsoft released a patch for a security hole known as\u00a0 CVE-2020-0601 \u2013 the Crypt32.dll vulnerability also called\u00a0<\/span><a href=\"https:\/\/www.computerworld.com\/article\/3514350\/patch-tuesday-aftermath-the-nsa-crypt32-threat-is-real-but-not-yet-imminent.html\"><span style=\"font-weight: 400;\">ChainOfFools or CurveBall<\/span><\/a><span style=\"font-weight: 400;\">.\u00a0<\/span><\/p>\n<p class=\"jumpTag\"><a href=\"\/article\/3518439\/the-perils-of-shouting-fire-in-a-crowd-of-pc-patchers.html#jump\">To read this article in full, please click 
here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[10516,13764,714,10525],"class_list":["post-17597","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-microsoft","tag-pcs","tag-security","tag-windows"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17597","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=17597"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17597\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=17597"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=17597"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=17597"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}