The perils of shouting 'fire' in a crowd of PC patchers

It happens over and over again. Microsoft releases a patch and the world panics. Dire predictions of doom stampede Windows customers into installing patches, then – poof! – the threat disappears. Who gets hurt when the industry cries “Wolf!”?


Time and again we see the same drama play out. Microsoft releases a security patch and scary warnings appear from every corner. When your local news broadcast tells you that you'd better patch Windows right now, more temperate advice should prevail.

A little over two weeks ago, on Patch Tuesday, Microsoft released a patch for a security hole known as CVE-2020-0601, the Crypt32.dll vulnerability also called ChainOfFools or CurveBall.

The klaxons screamed. In a first, even the U.S. National Security Agency got into the act, first by staking an unprecedented claim on the security hole’s genesis, and then by issuing the first-ever NSA Cybersecurity Advisory (PDF) warning folks to duck and cover:

NSA recommends installing all January 2020 Patch Tuesday patches as soon as possible to effectively mitigate the vulnerability on all Windows 10 and Windows Server 2016/2019 systems.

Of course, every news outlet in the world picked it up. What news editor could avoid echoing an NSA pronouncement, for heaven’s sake, even if it involves Elliptic Curve Cryptography certificates, whatever those are? My son’s precocious nine-year-old friend asked me if I’d installed the patch – then scolded me (in the nicest possible way) when I scoffed.

NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable. The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available.

To be fair, Microsoft didn’t take up NSA’s sky-is-falling routine. The CVE-2020-0601 advisory says now, as it said then, that this is a not-publicly-disclosed, not-exploited vulnerability with an “Important” severity rating (one step below “Critical”).

That didn’t stop the pandits or pundits from recommending that you drop everything and get the Patch Tuesday patches installed.

It’s hardly an isolated incident:

  • On Sept. 23, Microsoft released an out-of-band “Critical” security update for a zero-day vulnerability in Internet Explorer’s JScript engine, CVE-2019-1367, along with stern warnings that everyone needed to patch right away. That started a merry chain of four separate patches for the same problem, each with its unique set of bugs. We never saw a major outbreak of CVE-2019-1367 infections.
  • On Patch Tuesday, Sept. 17, Microsoft released patches for two “Exploited” zero-day holes, identified as CVE-2019-1214 and CVE-2019-1215. Security folks tripped all over themselves insisting that normal users needed to get both of those patches applied right away. Without announcement or fanfare, sometime late on Sept. 11 or early Sept. 12, Microsoft simply switched those two patches from “Exploited: Yes” to “Exploited: No.” Few people noticed.
  • Last August, Microsoft released fixes for four separately identified, but similar, “wormable” security holes known collectively as DejaBlue. Within a day, we started seeing reports of major bugs in Visual Basic, VBA and VBScript. Turns out the patches broke the VB variants. What, you’ve never heard of in-the-wild DejaBlue attacks? Joke’s on you.

That’s just the past five months. Go back farther and you see the same pattern repeated: Patch gets released. Security folks cry “Wolf!” Knowledgeable experts expound. News outlets, industry blogosphere, popular magazines, local TV newscasters and your car mechanic’s brother-in-law parrot the battle cry. People applying patches get embroiled in a tizzy… and no significant attack ever appears.

That said, there certainly are legitimate “get-patched” cries. The BlueKeep security hole in Microsoft Remote Desktop was fixed in CVE-2019-0708, released in May 2019. That patch fixed a vulnerability that was finally exploited (but not very successfully) in the wild in November. The daddy of them all, WannaCry, started spreading in May 2017 (thank you, NSA), although it had been patched by MS17-010 in March.

Viewed from 30,000 feet, the repeat behavior would seem comical – what’s that quote about doing the same thing over and over and expecting different results? But it masks two very important, deleterious consequences of crying “Wolf!”

1. Lots of people get stampeded into applying buggy patches. I know that some of you feel that the quality of Microsoft’s Windows patching is pretty good, and that it’s getting better. To my mind, recent observations don’t support that conclusion. Take a look at this ongoing list of bad patches and their consequences, going back two and a half years.

2. Organizations put off patching important holes when they’re distracted by these howlers. So the CEO or CIO or CFO or some other exec hears about a horrible new security hole, and the people in charge of patching are cowed into fixing the high-profile problems first. Heck, if the NSA or the US Department of Homeland Security issues an alert, it’s gotta be a big, spooky problem, right? Well, no. In the past few weeks, several organizations have responded to the perceived threat by getting the ChainOfFools/CurveBall security hole plugged, when their time would've been much better spent on more important patches for, among others, Citrix network apps and Pulse Secure VPN.

The sky-is-falling organizations have their own priorities, their own chests to beat, their own products to peddle. What’s good for them isn’t necessarily good for you.

Copyright © 2020 IDG Communications, Inc.
