Year's first Patch Tuesday highlights conflict between Microsoft and Google
Normally, the second Tuesday of the month is just another day at the office for Microsoft security researchers and IT pros who support enterprise networks.
For the first Patch Tuesday of 2015, Microsoft has released a total of eight new security updates (one rated Critical, the other seven rated Important) for Windows desktop and server editions. In addition, the company released an update to an Internet Explorer patch from last month and an update for the Adobe Flash Player component built into Internet Explorer 11.
But this batch of patches is strikingly different from its predecessors in two respects.
First, thanks to a change in Microsoft's advance security notification policy, most Microsoft customers didn't get a heads-up last week. (That honor is now reserved for customers with paid Premier support contracts and organizations involved with security research.)
Second, two of the eight updates are listed as responses to "publicly disclosed" vulnerabilities rather than the more customary "privately reported" issues. Google isn't called out by name in either of the security bulletins, but bulletins MS15-001 and MS15-003 are direct responses to disclosures that Google made as part of a hard-line policy on disclosure of security issues it identifies.
The one Critical update, MS15-002, fixes a vulnerability in the Windows Telnet service that could allow remote code execution. This update is essential for Windows Server installations. It's unlikely to affect you if you run Windows on a desktop or laptop PC, however. Telnet is an optional component and is not installed by default on Windows Vista and later desktop versions of Windows, so unless you've gone out of your way to install it, you're not at risk.
MS15-004, although not rated Critical, should probably be moved to the top of your organization's update queue. According to the comments, this flaw, which involves a combination of the Remote Desktop client and TS WebProxy component, is "being used in limited, targeted attacks as a sandbox bypass." It affects all supported Windows desktop versions and all Windows Server releases except Windows Server 2003.
But the two most closely watched updates are at the core of this month's ugly dispute between Microsoft and Google.
MS15-001 and MS15-003 are the result of vulnerabilities discovered by Google researchers. Both bugs became zero-day vulnerabilities after they reached Google's arbitrary 90-day disclosure deadline and were automatically made public.
The first bulletin identifies a bug in the Windows Application Compatibility Cache, which was first reported by Google's James Forshaw on September 30, 2014, and then automatically disclosed after 90 days, on December 29. This bug affects Windows Server 2008 R2 and later versions (but not Windows Server Core), as well as Windows 7, Windows 8, and Windows 8.1.
The second bulletin involves a vulnerability in the Windows User Profile service. That vulnerability, also reported by James Forshaw, was entered in Google's Security Research database on October 13 and then automatically made public after 90 days, on January 11. This bug affects all supported Windows versions, desktop and server.
A note in the comments of that second bug report highlights the fundamental mismatch between Google's calendar and Microsoft's established update procedure.
On November 11, less than a month after the bug was reported, a comment in the Google bug database noted that Microsoft planned to release a fix in February 2015.
> Microsoft confirmed that they are on target to provide fixes for these issues in February 2015. They asked if this would cause a problem with the 90 day deadline.
< Microsoft were informed that the 90 day deadline is fixed for all vendors and bug classes and so cannot be extended. Further they were informed that the 90 day deadline for this issue expires on the 11th Jan 2015.
As a result of that discussion, Microsoft apparently accelerated its testing process for this patch. A December 11 note says "Microsoft confirmed that they anticipate to provide fixes for these issues in January 2015."
Unfortunately for Windows users, the 90-day deadline ran out two days before today's scheduled patch release, which means that proof-of-concept code exploiting the vulnerability was available before the patch was.
It wasn't all bad news for bugs reported by Google. Bulletin MS15-008 was also reported by Google's James Forshaw, according to the Microsoft Acknowledgments page. The corresponding CVE number was assigned on November 18, 2014; assuming that's roughly when the bug was entered in Google's database, it means that Microsoft beat the 90-day clock with this patch.
It's likely that we'll see more of these timing mismatches between Google and Microsoft going forward. The nightmare scenario is a bug that's entered into the database a day or two before Patch Tuesday, with the 90-day clock expiring a few days before the Patch Tuesday three months later.
In that scenario, Microsoft has to accelerate its testing to confirm the vulnerability, identify the fix, test the patch to confirm it works as expected and doesn't have unintended consequences, and then deliver the patch in two months. Waiting an extra month means the bug automatically becomes a zero-day vulnerability.
One obvious solution would be for Google to acknowledge that both Microsoft and Adobe have standardized on the second Tuesday of each month as their date for delivering patches and adjust the deadline to correspond to the Patch Tuesday after the 90-day deadline expires. That would be trivially easy code to write, and it would be no less arbitrary than 90 days.
Unfortunately, it would also require meaningful cooperation between Google and Microsoft, which means it's probably not going to happen anytime soon.