Security Research
Subtle shift in Microsoft’s patching policy could have wide-reaching effect

Dustin_Childs on 04-05-2016 06:57 AM

In February 2016, Microsoft made a subtle but possibly significant change to certain security updates. With the release of MS16-022, Microsoft for the first time made available a security bulletin for third-party software and pushed the fix through their automatic update system. If this sounds unprecedented, it’s because it is. Microsoft has never before used the Windows Update infrastructure to push out a third-party security patch, although it has been doing almost that since 2012. The difference, however, opens both exciting and troubling possibilities.

A brief history of Flash in IE

To understand where this begins, we must travel back to the heady days of 2012 and the impending release of Windows 8. By this time, Steve Jobs had already published his “Thoughts on Flash” blog describing why Apple does not allow Adobe Flash on iPhones, iPods, or iPads. He also declared Flash unnecessary and undesirable for many reasons, including security. At the time, many websites relied on Flash to deliver content, and many customers clamored for Flash content on their devices.

Unlike Apple, Microsoft embraced Flash. Starting with the release preview of Windows 8, Adobe Flash was integrated into Internet Explorer (IE) 10. Microsoft worked with Adobe to completely integrate Flash within IE – despite its own Silverlight program being a direct competitor. This version of Flash was not treated as an add-on or plug-in; it was integrated code, and in many ways, that alone was unprecedented.

The inclusion of Flash in IE left Microsoft with an interesting challenge: how would Flash security updates from Adobe be delivered to the version of Flash in IE? In the end, they settled on shipping Flash in IE security updates through Security Advisory 2755801. This advisory first released the same day as an unscheduled out-of-band (OOB) patch for IE (unrelated to Flash or Adobe).

Microsoft’s MSRC blog announcing the availability of that advisory stated:

With respect to Adobe Flash Player in Internet Explorer 10, customers can expect the following:

  • On a quarterly basis when Adobe normally issues Flash Player updates, we will coordinate on disclosure and release timing.
  • When the threat landscape requires action outside of Adobe’s normal update cadence, we will also work to align our release schedules. For example, this may mean that in some cases we will issue updates outside of our regular monthly security bulletin release.

Since its initial release, Security Advisory 2755801 has been revised a whopping 53 times. Each of these revisions coincided with an Adobe Product Security Bulletin (APSB) that offered a security update for Flash.

That changed with the release of MS16-022, which promoted Flash updates from Security Advisories to full-fledged Security Bulletins.

Advisory v bulletin and why it matters

In Microsoft parlance, there is a significant difference between a security advisory and a security bulletin (the thing known outside Microsoft as a “patch,” as in “Patch Tuesday”). As discussed in Security Briefing 22, Microsoft uses advisories to communicate about security issues that may not rise to the level of a full bulletin, or about issues that are of bulletin-level importance, but for which a full fix is not yet available. A bulletin always includes the most comprehensive fix the company can manage. An advisory may include a “Fix It”, advice on Enhanced Mitigation Experience Toolkit (EMET) settings, or some other stopgap – in other words, some sort of actionable aid, but not a comprehensive fix. The MSRC blog further describes advisories by saying, “The easiest way to think of advisories is to consider them as a call to action. With bulletins, updates are usually sent out through Windows or Microsoft Update. If you’ve enabled automatic updating, there’s no action for you – the update will be installed and if needed, your system will reboot. Even if you manually apply all updates, bulletins should require nothing more than installing a package and potentially restarting a service or system. Advisories cover topics that potentially affect your security but cannot be resolved through an update alone.”

While that seems straightforward, it did not seem to apply to Flash in IE updates. These patches were announced through an advisory as described above, but were made available through Windows Update, and if the end user had automatic updates enabled, the patch would automatically be installed without user interaction. If that sounds like a security bulletin, that’s because it matches Microsoft’s definition of a security bulletin. The same MSRC blog cited earlier defines bulletins as, “If an issue in software can be corrected by applying new software, it becomes a security bulletin.”

So why did Flash in IE look like a bulletin while being treated like an advisory? Microsoft offers no specific statement here, but one could speculate that since the code being shipped was developed and documented by Adobe instead of Microsoft, they felt it more appropriate to announce it through an advisory. While there is a logic to this speculation, it seems to be contradicted by how Microsoft treated Oracle’s Outside In libraries, which were shipped as a part of SharePoint server. These libraries were always serviced through a security bulletin – even though the patch was developed and documented by Oracle.

Perhaps the change from advisory to bulletin is a simple correction of strategy to align with how they treat the Oracle Outside In updates. Speculation is again required because there has been no official word from Microsoft on why the change was made. However, there is one other subtle shift that could point to why this change was made: the bulletin changed the way Adobe Flash was referenced by Microsoft. In the advisory, it was always referred to as “Adobe Flash Player in Internet Explorer.” In the bulletin, it is simply listed as “Adobe Flash Player.” The bulletin also notes Flash may be invoked through Microsoft Office. As stated in the bulletin, “An attacker could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document that hosts the IE rendering engine.” Perhaps the change was meant to acknowledge Flash can be invoked through many applications within the Windows OS and not just the browser.

