New Year, Same Old Microsoft Issues

I appreciate the beginning of a new year: it’s like a reset button. January is a fresh, clean slate that kicks off 12 months of possibilities and opportunities. It’s a chance to do things differently and be better than the year before.

The challenge—for both individuals and organizations—is to seize that opportunity rather than simply doing more of the same. For all of our sakes, I hope Microsoft is striving to make some changes and do better than last year (or any year prior) when it comes to securing its products and protecting its customers. But if the January “Patch Tuesday” release earlier this week is any indication, they have a long way to go.

Kicking Off 2022 with a Bang

Microsoft released fixes for 97 security vulnerabilities this week, including six zero-day flaws that were publicly disclosed before a patch was available. The vulnerabilities could lead to remote code execution (RCE), privilege escalation, spoofing, and cross-site scripting, and they affect every supported version of Windows.

Nine of the vulnerabilities are rated as Critical, but the zero-day flaws are especially troubling. Brian Krebs explains, “Six of the vulnerabilities were publicly detailed already, potentially giving attackers a head start in figuring out how to exploit them in unpatched systems. More concerning, Microsoft warns that one of the flaws fixed this month is ‘wormable,’ meaning no human interaction would be required for an attack to spread from one vulnerable Windows box to another.”

A Matter of Priorities

The 97 fixes this month follow 67 in December and 55 in November. That is 219 security fixes in the last three months, and the month-over-month count is climbing, so the volume of vulnerabilities and fixes is trending in the wrong direction. Meanwhile, Microsoft continues its disingenuous double-dipping: it pushes customers to pay for Microsoft security tools to protect them from exploits targeting vulnerabilities in the Microsoft software those same customers already paid a hefty price for.

There is no such thing as perfect code, and Microsoft develops a ton of software, so vulnerabilities are expected. It would be unreasonable to suggest that Microsoft should just create flawless code. However, that doesn’t mean there isn’t tremendous room for improvement. It’s a simple matter of priorities. 

Microsoft shouldn’t be wasting resources developing mediocre cybersecurity tools, spending marketing dollars on them, and coercing customers into using them by bundling them into the licensing that customers must pay for in order to gain access to valuable business applications and services. Instead, Microsoft should be investing as much as possible into improving secure coding practices and proactively identifying and resolving vulnerabilities in the software that customers already paid for.

It comes down to motive and motivation. Is it more important to deliver value for customers by creating secure software, or is it more important to maximize revenue by pushing software filled with vulnerabilities and then selling additional software to protect it?

Defending 2022

In Microsoft’s defense, the vulnerabilities reported this week don’t necessarily mean that they are not striving to do better in 2022. It takes time to analyze vulnerabilities and develop patches and guidance, and these flaws are carryovers from 2021. I would like to think that Microsoft has the integrity to put customers over profit, but only time will tell. 

Regardless, January is a fresh start for Defenders. Take a look at the threat landscape and your security posture and consider where you can improve your defenses this year. Your New Year’s resolution as a Defender should be to ensure you have the tools necessary to quickly identify and stop attacks no matter how many vulnerabilities Microsoft exposes you to. 

Lior Div

About the Author

Lior Div, CEO and co-founder of Cybereason, began his career and later served as a Commander in the famed Unit 8200. His team conducted nation-state offensive operations with a 100% success rate for penetration of targets. He is a renowned expert in hacking operations, forensics, reverse engineering, malware analysis, cryptography and evasion. Lior has a unique perspective on the most advanced attack techniques and how to leverage that knowledge to gain an advantage over the adversary. This perspective was key to developing an operation-centric approach to defending against the most advanced attacks and represents the direction security operations must take to ensure a future-ready defense posture.