• Show me the Beef

    I keep seeing reports about all of these horrible exploits for Microsoft’s most recent crop of security patches. “Attack code comes on heels of Microsoft patches” reads one headline. “Just one day after Microsoft shipped its monthly security patches this week, hackers had already released code to exploit some of the flaws,” says another. Sorry folks, but it’s all waaaaaay overblown.

    The day after Microsoft pushed the patches out to millions of machines, SANS Handler’s Diary published this list of known exploits. It’s an accurate list. And it’s the source of all the Chicken Little reports I’ve been reading. I don’t know of any other exploits that have made it into the wild.

    If you look closely at the SANS list, you’ll find:

    • There were two “Exploit(s) released by penetration testing vendor to customers.” Those exploits aren’t in the wild; they are demos, created by the companies that submitted the original hole reports, and they haven’t bitten anybody.

    • Exploit code for the 0day Word hole was “available before release of patch.” We’ve all known that for a long time: that’s what made it a 0day hole. Antivirus software makers have been protecting against that problem for weeks. More than that, I haven’t seen any reports of attacks other than the original, extremely limited attack. Have you?

    • The MS06-030 patch had “Two exploits released to the public.” But in order to run the exploits, the bad guy has to be able to log on to your system and run a program – and if a cretin can do that, your system’s toast anyway.

    • The MS06-032 patch has “DoS exploits released privately (trivial exploit)”.

    That’s it. No zapped PCs. No exploits running amok. No reason to duck and cover. Chicken Little may swear the sky’s falling, but I just see a bunch of unfounded fearmongering. Bottom line: nobody’s been bitten (YET!) by any of the holes covered by last Tuesday’s patches. Nobody.

    But plenty of people have been hit by the MS06-025 dial-up scripting bug. If you installed that patch, and you need a script to get onto the Internet, you’re SOL, until you figure out that you have to uninstall the patch in order to get back online.

    Yes, you should patch eventually. Yes, you should switch to Windows Media Player 11 beta and you should run Firefox, for the reasons given in my summary of the current crop of patches. No, there’s no pressing need for plain ol’ Windows customers to install last Tuesday’s crop right now.

    So when you see a statement like, “Microsoft’s track record with security patches is pretty darn good. Let’s stop being silly and just protect our systems and our data. Turn on Automatic Updates,” you have my permission to guffaw. If you had Automatic Updates turned on, you’d be running Windows Genuine Spyware right now – and if you needed a script to get online, you wouldn’t be running at all!