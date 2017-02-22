Opinion by Steven J. Vaughan-Nichols

What’s up with Windows patching, Microsoft?

A month late? Seriously? It’s both outrageous and unsurprising.

Computerworld

Well, here’s something different. Microsoft, for the first time since it started its monthly Patch Tuesdays in October 2003, has completely blown a deadline. There will be no major patch release in February. Instead, the patch package will be released on March 14.

Why? We don’t know and Microsoft isn’t saying.

Color me concerned.

I have reason to be. Greg Lambert, chairman of Qompat, who covers software patches like paint, had hoped Microsoft would delay the patches by only a week. After all, Lambert observed, “This month’s update cycle from Microsoft is especially important as a now critical zero-day vulnerability (CVE867968) has been reported related to how a component of the Microsoft SMB [Server Message Block] protocol handles traffic. This was initially reported as a denial of service attack, but now looks likely to be rated as critical by Microsoft as it may lead to a more serious (RCE) remote code execution scenario.”

And according to CERT, “Exploit code for this vulnerability is publicly available.” CERT’s security pros also report that there is, by the by, no known fix for this.

Oh, boy!

So, here we have a known zero-day vulnerability with an exploit, and Microsoft is just twiddling its thumbs.

Sure, I know that it’s not as if this vulnerability opens you up to being attacked over the internet. Because your outbound SMB connections (TCP ports 139 and 445 along with UDP ports 137 and 138) are blocked on your firewall. Right?

OK, now that you’re back from checking on that, let me note that, inside your network, all it takes is one grumpy employee for your Windows infrastructure to be in for a world of hurt.
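For anyone who did just go and check, here is what that check and the fix look like on a Windows host itself. This is an added example, not part of the original column or of any CERT guidance: it creates outbound Windows Firewall rules that block the SMB ports listed above toward Internet addresses only (so file sharing inside the LAN keeps working), then verifies them. The rule names and the external test host are my own placeholders.

```powershell
# Added example: block outbound SMB to the Internet while leaving LAN SMB alone.
# Run in an elevated PowerShell session on Windows 8.1/Server 2012 R2 or later
# (the NetSecurity module cmdlets used here are not available on Windows 7).

$rules = @(
    # TCP 139 (NetBIOS session) and 445 (direct SMB): the ports the column names.
    @{ Name = 'Block-Outbound-SMB-TCP-Internet'; Protocol = 'TCP'; Ports = 139, 445 },
    # UDP 137 (NetBIOS name) and 138 (NetBIOS datagram).
    @{ Name = 'Block-Outbound-SMB-UDP-Internet'; Protocol = 'UDP'; Ports = 137, 138 }
)

foreach ($r in $rules) {
    # Create the rule only once; rerunning the script must not duplicate it.
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name `
            -Direction Outbound `
            -Protocol $r.Protocol `
            -RemotePort $r.Ports `
            -RemoteAddress Internet `   # keyword: any address outside local subnets
            -Action Block `
            -Profile Any `
            -Enabled True | Out-Null
    }
}

# Verification 1: list the rules and their port filters so the state is auditable.
Get-NetFirewallRule -DisplayName 'Block-Outbound-SMB-*' |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule     = $_.DisplayName
            Enabled  = $_.Enabled
            Action   = $_.Action
            Protocol = $pf.Protocol
            Ports    = ($pf.RemotePort -join ',')
        }
    } | Format-Table -AutoSize

# Verification 2: an outbound 445 attempt to an external host should now fail.
# 'smb-test.example' is a placeholder; use a host you own on the public Internet.
$reachable = Test-NetConnection -ComputerName 'smb-test.example' -Port 445 -InformationLevel Quiet
"Outbound TCP 445 to the Internet reachable: $reachable   (expected: False)"
```

Blocking at the host is a belt-and-braces measure; the perimeter firewall should still block the same four ports outbound, since a single unmanaged device inside the network is enough to bypass a host-only rule.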

So what could be happening that would make Microsoft delay such a critical fix? Even though there are separate patch trees for Windows 7 and 10, could something still zap both operating systems? History suggests it is more than possible. Although Microsoft insists that each new Windows version is much more secure than the previous one, many serious security bugs somehow smack the entire Windows family.

But even given that history, Microsoft has been patching serious problems for years and it has never before told its users to wait an extra month for patches. So I don’t think this is a run-of-the-mill problem.

Chris Goettl, product manager at patch management vendor Ivanti (formerly Shavlik), guesses, “Something is broken in the infrastructure, in Windows Update or the [Microsoft Update] Catalog.”

There’s searing logic in what Goettl says. No updates at all for an entire month even as a critical vulnerability is staring us in the face? Suspecting that something is deeply wrong with the update software itself makes a lot of sense. But it doesn’t leave me feeling warm and secure about Windows.

And you know, Microsoft has a lousy Windows updates record. There was the Jet Database patch, which bricked Windows 2000; the .Net SP that knocked out Quicken in 2008 just before tax season; and the time Microsoft released six — six! — bad patches at once.

Still, things were supposed to be better — no, really! — with cumulative updates for all versions of Windows. With that move you could no longer get individual patches. Instead, Windows bundles all the patches together, except for Edge and Internet Explorer.

This was to make everything better. And I guess it was, until it wasn’t.

A lot of us saw this coming. When cumulative updates were announced for Windows 7 and 8.x, Susan Bradley, who writes on Windows patching for the Windows Secrets newsletter, worried, “Bottom line, everyone is holding their breath, hoping for the best, expecting the worst.”

Guess what: Microsoft missing an entire monthly patch cycle with a zero-day defect hanging over our heads counts as the worst.

Steven J. Vaughan-Nichols has been writing about technology and the business of technology since CP/M-80 was the cutting-edge PC operating system, 300bps was a fast Internet connection, WordStar was the state-of-the-art word processor, and we liked it!
