Is MS Office patching scheme under siege?

This is the second month in a row that Microsoft Office is being exposed by an active exploit for an entire month. This month it's Microsoft PowerPoint, last month it was two Microsoft Excel problems. The big problem is that both attacks in both months were released a day after patch Tuesday so that the unpatched window of opportunity for the exploit is maximized. Since Microsoft declined to offer an immediate out-of-cycle patch last month and in the past, hackers know that if the release a patch right after patch Tuesday they can get a full month of open season on unpatched Office software.

This is the second month in a row that Microsoft Office is being exposed by an active exploit for an entire month.  This month it's Microsoft PowerPoint, last month it was two Microsoft Excel problems.  The big problem is that both attacks in both months were released a day after patch Tuesday so that the unpatched window of opportunity for the exploit is maximized.  Since Microsoft declined to offer an immediate out-of-cycle patch last month and in the past, hackers know that if the release a patch right after patch Tuesday they can get a full month of open season on unpatched Office software.

I've always defended the practice of monthly patching because it's the only reasonable way organizations can deal with patch management.  When a patch is released immediately, it becomes easy for hackers to reverse engineer and produce a exploit.  If patches are randomly released and most organizations are not immediately patching them, more people are put at risk with random patch schedules.  But when there already is an active proof-of-concept exploit in the wild, that whole argument goes out the window.  When the exploit is already being utilized in either targeted or large scale attacks, the responsible thing for a software vendor to do is to release a patch as soon as possible.  Microsoft did the responsible thing with the WMF exploit by releasing an out-of-band patch, but they've been skipping out-of-band patches since the last zero-day Internet Explorer exploit.  That may be attributed to the fact that the WMF exploit got a HUGE amount of press coverage (even more than usual for a Microsoft vulnerability) while the others didn't so they didn't feel quite as much pressure.

Theoretically, someone could have a batch of multiple Microsoft exploits but they're holding on to them and only releasing them one at a time right after patch Tuesday.  Since you only need one critical vulnerability to root a system, this technique would maximize their effectiveness and we're starting to see a pattern of this against Microsoft's ubiquitous software.  If Microsoft wants to break this vicious pattern and protect their customers, they're going to have to stop waiting a full month to patch a zero-day exploit running in the wild.  If they fail to do so, it will have disastrous consequences for their public perception for a long time to come and it will negate all the good security progress they've made.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All