Microsoft goes after the critical flaws and pushes updates the hard way

July 30, 2015

Last week, Microsoft released a critical out-of-band patch for all versions of Windows in order to contain the possible harm from a vulnerability in Windows’ Adobe Typ Manager Library. It was erroneously handling OpenType fonts, which allowed for a remote code execution on the attacked machine.

Fixing the flaws

A hasty patch release is always somewhat of an eyebrows-raising event: It means that something is so wrong it can’t wait for the next routine patch distribution day (Patch Tuesday, in Microsoft’s case). Microsoft said it had no information of real-world exploitation of MS15-078 vulnerability, although it was known that this bug is already public.

According to Threatpost, “An attacker could leverage the vulnerability to take complete control of a system – meaning they could be given the ability to install programs, view, and change or delete data, along with the ability to create new accounts with full user rights.”

This is indeed a critical problem, which required a quick resolution.

In fact, just a week ago there was yet another patch for the Adobe Type Manager Font Driver flaw, – the already notorious CVE-2015-2387. So users who have automatic updates for Windows turned on could have seen – over the course of a few days – two notifications in a row, encouraging the users to reboot in order to install the patches.

Both were considered critical, even though the latter was a bit less dire.


Errarum est

The fact that Microsoft chose to fix things ASAP is encouraging. The Windows maker is often (historically, even) criticized for the amount of errors and vulnerabilities it has to patch, when, in fact, every software vendor makes mistakes, and the more complex the system is, the more these mistakes are going to happen – and be found. Both things are inevitable. It’s fine if the white-hats discover the flaw. But the second vulnerability – CVE-2015-2387 – appears to be in exploitation for at least some time, keeping a zeroday status. And the circumstances of its discovery were quite displeasing.

But after all the flaws are discovered, the most important thing is how quickly and efficiently they are fixed. Microsoft did handled it in a properly responsive fashion.

Then there’s the end-users’ reaction. The sheer amount of fixes, updates, and patches raining down on them is actually a good thing, even though it may be a bit irritating. Is it a reason to ignore them? By no means. But they are often ignored.

Pushing through

In other – related – news, Windows 10 was released to general availability just yesterday: for the first time in its lifetime, perhaps, Microsoft actually gave it out to users of genuine copies of eligible editions of Windows 7 or Windows 8.1.

Among all of its promised security enhancements, Microsoft also said that updates will be performed as a “service”: Users will receive new features at no charge for the “supported lifetime” of the device it is installed on. The Home and Pro editions automatically receive all non-critical updates as they are released without the possibility of declining them, in addition to automatic driver updates. Pro versions will be able to defer updates for a limited time, but not ignore them completely.

This approach may look a little “insensitive,” but those often – and sometimes indefinitely long – delays with installing the patches create extra risks, which have to be dealt. Microsoft has chosen this certain course of action.