Microsoft Patch Tuesday settles a lot of concerns, including blockbuster Badlock
Qualys CTO Wolfgang Kandek shares his opinion of April’s Patch Tuesday releases.
IT'S THAT time of the month when you put your head in your hands and say: 'Not bloody Patch Tuesday again.'
Fraid so, but fret not as we have a nice collection of security folk, not to mention guidance from Microsoft, to help you through it.
The headline fixes include mitigation against man-in-the-middle (MITM) menace Badlock, which had been causing some concern.
The Microsoft Security Bulletin Summary for April 2016 includes fixes for 31 vulnerabilities, and prevents things like remote code execution in Internet Explorer and elevation of privilege in Windows.
The big news is the destruction of Badlock, but the security community does not appear to be so taken with the threat, or its solution.
Badlock was announced with much fanfare on 22 March with a dedicated domain and webpage, a cool icon and a codename, but there were no details about the nature of the bug.
"That gave the security community three weeks to get worked up about whether this vulnerability was going to be big or a bust," said Trustwave threat intelligence manager Karl Sigler.
"Well, we now know the details and I'm guessing most people will consider Badlock a bust. The very fact that it is a MITM attack limits the severity greatly."
However, all press is good press, unless you used to work on the telly, and Sigler reckons that such "celebrity" security threats better inform users about the situation.
"As silly as they may seem to some in the industry, celebrity vulnerabilities can be very useful. The prime example, and the standard most celebrity vulnerabilities are put to, is Heartbleed," said Sigler.
"Heartbleed was a critical vulnerability, and the name, website and icon helped draw attention to it. It could be argued that more servers were patched in a quicker time because of the high profile brought by the name.
"Since Heartbleed, however, the bulk of these celebrity vulnerabilities have been more or less non-issues. I'm not saying that these aren't vulnerabilities that could cause a breach or data loss.
"However, the large portion of them stole the spotlight from much more critical vulnerabilities, and that is a problem. Even in this case of Badlock there are more critical vulnerabilities being patched today."
His peers feel the same. Todd Schell, product manager at HEAT Software, said: "Because Badlock has been in the news, it's interesting to note MS16-047. Microsoft rates it as 'important'. It hasn't proved as serious as originally thought. The Badlock exploit is covered by a number of CVEs, but primarily under CVE-2016-0128.
"Take note that these MITM attacks and their respective fixes are getting more attention these days. In this case Badlock even has a nice logo to remember it by. If the bad guys are paying attention, you should too."
Qualys CTO Wolfgang Kandek, a chap who likes a good Patch Tuesday, reckons that a lot of this is a fuss about nothing.
"Badlock seems to be tamer than expected and is addressed by Microsoft in MS16-047, a bulletin categorised as 'important'. It's a MITM-type vulnerability and can be used to log in as another user for applications that use the SAMR or LSAD protocol. The SMB protocol is not affected," he said.
"All versions of Windows are affected from Vista to Server 2012 R2. We are not sure where to rank it, but it certainly does not have our top spot."
It appears that this honour is saved for a problem with something called Flash. µ