igor - Fotolia
Microsoft issues critical patches but not for zero days
After missing the monthly security update for 14 February, Microsoft has issued some patches but not for zero-day vulnerabilities despite the availability of exploit code
Microsoft is issued security updates for “critical” vulnerabilities in its browsers, but has left at least two zero-day vulnerabilities unpatched even though exploit code is publicly available.
A week later than schedule, Microsoft issued via patches via Windows Update to fix vulnerabilities in Adobe Flash for Internet Explorer on Windows 8.1 and later, as well as Edge for Windows 10.
But the updates did not include fixes for two vulnerabilities that have publicly disclosed exploit code, and Microsoft told customers not to expect any more security updates until 14 March 2017.
The first zero-day exploits a Windows server message block (SMB) flaw. Proof of concept exploit code was released just days before Microsoft’s scheduled February software update.
The second zero-day exploits a Windows graphics library flaw that Google’s Project Zero team went public with on 14 February 2017.
Google has come under fire from some quarters for going public with the flaw before Microsoft released a patch, but Google claims to have disclosed the flaw to Microsoft six months before.
Microsoft responded by issuing a patch in June 2016 (MS16-074), but Google’s Project Zero team found other ways to exploit the flaw in November 2016 and released proof of concept code three months later, according to its policy of disclosing vulnerabilities within 90 days of reporting them to the supplier.
Independent security consultant Graham Cluley said it is good that Google finds flaws in other company’s software that might otherwise have never been patched. “I’m less of a fan of it making details public when users are unable to roll out patches to protect against them,” he wrote in a blog post.
Read more about responsible disclosure
- Security researchers have praised Facebook’s WhatsApp cross-platform messenger service for its quick response to a vulnerability disclosure.
- Microsoft says it continues to support responsible disclosure of security vulnerabilities after a researcher went public with a zero-day vulnerability.
- Is 90 days enough time for software suppliers to address vulnerabilities?
It is still not clear exactly what caused the first-ever delay in Microsoft’s monthly security updates. The company has declined to comment beyond its initial statement on the issue:
“Our top priority is to provide the best possible experience for customers in maintaining and protecting their systems. This month, we discovered a last minute issue that could affect some customers and was not resolved in time for our planned updates today.
“After considering all options, we made the decision to delay this month’s updates. We apologise for any inconvenience caused by this change to the existing plan.”
However, according to ZDNet’s Mary Jo Foley, sources said problems with Microsoft’s build system could be the cause of the delay. ... ... ... ... ...