By the end of March no one will remember that Microsoft missed a Patch Tuesday

february patch tuesday 2017Like the weather in Minnesota, the March Patch Forecast is unpredictable at best. Be prepared for turbulent times interspersed with moments of calm.

Will March Patch Tuesday go off without a hitch? What really happened last month? I had a number of people ask that question in the past month. There was a lot of speculation that there was a critical bug in a fix in the rollup. If that was the case, why did they delay on getting the Flash for IE update (MS17-005) released until February 21? It seems like there was something else going on. In fact, I would have expected the IE updates as well since they were supposed to be broken out of the cumulative updates last month.

No, I expect there was something else up that caused the month delay.

CIA’s hacking capabilities

More importantly though (yes, more important than Microsoft missing its first Patch Tuesday in over eight years) is the news regarding Vault 7. There is a ton of interesting stuff in the Vault 7 archive.

If you have not already heard, this is the first part of a series of revelations regarding the CIA’s cyber arsenal being leaked en masse dubbed “Year Zero”. And, oh baby, is there an arsenal of hacks in there! Amongst them are some very interesting DLL hijacks across a huge number of vendors that are definitely in your environments today. Props to the guys over at Notepad++ who were one of the first vendors to respond with an update to a hijacking method for the IT-beloved source code editor and notepad replacement.

Expect this to be the first of many vendor responses to these exploits. Other notable vendors include Kasperksy, Sophos, Symantec, Google Chrome, Mozilla Firefox, PDF alternative Foxit Reader, Office alternative Libre Office, VLC Media Player, Skype and many more.

Takeaways from this event:

  • No vendor is “safe”. This is why you need to update third-party vendors as much as Microsoft. I was actually surprised not to see Adobe Reader or Flash in this initial list. I would have expected those two for sure.
  • The updates to plug these zero days are not going to come at once. This month and the coming months, very likely, are going to see a number of vendors responding with security updates. As they come you should be applying them as quickly as possible. Once a month does not cut it, especially for end user systems and those who can leave the network perimeter. We are monitoring each of the vendors on this list closely and will be releasing any security updates they provide into our product catalog as quickly as we can.

March: What to look out for

Considering we have two months worth of updates you can expect a lot of vulnerabilities are going to be resolved this month. Good news is the total number of updates to be applied won’t be double. As many of the bulletins each month were OS related under the cumulative rollup and security bundle model they are mostly in one large package. Products like Office, Exchange, SQL and SharePoint are still updates on their own, but I would wager we are going to have maybe four to six total updates to install.

Here are some updates: OS rollup, IE (should break out into a separate update this month), Flash for IE, and we are likely going to get a mix of some office and other updates.

We have a lingering zero day (yes, not related to Vault 7). Microsoft still owes their customers an update on the SMB exploit that was exposed on February 1 by researcher Larent Gaffie. Gaffie wasn’t pleased with Microsoft’s plan to postpone releasing a fix until February when they were planning multiple fixes for SMB services and deliberately disclosed the vulnerability a week before Patch Tuesday February. Little did he know that Patch Tuesday would receive a full month delay, so his intended week-long punishment turned into five weeks of exposure for all of us.

Internet Explorer is supposed to finally be breaking out of the security bundles for Win 7 and 8.1 this month. The details are not fully clear yet, but in an article by Peter Bright from Arstechnica he specifically calls out that the security only package will be splitting out IE. The cumulative rollup would still bundle in the IE updates by the sound of things.

The bulletin change should be happening this month. According to Microsoft, they were going to move away from the bulletin system, since moving to the rollups tracking by bulletins has caused bit of a compliance headache. You deploy one package that spans across multiple bulletins, but correlating that information is rather difficult unless you know exactly what bulletins are included in the rollup. We have to see how they relate all the information under the new method, but will we get to a point where you can be more accurate because of this change? The Flash update for IE that released on February 21 was still using the old bulletin model and released under MS17-005, so we still have not seen an example of an update released under the “non-bulletin” model.

On the non-Microsoft front, there should be plenty of activity.

Even before Vault 7 hit, there was activity on the Google release channel, and it looks like that activity has increased. You can expect a Google Chrome update very soon.

Adobe will likely have a Flash update. Acrobat and Reader were updated in January so we may or may not see an update for those two products this month as they usually come out every two to three months.

Notepad++ just released, but there are many more vendors who will likely be in a mad scramble to get security fixes out the door, so be ready for many third-party updates and expect them to come in at odd intervals.