Let’s start with a recent history of Microsoft’s security oddities:
- February 2: A zero-day Window SMB bug is published with no patch. CVE-2017-0016 is a high severity vulnerability affecting Windows 8, Windows 10, Windows Server 2012 R2 and Windows Server 2016. It exists due to a memory corruption issue while handling of SMB traffic (more information, including the workaround, can be found in the US CERT post). A security researcher released its exploit code in the wild on the first of the month after reporting the vulnerability Microsoft in September 2016.
- February 14: Microsoft’s Patch Tuesday is delayed. To mid-March. Without any notice. This is the first time Microsoft has essentially cancelled the monthly update.
- February 15: A zero-day vulnerability in the Windows Graphics Device Interface (GDI) library is published with no patch. Google’s Project Zero properly reported the remote information disclosure vulnerability (CVE-2017-0038) to Microsoft. The vulnerability affects all versions of Windows, including Windows 10 and Windows Vista. Microsoft failed to release a patch within 90 days after the submission of the report – the timeframe Google gives vendors to release a patch before going public – so it was published with no fix available.
- February 21: Microsoft publishes fixes to previously patched Flash vulnerabilities. This is a weird one. Adobe released their fix to several remote code execution vulnerabilities in Adobe Flash a week prior in APSB17-04. That didn’t stop Microsoft from issuing the bulletin MS17-005.
So thanks for the fix of Adobe vulnerabilities, but what about those two zero-days?
These recent events are what critics of Microsoft’s new patch release process feared: that bundling fixes in one “all or nothing” update would mean patches are held until other kinks can be worked out. Even the SMB zero-day reportedly has had a patch since December, but Microsoft delayed its release to package it with other pending SMB fixes, according to the security researcher who disclosed the vulnerability. The argument sits at the crossroads of process efficiency and security – don’t except a resolution to this debate any time soon.
Bug Bounties and Ransomed Security: Whether you view Kristian Hermansen, Luca Todesco, or the Miller/Valasek duo as rebels or heroes, their message is clear: respect the researcher.