The perils of shouting 'fire' in a crowd of PC patchers
Credit to Author: Woody Leonhard | Date: Thu, 30 Jan 2020 10:14:00 -0800
Time and again we see the same drama play out. Microsoft releases a security patch and scary warnings appear from every corner. When your local news broadcast tells you that you had better patch Windows right now, more temperate advice should prevail.
A little over two weeks ago, on Patch Tuesday, Microsoft released a patch for a security hole known as CVE-2020-0601 – the Crypt32.dll vulnerability also called ChainOfFools or CurveBall.
The klaxons screamed. In a first, even the U.S. National Security Agency got into the act, staking an unprecedented claim on the security hole’s genesis and then issuing the first-ever NSA Cybersecurity Advisory (PDF) warning folks to duck and cover:
NSA recommends installing all January 2020 Patch Tuesday patches as soon as possible to effectively mitigate the vulnerability on all Windows 10 and Windows Server 2016/2019 systems.
Of course, every news outlet in the world picked it up. What news editor could avoid echoing an NSA pronouncement, for heaven’s sake, even if it involves Elliptic Curve Cryptography certificates, whatever those are? My son’s precocious nine-year-old friend asked me if I’d installed the patch – then scolded me (in the nicest possible way) when I scoffed.
NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable. The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available.
To be fair, Microsoft didn’t take up NSA’s sky-is-falling routine. Microsoft’s CVE-2020-0601 advisory says now, as it said then, that the vulnerability was not publicly disclosed and not exploited, and it carries an “Important” severity rating (one step below “Critical”).
That didn’t stop the pandits or pundits from recommending that you drop everything and get the Patch Tuesday patches installed.
It’s hardly an isolated incident:
That’s just the past five months. Go back farther and you see the same pattern repeated: Patch gets released. Security folks cry “Wolf!” Knowledgeable experts expound. News outlets, industry blogosphere, popular magazines, local TV newscasters and your car mechanic’s brother-in-law parrot the battle cry. People applying patches get embroiled in a tizzy… and no significant attack ever appears.
That said, there certainly are legitimate “get-patched” cries. The BlueKeep security hole in Microsoft Remote Desktop, CVE-2019-0708, was fixed by a patch released in May 2019. That patch closed a vulnerability that was finally exploited (but not very successfully) in the wild in November. The daddy of them all, WannaCry, started spreading in May 2017 (thank you, NSA), although the hole it exploited had been patched by MS17-010 in March.
Viewed from 30,000 feet, the repeat behavior would seem comical – what’s that quote about doing the same thing over and over and expecting different results? But it masks two very important, deleterious consequences of crying “Wolf!”
1. Lots of people get stampeded into applying buggy patches. I know that some of you feel that the quality of Microsoft’s Windows patching is pretty good, and that it’s getting better. To my mind, recent observations don’t support that conclusion. Take a look at this ongoing list of bad patches and their consequences, going back two and a half years.
2. Organizations put off patching important holes when they’re distracted by these howlers. So the CEO or CIO or CFO or some other exec hears about a horrible new security hole, and the people in charge of patching are cowed into fixing the high-profile problems first. Heck, if the NSA or the US Department of Homeland Security issues an alert, it’s gotta be a big, spooky problem, right? Well, no. In the past few weeks, several organizations have responded to the perceived threat by rushing to get the ChainOfFools/CurveBall security hole plugged, when their time would’ve been much better spent on more important patches for, i.a., Citrix network apps and Pulse Secure VPN,
The sky-is-falling organizations have their own priorities, their own chests to beat, their own products to peddle. What’s good for them isn’t necessarily good for you.