Microsoft issues security patches for 31 separate vulnerabilities

Graham Cluley

It was the second Tuesday of the month yesterday, and you know what that means… Patch Tuesday!

Microsoft has issued a bundle of security bulletins, detailing fixes for 31 vulnerabilities, including critical remote code execution flaws in Internet Explorer and Microsoft Edge.

And this Patch Tuesday update includes a fix for the Badlock bug – a vulnerability that was pre-announced three weeks ago, with a cutesy name, its own website and (of course) logo.

Initially the Badlock website arguably scared the willies out of sysadmins, just saying there was a “crucial security bug in Windows and Samba” and that affected systems should be updated when the fix was released on April 12.

After online criticism, the site defended its pre-announcement and its “marketing” of the vulnerability:

Why announce Badlock before April 12th, 2016?

The main goal of this announcement is to give a heads up and to get you ready to patch all systems as fast as possible and have sysadmin resources available on the day the patch will be released. Vendors and distributors of Samba are being informed before a security fix is released in any case. This is part of any Samba security release process.

Weighting to the respective interests of advance warning and utmost secrecy we chose to warn you beforehand, so that everyone has a chance to be ready to install the fixes as soon as they are available. Once the patch is released to the public, it will point to attack vectors and exploits will be in the wild in no time.

Yet Another Bug With A Logo?

What branded bugs are able to achieve is best said with one word: Awareness. Furthermore names for bugs can serve as unique identifiers, other than different CVE/MS bug IDs.

It is a thin line between drawing attention to a severe vulnerability that should be taken seriously and overhyping it. This process didn’t start with the branding – it started a while ago with everyone working on fixes.

Despite the hoopla, however, it doesn’t appear that Badlock is the most serious of the flaws to be fixed by Microsoft this month. In fact, some have dubbed the man-in-the-middle attack “Sadlock” because it fails to live up to its hype.

Yes, you should patch affected systems against Badlock, but many will find other vulnerabilities inside Microsoft’s Patch Tuesday bundle that are a higher priority.

A bigger risk than Badlock for most computer users is the set of flaws that allow attackers to remotely execute malicious code on your computer through boobytrapped webpages and Word documents.

For more details, read Microsoft’s advisory and make sure that your computer is running the latest security patches.

Graham Cluley is a veteran of the anti-virus industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

4 Replies to “Microsoft issues security patches for 31 separate vulnerabilities”

  1. 1. I haven't accepted any Windows Updates for over a year.
    2. I don't use Microsoft Office; I use LibreOffice.
    3. I have not encountered any problems / "security issues" and I am no longer inconvenienced.

    1. Fact of computer security: many hosts that are compromised are oblivious to the fact.

      Want a funny example? I had a friend years ago (and I remember when he did this) who made the file server of a specific (which I will not name) security company open to everyone. It was unknown for >= 10 years.

      And Microsoft Office versus Libre is only going to matter for vulnerabilities specifically targeting Microsoft Office documents.

      Eventually your poor practises will bite you but the wound might not even be known to you. I have many examples including government hosts trying to use my primary mail server to relay spam. I know many other admins also have plenty of examples. But I suppose this is all beyond your comprehension – for better or for worse.

  2. Martijn certainly has a point but it's still (and I know he knows this) worth remembering that MiTM attacks are quite serious.

    But rather than call this sadlock why not call it gladlock since it's not as serious as was suggested?
