Well, here’s something different. Microsoft, for the first time since it started its monthly Patch Tuesdays in October 2003, has completely blown a deadline. There will be no major patch release in February. Instead, the patch package will be released on March 14.
Why? We don’t know and Microsoft isn’t saying.
Color me concerned.
I have reason to be. Greg Lambert, chairman of Qompat, who covers software patches like paint, had hoped Microsoft would delay the patches by only a week. After all, Lambert observed, “This month’s update cycle from Microsoft is especially important as a now critical zero-day vulnerability (CVE867968) has been reported related to how a component of the Microsoft SMB [Server Message Block] protocol handles traffic. This was initially reported as a denial of service attack, but now looks like to be rated as critical by Microsoft as it may lead to a more serious (RCE) remote code execution scenario.”
And according to CERT, “Exploit code for this vulnerability is publicly available.“ CERT’s security pros also report that there is, by the by, no known fix for this.
Oh, boy!
So, here we have a known zero-day vulnerability with an exploit, and Microsoft is just twiddling its thumbs.
Sure, I know that it’s not as if this vulnerability opens you up to being attacked over the internet. Because your outbound SMB connections (TCP ports 139 and 445 along with UDP ports 137 and 138) are blocked on your firewall. Right?
OK, now that you’re back from checking on that, let me note that, inside your network, all it takes is one grumpy employee for your Windows infrastructure to be in for a world of hurt.
So what could be happening that would make Microsoft delay such a critical fix? Even though there are separate patch trees for Windows 7 and 10, could something still zap both operating systems? History suggests it is more than possible. Although Microsoft insists that each new Windows version is much more secure than the previous one, many serious security bugs somehow smack the entire Windows family.
But even given that history, Microsoft has been patching serious problems for years and it has never before told its users to wait an extra month for patches. So I don’t think this is a run-of-the-mill problem.
Chris Goettl, product manager at patch management vendor Ivanti (formerly Shavlik), guesses, “Something is broken in the infrastructure, in Windows Update or the [Microsoft Update] Catalog.”
There’s searing logic in what Goettl says. No updates at all for an entire month even as a critical vulnerability is staring us in the face? Suspecting that something is deeply wrong with the update software itself makes a lot of sense. But it doesn’t leave me feeling warm and secure about Windows.
And you know, Microsoft has a lousy Windows updates record. There was the Jet Database patch, which bricked Windows 2000; the .Net SP that knocked out Quicken in 2008 just before tax season; and the time Microsoft released six — six! — bad patches at once.
Still, things were supposed to be better — no, really! — with cumulative updates for all verisons of Windows. With that move you could no longer get individual patches. Instead, Windows bundles all the patches together, except for Edge and Internet Explorer.
This was to make everything better. And I guess it was, until it wasn’t.
A lot of us saw this coming. When cumulative updates were announced for Windows 7 and 8.x, Susan Bradley, who writes on Windows patching for the Windows Secrets newsletter, worried, “Bottom line, everyone is holding their breath, hoping for the best, expecting the worst.”
Guess what: Microsoft missing an entire monthly patch cycle with a zero-day defect hanging over our heads counts as the worst.