People are waiting for Thor’s hammer to fall with a Windows patch later today. Given Microsoft’s history of hyped and exaggerated patches, a bit of skepticism is in order. Here’s a little history, and an invitation to keep calm in the first place.
In recent years we have seen a few security holes that led to sky-is-falling warnings and a string of thoughtless press releases. When you turn on the local news and hear your hometown weather reporter tell you that you really need to patch Windows, a little skepticism is warranted.
It seems that today’s Patch Tuesday is heading down the same well-worn rut.
Brian Krebs, a security guru with impeccable credentials, opened his blog post yesterday with this:
Sources tell KrebsOnSecurity that Microsoft Corp. is scheduled to release a software update on Tuesday to fix an extraordinarily severe security vulnerability in a core cryptographic component present in all versions of Windows. These sources say that Microsoft has quietly shipped a patch for the bug to U.S. military affiliates and other high-value customers/targets that manage key Internet infrastructure, and that those organizations have been asked to sign agreements preventing them from disclosing details of the flaw before January 14, the first Patch Tuesday of 2020.
On the one hand, we have Will Dormann, a highly respected analyst at the CERT Coordination Center, who wrote on Twitter:
I think maybe people should pay close attention to installing tomorrow’s Microsoft Patch Tuesday updates in a timely manner. Even more so than others. I don’t know … call it just a hunch? ¯\_(ツ)_/¯
On the other hand, we have Kevin Beaumont, my favorite voice from the trenches, who simply says:
Don’t panic about it.
A little history of histrionics:
On Monday, September 23 (a Monday, not a Tuesday, of course), Microsoft released a highly publicized out-of-band patch for an Internet Explorer zero-day labeled “exploited,” known as CVE-2019-1367. The fix was so broken that Microsoft ended up releasing four separate fixes for it in three weeks, and many (millions?) of Windows customers were hit by bugs. The security hole itself? It never amounted to a hill of beans.
In November we got similar treatment with CVE-2019-1429, a terrifying “exploited” monster that never materialized. In December it was CVE-2019-1458, which has since faded into obscurity. In September we got emergency warnings about two “exploited” security holes, CVE-2019-1214 and CVE-2019-1215. A few days later, without any announcement, Microsoft removed the “exploited” label.
Then there was the DejaBlue fiasco. Beaumont, who named the security hole and followed it closely, never found a working exploit in the wild (although there were several proof-of-concept exploits in the lab).
Of course, there have been major security holes announced with great fanfare, complete with their own dedicated websites and logos. The most recent real threat came in the form of BlueKeep, announced and patched in May, for which a working exploit actually appeared in September. Even the NSA warned about it. You had about four months to install the patch. (Full disclosure: I joined the Chicken Little crowd and recommended patching BlueKeep early, when it wasn’t needed.)
Many hardline patch advocates now point to WannaCry, which broke loose in May 2017. With its origins in NSA-written hacking code, WannaCry posed a significant threat, but Microsoft had already released the patch for it, MS17-010, two months before WannaCry appeared.
I’m not saying you should put on rose-colored glasses and sing “la-la-la” to get through today’s Patch Tuesday games. But I am saying that a certain amount of restraint could go a long way, especially given Microsoft’s history of Patch Tuesday failures.