{"id":6744,"date":"2017-02-22T10:30:23","date_gmt":"2017-02-22T18:30:23","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/02\/22\/news-535\/"},"modified":"2017-02-22T10:30:23","modified_gmt":"2017-02-22T18:30:23","slug":"news-535","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/02\/22\/news-535\/","title":{"rendered":"What\u2019s up with Windows patching, Microsoft?"},"content":{"rendered":"<p><img decoding=\"async\" src=\"http:\/\/zapt4.staticworld.net\/images\/article\/2016\/06\/windows-trouble-controversy-crash-problem-hacked-100667607-primary.idge.jpg\"\/><\/p>\n<p><strong>Credit to Author: Steven J. Vaughan-Nichols| Date: Wed, 22 Feb 2017 08:36:00 -0800<\/strong><\/p>\n<p>Well, here\u2019s something different. Microsoft, for the first time since it started its monthly <a href=\"http:\/\/www.zdnet.com\/article\/celebrating-10-years-of-patch-tuesday\/\">Patch Tuesdays in October 2003<\/a>, has completely blown a deadline. There will be no major patch release in February. Instead, the <a href=\"https:\/\/blogs.technet.microsoft.com\/msrc\/2017\/02\/14\/february-2017-security-update-release\/\">patch package will be released on March 14<\/a>.<\/p>\n<p>Why? We don\u2019t know and Microsoft isn\u2019t saying.<\/p>\n<p>Color me concerned.<\/p>\n<p>I have reason to be. Greg Lambert, chairman of <a href=\"http:\/\/www.qompat.com\/\">Qompat<\/a>, who <a href=\"http:\/\/www.computerworld.com\/author\/greg-lambert\/?nsdr=true\">covers software patches like paint<\/a>, had hoped <a href=\"http:\/\/www.computerworld.com\/article\/3170886\/security\/why-februarys-patch-tuesday-is-delayed.html#tk.twt_ctw\">Microsoft would delay the patches by only a week<\/a>. 
After all, Lambert observed, \u201cThis month\u2019s update cycle from Microsoft is especially important as a now critical zero-day vulnerability (<a href=\"https:\/\/www.kb.cert.org\/vuls\/id\/867968\">CVE867968<\/a>) has been reported related to how a component of the Microsoft SMB [Server Message Block] protocol handles traffic. This was initially reported as a denial of service attack, but now looks like to be rated as critical by Microsoft as it may lead to a more serious <a href=\"http:\/\/searchwindowsserver.techtarget.com\/definition\/remote-code-execution-RCE\">(RCE)<\/a> remote code execution scenario.\u201d<\/p>\n<p>And according to CERT, \u201c<a href=\"https:\/\/www.kb.cert.org\/vuls\/id\/867968\">Exploit code for this vulnerability is publicly available.<\/a>\u201d CERT\u2019s security pros also report that there is, by the by, no known fix for this.<\/p>\n<p>Oh, boy!<\/p>\n<p>So, here we have a known zero-day vulnerability with an exploit, and Microsoft is just twiddling its thumbs.<\/p>\n<p>Sure, I know that it\u2019s not as if this vulnerability opens you up to being attacked over the internet. Because your outbound SMB connections (TCP ports 139 and 445 along with UDP ports 137 and 138) are blocked on your firewall. Right?<\/p>\n<p>OK, now that you\u2019re back from checking on that, let me note that, inside your network, all it takes is one grumpy employee for your Windows infrastructure to be in for a world of hurt.<\/p>\n<p>So what could be happening that would make Microsoft delay such a critical fix? Even though there are separate patch trees for Windows 7 and 10, could something still zap both operating systems? History suggests it is more than possible. 
Although Microsoft insists that each new Windows version is much more secure than the previous one, many serious security bugs somehow smack the entire Windows family.<\/p>\n<p>But even given that history, Microsoft has been patching serious problems for years and it has never before told its users to wait an extra month for patches. So I don\u2019t think this is a run-of-the-mill problem.<\/p>\n<p>Chris Goettl, product manager at patch management vendor <a href=\"http:\/\/www.ivanti.com\/en-US\/\">Ivanti<\/a> (formerly Shavlik), guesses, \u201c<a href=\"http:\/\/www.computerworld.com\/article\/3170633\/microsoft-windows\/windows-update-issues-may-be-at-root-of-februarys-patch-delay.html\">Something is broken in the infrastructure<\/a>, in Windows Update or the [Microsoft Update] Catalog.\u201d<\/p>\n<p>There\u2019s searing logic in what Goettl says. No updates at all for an entire month even as a critical vulnerability is staring us in the face? Suspecting that something is deeply wrong with the update software itself makes a lot of sense. But it doesn\u2019t leave me feeling warm and secure about Windows.<\/p>\n<p>And you know, Microsoft has a <a href=\"http:\/\/www.infoworld.com\/article\/2889295\/microsoft-windows\/20-epic-microsoft-windows-auto-update-meltdowns.html\">lousy <\/a><a href=\"http:\/\/www.infoworld.com\/article\/2889295\/microsoft-windows\/20-epic-microsoft-windows-auto-update-meltdowns.html\">Windows updates<\/a>\u00a0<a href=\"http:\/\/www.infoworld.com\/article\/2889295\/microsoft-windows\/20-epic-microsoft-windows-auto-update-meltdowns.html\">record<\/a>. There was the Jet Database patch, which bricked Windows 2000; the .Net SP that knocked out Quicken in 2008 just before tax season; and the time Microsoft released six \u2014 <a href=\"http:\/\/www.infoworld.com\/article\/2612209\/microsoft-windows\/microsoft-botches-six-windows-patches-in-latest-automatic-update.html\">six! 