Another theory suggests that Microsoft chose the advisory mechanism because of the nature of Flash updates – that is, frequent and often released out-of-band. Microsoft bulletins are released on the second Tuesday of every month. Adobe updates are also scheduled for this day, but Flash updates often are released outside of this schedule due to active attacks. As seen in our 2016 Cyber Risk Report, out of the top 20 vulnerabilities by targeted platform, half affected Adobe Flash. Since in the case of the advisory Microsoft was simply repackaging code developed by Adobe, shipping a Flash in IE update through a Security Bulletin would have meant many disruptive OOB bulletins – all due to a third-party product. Security advisories do not occur on a schedule and therefore do not count as OOBs. Perhaps the distinction was born out of not wanting multiple OOB bulletins due to a third-party product. Again, without official word from Microsoft, we can only speculate.

Questions remain

Regardless of why the change occurred, we now live in a world where Microsoft uses its update infrastructure to push third-party security updates. Again, the key point here is that Microsoft is no longer patching “Adobe Flash Player in Internet Explorer.” They are now patching “Adobe Flash Player.” On the surface, using a robust and trusted infrastructure to patch one of the most targeted applications in the world is definitely welcome, but it does raise some interesting questions.

Which other apps should Microsoft consider for shipping security patches?

According to our 2016 Cyber Risk Report, after Flash and Microsoft products, Adobe Reader is the next most targeted application. Should Microsoft consider shipping Reader updates alongside Flash?

Does this give Adobe an unfair competitive advantage?

It’s hard to imagine how being one of the most targeted applications can become advantageous. Still, Adobe Flash is now the only third-party application being patched using Microsoft’s WU infrastructure. If Reader becomes the second, should updates for Foxit Reader – a popular PDF reader not published by Adobe, but susceptible to its own set of security vulnerabilities – be implemented at the same time?

Will there be a formal program for security patches to be included in Windows Update?

Currently, some non-security third-party updates – think device drivers – are sent as optional updates through Microsoft’s WU infrastructure. Microsoft also maintains a thorough list of officially compatible products that have met all of Microsoft's requirements to be offered through that system. If other vendors request Microsoft deliver their security updates, will a program be developed?

Will these updates stay on a Patch Tuesday schedule?

Adobe does follow a standard release schedule, but they are not afraid to release Flash security updates outside of this schedule in response to active attacks. Flash updates are not necessarily convenient to install, but they do not tend to require reboots – a long-time sticking point with Microsoft updates – and are thus comparatively less disruptive to customers looking to reboot only once a month. When unscheduled Flash releases happen, one of two scenarios is likely: Microsoft releases an OOB bulletin, or Windows users remain unprotected until the next Patch Tuesday.

People are afraid of security patches

Will this change the trend of people not trusting updates?

As discussed in Security Briefing 22, people are afraid of security patches. They are afraid of what will break when they install them. They are frustrated by the disruptions to their work during installation and reboot. And vendors are not being open and transparent with them to assuage those fears. One of the disconcerting things about this shift was that neither Microsoft nor Adobe released any public notification or information about the change. In the end, this shift might be a good decision, but vendors must earn back the trust of users – their direct customers – to help restore faith in automatic updates. A key part of that effort must include better communications.

Final thoughts

Adding new ways to patch broadly targeted software is not a bad thing. Security patches should be easy to access and install. Unfortunately, lack of communications from the vendors involved leaves the rest of the world with more questions to be answered. For years, many people have wanted Microsoft to deliver security patches through Windows Update. Setting up a Windows Software Update Service (WSUS) server to publish third-party patches within an enterprise is possible, but not trivial. Many administrators would prefer everything run through a centralized program. Still, questions remain on how the implementation occurs. Which programs will be chosen and how will the quality be tested? In the end, customers will likely demand more accountability and transparency from their vendors before the vendors demand more from themselves.

About the Author

Dustin_Childs

I am a senior security content developer with Hewlett Packard Enterprise Security Research. In this role, I write and edit security analysis and supporting content from researchers. I am also responsible for providing insight into the threat landscape; competitive intelligence to the research team; and providing guidance on the social media roadmap. Part of my role includes speaking publicly and promoting the research and technology of HPE Enterprise Security Products.

Comments
Larry Seltzer
on 04-06-2016 07:36 AM

Microsoft's long-term solution for unpatched third party hardware is to copy Apple's for iOS: Software issued through the Windows Store is automatically updated by the Store app. This is manageable in a managed environment.

I've been arguing for years that Microsoft should include key third party programs in Windows Update, or at least open the interface so that third parties could establish signed, trusted updates that would be pulled and installed by Windows Update client software. But if they haven't done it by now they aren't going to. The real problem is on unmanaged clients and the real solution for them, as Microsoft sees it, is the Store.
