What with all the Presidential brouhaha this week, it would be quite understandable to have overlooked the fact that election day fell on the second Tuesday of the month, a day we all look forward to with baited breath; Patch Tuesday.
Unlike this week’s election day, Patch Tuesday did not disappoint with a swathe of updates from the usual suspects.
It will come as no surprise to any of you that Adobe announced even more patches to the ubiquitous Flash Player. Surely rewriting the entire product would be easier than writing a gazillion patches a month, well that is a slight exaggeration – there are 9 critical patches this month. You can download the latest, shiny, err bug free copy here.
Microsoft announced a total of 14 patches (they call them updates these days, less confrontational we suppose), which fix a total of 68 flaws in Windows and associated products.
Of these flaws, Microsoft announced that (at least) two are being actively exploited in the wild and a further three have been published and are therefore probably about to be exploited.
Of the 14 ‘updates’, 6 are listed as critical, the very highest honour a bug could have, with the remainder ‘Important’, a mention in Dispatches at the very least.
What is worrying, or at the very least interesting, is that amongst these bugs is a real nasty (currently being exploited) critter that was discovered by Google and disclosed to Microsoft on October the 21st, a full 19 days before it was patched. Google then announced the vulnerability to the world on October 31st here.
The bug is an Escalation of Privilege (EoP) exploit, nothing serious then. Microsoft’s bulletin is here.
Yes you are reading that correctly, Microsoft has left a critical vulnerability, which they knew was being exploited in the wild, unpatched for the best part of three weeks.
As with all of these matters there are two sides to the story. On the Microsoft side, they are saying that Google should have waited until after the regular patch cycle to make the public announcement. On the Google side, they are saying that a week is easily enough time to fix a serious vulnerability.
What is our perspective? It seems crazy in this era of seemingly daily vulnerability announcements that we have to wait until the second Tuesday of the following month to fix them, especially when they are being published and rapidly exploited in the wild. Whilst we are (amongst) the biggest fans of process and procedure (honest), this second Tuesday policy is beginning to look like a dinosaur and is surely destined for extinction.
All of this comes out in the week that Apple announced its new MacBook Pros. Even the dedicated Apple Fanbois in ITC Towers, and they are plenty, are so disappointed with the huge prices, lack of interfaces, the relatively low specification of the majority of the range and the fact that the power cable (the one that goes from the wall socket to the adapter) is now an optional and chargeable extra and doesn’t ship in the box, that we are seriously considering moving back to higher spec, more reasonably priced, can I even bring myself to say it, WINDOWS laptops.
At least we now have a great excuse not to do that. Phew.
If you would like to discuss the joys of patching (you are patching aren’t you?), please contact us at: e[email protected] or 020 7517 3900.