CEO Blog Series: Microsoft Can’t Protect Themselves—How Will They Protect You?

Microsoft released security updates for 89 vulnerabilities in its Patch Tuesday for the month of March. It was another monthly reminder of why companies should not rely on Microsoft for cybersecurity. 

That is a huge volume of vulnerabilities for Defenders to have to deal with, but what is more important—and concerning—is the severity of the vulnerabilities and the risks they expose companies to. Of the 89 vulnerabilities, 75 are rated by Microsoft as Important and 14 are Critical. Three of them are zero-day vulnerabilities—two of which are being actively exploited in the wild. 

These vulnerabilities affect a wide range of platforms and products that companies depend on—the Microsoft Windows operating system, the Internet Explorer and Edge browsers, Office tools and web apps, Exchange Server, SharePoint Server, Azure Cloud and related services, and more.

I don’t envy IT teams that have to scramble every month to patch and update their Microsoft products. I wonder how people would feel if General Motors issued 14 safety recalls in a month, with 3 of them being for problems they were not previously aware of and 2 of them actively causing vehicles to fail, putting lives at risk.

Focused On the Wrong Priorities

The vulnerabilities themselves are not the problem. As I have stressed in previous posts, there is no such thing as perfect code. Microsoft is responsible for billions of lines of code, so some vulnerabilities are inevitable. 

The problem is twofold: first, while vulnerabilities are inevitable, that doesn’t fully justify why there are consistently so many every single month (it’s basically a monthly fire drill for SOC and IT teams for the better part of two decades), or why such a high percentage of them are zero-days or other Critical vulnerabilities.

Ideally, Microsoft should be able to focus on secure coding principles and reduce both the volume and severity of the flaws that are constantly being introduced into the market and putting everyone at risk. 

Second, and the larger issue, Microsoft now wants to provide cybersecurity tools and services for customers, ostensibly to protect them from all the vulnerabilities they themselves are pushing to market almost daily.

Even worse, they have a very coercive licensing model that bundles together their vulnerable business software and services that customers need with their largely untested (and likely vulnerable as well) “security” products that customers don’t necessarily want but may feel pressured to implement for budgetary or other non-security reasons.

The net result is that many organizations simply adopt those tools because they can’t justify spending additional budget to obtain better cybersecurity solutions. 

Who Watches the Watchers?

Setting aside that Microsoft should be more focused on improving the security of its code than selling customers tools to protect against the vulnerabilities they created, and the fact that the cybersecurity tools they provide are generally inferior to competing solutions, there is also the danger of trusting your security posture to a monoculture that is a self-feeding circle. 

If you choose Microsoft to keep watch over your networks to protect against cyberattacks, ask yourself who it is that is keeping watch over Microsoft? 

There is a reason that we have independent oversight for things like the safety of pharmaceuticals, aircraft, vehicles, our food, and more. There is a reason that scientific claims are checked by peer review. A company or industry that monitors itself has an incentive to protect its own interests. Even those with the best integrity are under significant pressure to look the other way or cut corners when it benefits the organization’s bottom line. 

Paying Microsoft again for security tools to protect against exploits of vulnerable Microsoft products you already paid for once is like paying the arsonist to install smoke detectors in your house before he burns it down. 

Defending Better

Microsoft has issued patches and updates for 234 vulnerabilities in just the first 3 months of 2022 (and it’s still early March). Of those, 23 have been rated as Critical and 10 have been zero-days. That’s an average of almost 8 Critical vulnerabilities and more than 3 zero-day vulnerabilities per month. 

Microsoft has also consistently failed to detect and stop attacks that exploit flaws in its own platforms and tools, as we witnessed with the exploitation of Microsoft products in both the SolarWinds and HAFNIUM attacks. If they can’t protect themselves, how are they going to protect you and your organization?

It is a bad idea to put all of your eggs in Microsoft’s basket. It’s impractical not to use Microsoft operating systems, platforms, or applications, but that doesn’t mean you also have to rely on Microsoft for cybersecurity. Make sure you have tools in place to defend your environment effectively, including against Microsoft vulnerabilities and zero-days.

There will always be vulnerabilities, and Microsoft will always be Microsoft.

About the Author

Lior Div

Lior Div, CEO and co-founder of Cybereason, began his career in and later served as a Commander in the famed Unit 8200. His team conducted nation-state offensive operations with a 100% success rate for penetration of targets. He is a renowned expert in hacking operations, forensics, reverse engineering, malware analysis, cryptography and evasion. Lior has a unique perspective on the most advanced attack techniques and how to leverage that knowledge to gain an advantage over the adversary. This perspective was key to developing an operation-centric approach to defending against the most advanced attacks and represents the direction security operations must take to ensure a future-ready defense posture.
