So where were you when the great big double-barrelled Patch Tuesday of March 2017 rolled around?
Me? I was in my office and carrying on about my business as I always do, whether it’s Patch Tuesday or not. The fact that it is a regular occurrence, means that it has become a mundane and expected part of our daily digital existence. For this reason, and this reason alone, is why last month’s absence of a Patch Tuesday is of great concern to security professionals like myself.“I got updates on Windows last month!” I hear you cry. So did I, but it was only for that disgrace of a piece of software that is Adobe Flash Player.
What we were missing were a number of patches for Microsoft’s various software that we have installed on our desktops, laptops and servers. This was the first time in 14 years that they skipped a month and they did so without providing us with any indication of what the problem was.
So in March 2017 Microsoft fixed 135 vulnerabilities across their software estate, which is pretty freakin’ big. The number of vulnerabilities though is only a small part of the serious problem that us concerned security folk have with Microsoft. One of the critical vulnerabilities that was patched on the 14th of March was a flaw that was publicly disclosed on the 2nd of February. This meant that the evil doers would have been attempting to exploit the vulnerability for nearly 6 weeks … which is an aeon in a hacker’s world.
Now, we can’t take umbrage at the fact that Carnegie Mellon University revealed the existence of the vulnerability in February, which had been discovered last year. Microsoft were notified about it and so an expectation that they were going to fix it in February 2017 was reasonable. However, something went awry with the whole month-worth of patches and so a lot of people were exposed for a very long period of time, which is really inexcusable.
I preach to people, telling them they need to keep their software and devices up-to-date. Then M$FT go ahead and make a mockery of the arrangement.