\u2014 bad patches<\/a> at once.<\/p>\n<p>Still, things were supposed to be better \u2014 no, really! \u2014 with <a href=\"http:\/\/www.computerworld.com\/article\/3123113\/windows-pcs\/impending-cumulative-updates-unnerve-windows-patch-experts.html\">cumulative updates for all versions of Windows<\/a>. With that move you could no longer get individual patches. Instead, Windows bundles all the patches together, <a href=\"http:\/\/www.computerworld.com\/article\/3121732\/security\/microsoft-wont-bundle-ie-patches-with-new-cumulative-updates-for-windows-7-and-81.html\">except for Edge and Internet Explorer<\/a>.<\/p>\n<p>This was to make everything better. And I guess it was, until it wasn\u2019t.<\/p>\n<p>A lot of us saw this coming. When cumulative updates were announced for Windows 7 and 8.x, Susan Bradley, who writes on Windows patching for the <a href=\"http:\/\/windowssecrets.com\/\">Windows Secrets<\/a> newsletter, worried, \u201cBottom line, everyone is holding their breath, hoping for the best, expecting the worst.\u201d<\/p>\n<p>Guess what: Microsoft missing an entire monthly patch cycle with a zero-day defect hanging over our heads counts as the worst.<\/p>\n<p><a href=\"http:\/\/www.computerworld.com\/article\/3173050\/microsoft-windows\/what-s-up-with-windows-patching-microsoft.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"http:\/\/zapt4.staticworld.net\/images\/article\/2016\/06\/windows-trouble-controversy-crash-problem-hacked-100667607-primary.idge.jpg\"\/><\/p>\n<p><strong>Credit to Author: Steven J. Vaughan-Nichols| Date: Wed, 22 Feb 2017 08:36:00 -0800<\/strong><\/p>\n<article>\n<section class=\"page\">\n<p>Well, here\u2019s something different. 
Microsoft, for the first time since it started its monthly <a href=\"http:\/\/www.zdnet.com\/article\/celebrating-10-years-of-patch-tuesday\/\">Patch Tuesdays in October 2003<\/a>, has completely blown a deadline. There will be no major patch release in February. Instead, the <a href=\"https:\/\/blogs.technet.microsoft.com\/msrc\/2017\/02\/14\/february-2017-security-update-release\/\">patch package will be released on March 14<\/a>.<\/p>\n<p>Why? We don\u2019t know and Microsoft isn\u2019t saying.<\/p>\n<p>Color me concerned.<\/p>\n<p>I have reason to be. Greg Lambert, chairman of <a href=\"http:\/\/www.qompat.com\/\">Qompat<\/a>, who <a href=\"http:\/\/www.computerworld.com\/author\/greg-lambert\/?nsdr=true\">covers software patches like paint<\/a>, had hoped <a href=\"http:\/\/www.computerworld.com\/article\/3170886\/security\/why-februarys-patch-tuesday-is-delayed.html#tk.twt_ctw\">Microsoft would delay the patches by only a week<\/a>. After all, Lambert observed, \u201cThis month\u2019s update cycle from Microsoft is especially important as a now critical zero-day vulnerability (<a href=\"https:\/\/www.kb.cert.org\/vuls\/id\/867968\">CVE867968<\/a>) has been reported related to how a component of the Microsoft SMB [Server Message Block] protocol handles traffic. 
This was initially reported as a denial of service attack, but now looks like to be rated as critical by Microsoft as it may lead to a more serious <a href=\"http:\/\/searchwindowsserver.techtarget.com\/definition\/remote-code-execution-RCE\">(RCE)<\/a> remote code execution scenario.\u201d<\/p>\n<p class=\"jumpTag\"><a href=\"\/article\/3173050\/microsoft-windows\/what-s-up-with-windows-patching-microsoft.html#jump\">To read this article in full or to leave a comment, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[11073,714,10761],"class_list":["post-6744","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-malware-vulnerabilities","tag-security","tag-windows-10"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6744","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6744"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6744\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6744"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6744"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.ph
p\/wp-json\/wp\/v2\/tags?post=6744"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}