Microsoft advisory points to the much larger third-party security problem
Software behemoth Microsoft may be one of the biggest fish in the information technology ocean, but in one way it’s just like all the other thousands of smaller fish: It’s not bulletproof.
That’s partially because a longtime security cliché applies to all the fish: If any third party connected to your organization — vendor, partner, supplier, contractor — isn’t secure, then you aren’t secure either.
This past month for Microsoft, that third party was Adobe.
Microsoft issued an advisory March 23 on what it called “limited targeted Windows 7 based attacks that could leverage un-patched vulnerabilities in the Adobe Type Manager Library.”
But while the attacks might be based on the Windows 7 operating system (OS), the risks apply to later versions as well, including Windows 10, although the company said the threat to Windows 10 systems is low “due to mitigations that were put in place with the first version released in 2015.” Still, it ranked the severity of possible remote code execution attacks against Windows 10 as “important.”
Advisories like this should be no surprise. Supposedly, anybody who hadn’t been aware of third-party risks before 2014 got the proverbial wake-up call then, after mega-retailer Target’s point of sale (PoS) systems were breached because hackers had penetrated a third party — an HVAC contractor — via malware delivered in an email.
But those sorts of breach still happen — regularly. Five years after the Target debacle, the Ponemon Institute reported that 53% of organizations had been the victims of one or more data breaches caused by a third party.
Not that Microsoft has ever claimed to be bulletproof — it launched what was unofficially labeled “Patch Tuesday” back in 2003. The idea was to accumulate a month’s worth of security patches and then make them all available on the second Tuesday of each month, to give system administrators a predictable schedule to apply them.
Nearly two decades later, Patch Tuesday is still going strong. And so is the cliché about third parties.
In this case, a patch probably won’t be available until, yes, the next Patch Tuesday (which the advisory calls “Update Tuesday”) on April 14. “There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane,” it said.
But until the patch is available, it offers workarounds and reminds users that they should upgrade to Windows 10, since Microsoft’s support for Windows 7 ended in January.
Meanwhile, for organizations that, like most, are connected to multiple third parties ranging from their supply chain to partnerships, this latest vulnerability should serve as a reminder about the ongoing risks of those relationships and what to do about them.
Jonathan Knudsen, senior security strategist at Synopsys, said it illustrates a universal reality about the software upon which just about every element and function of the internet is built. These days, software components come from multiple, sometimes thousands, of sources. Software developers no longer write much original, proprietary code for an app. They assemble it.
Thousands of third-party parts
“Creating software is essentially a kind of manufacturing, where a finished product is assembled from software components, just as an airplane is assembled from thousands of individual parts,” he said. “It is the responsibility of the manufacturer to keep track of those parts to make sure they are correct and safe.”
For Microsoft, even though Adobe created the library, it is a component of the Windows OS. Windows users, whether they know it or not, are indirect “customers” of Adobe. As Knudsen’s colleague at Synopsys Adam Brown, associate managing consultant, puts it, “Just by using email or documents in Windows you’re using it [the Adobe library].”
But Windows users are direct customers of Microsoft, and therefore have a right to expect that the primary responsibility for fixing defects lies with the company that sold them the finished product, not with a vendor that made one of the thousands of parts.
It is similar to a car with a defective part like an airbag. While a third-party vendor made the airbag, it is the manufacturer of the vehicle that issues the recall and handles the repairs.
The actual fallout from the vulnerability is hard to evaluate or predict. In its advisory, Microsoft said it is “not aware of any attacks against the Windows 10 platform. The possibility of remote code execution is negligible and elevation of privilege is not possible.”
Knudsen said that based on what has been released, “I do not believe Windows 10 is vulnerable to this type of attack.”
But at least some press reports have said there is a risk, in part because of the massive number of people now working at home, thanks to the ongoing health crisis. According to Verdict, these newly remote workers “will have less access to tech support and need to make more decisions about their computer’s cybersecurity than would usually be the case.”
Brown disagrees. “These days tech support is mostly delivered remotely anyway,” he said. “Further, most corporate machines are managed via policies from the IT organization and users wouldn’t be expected or able to make any adjustments themselves to their workstations.”
That, of course, doesn’t apply to freelancers or those who are self-employed. “But this was always the case and the current pandemic hasn’t changed their situation,” Brown said.
Legacy is risky
But finally, the advisory should also be a warning to both individual users and organizations that sticking with “legacy” technology can put them at increased risk. Not only are Windows 7 systems vulnerable, but they also can’t be patched for this vulnerability even when a patch is issued, since Microsoft ended support for Windows 7 in January. That puts an estimated 200 million devices still using the OS at continued risk unless users apply the workarounds, which can affect performance — what the advisory calls “usability issues.”
Knudsen and Brown both say this is simply a reality of technology. “No software manufacturer can support every product they’ve ever made,” Knudsen said.
Brown said companies “have to end support for software that was built on what is now out-of-date architecture.”
He added that he thinks companies should “offer upgrade paths for their operating systems that make sense to customers.” But in many cases users don’t want to upgrade, not just because of the cost but because they use other third-party software that will only work with an older OS like Windows 7.
In those cases, “even if the software giant were to update the old version of the operating system, the new architectures or even features implemented in those operating systems might stop that third-party software from working anyway,” Brown said.
Which means that while this immediate problem is with Microsoft and Adobe, the overall problem is much bigger. It is the entire ecosystem. And that will take much more than a single Patch Tuesday to fix.