November’s most popular day in the United States is arguably the fourth Thursday of the month – Thanksgiving Day. In the Tech industry, however, it is the second Tuesday of the month – yesterday to be exact – that garners heightened interest. The reason for the additional interest is that the second Tuesday of the month means Microsoft Patch Tuesday.
And this month in particular, Patch Tuesday drew a bit more interest than usual, although the added interest was not due to the patches released by Microsoft; in fact, those were quite light. It was a kernel patch NOT released that drew the greatest attention.
As Microsoft confirmed last week, the patch to resolve the zero-day vulnerability used in the “Duqu” malware attack was not among the patches it chose to release this week. ZDNet’s Ryan Naraine reports that, “The vulnerability affects the Win32k TrueType font parsing engine and allows hackers to run arbitrary code in kernel mode.” He notes that Microsoft has issued a temporary workaround for the vulnerability in the kernel, but the software giant has not indicated when a full-resolution patch will be delivered.
The good news is that the workaround is an easily installed, one-click fix. The bad news, as with all workarounds, is that it does not fix the problem.
Of its decision not to issue a patch for the kernel vulnerability exploited by the Duqu attack, the Microsoft Security Response Center blog offered the following explanation:
To further protect customers, we provided our partners in the Microsoft Active Protections Program (MAPP) detailed information on how to build detection for their security products. This means that within hours, anti-malware firms will roll out new signatures that detect and block attempts to exploit this vulnerability. Therefore we encourage customers to ensure their antivirus software is up-to-date.
Additionally, our engineering teams determined the root cause of this vulnerability, and we are working to produce a high-quality security update to address it. At this time, we plan to release the security update through our security bulletin process, although it will not be ready for this month’s bulletin release.
Finally, given our ability to detect exploit attempts for this issue, we are able to closely monitor the threat landscape and will notify customers if we see any indication of increased risk. As previously stated, the risk for customers remains low. However, that is subject to change so we encourage customers to either apply the workaround or ensure their anti-malware vendor has added new signatures based on the information we’ve provided them to ensure protections are in place for this issue.
Unfortunately, the response exposes two problems. First, while Microsoft knows what to look for, apparently it still does not know how to close the hole. Second, it confirms something often noted in this blog – that companies are pushing out structurally unsound application software.
It’s not like patching the kernel is anything new or uncommon for Microsoft. On many occasions this year Patch Tuesday has included a kernel patch of one variety or another, which is a scary thought. It means that multiple times this year Microsoft has needed to patch the security and core of its operating system because it contained flaws and vulnerabilities – multiple flaws and vulnerabilities.
This begs the question yet again, “Where was the structural analysis of the software before it was distributed?”
Other industries would be hard pressed to run in a similar manner. Consumers would be livid if Ford, GM or Toyota held a “Recall Thursday” every month. Just imagine the indignation we would all feel if we had to line up our cars at our dealerships’ repair bays to replace the faulty hoses, wires or brackets that someone had “just discovered” were faulty many months after the car was purchased.
And I guess that’s where the real issue lies. Exactly when does Microsoft know about the flaw or vulnerability, and should they have known about it sooner? Some say they know about these vulnerabilities well ahead of time, and hard-core “conspiracy theorists” even go so far as to say that Patch Tuesday is a way for Microsoft to take a sneak peek at what you’re doing with their software and possibly even disable XP to force an upgrade to Vista.
Regardless of whether it’s some great, untold conspiracy or just an oversight, there should be some increased level of scrutiny in the development phase. Microsoft needs to take more steps to ensure the application software – and especially the core and security of operating system software – is neither flawed nor vulnerable. Not doing more encompassing pre-production structural analysis is leaving far too many businesses at risk for malfunctions of mission-critical software or security breaches.
Until Microsoft starts assessing its application software more closely before delivery, it appears the monthly rite of passage known as Patch Tuesday will continue…we’ll see you on December 13 for the next installment.