Are Patches Leading to Exploits?

In October, for the second time in as many months, Microsoft's "Patch Tuesday" gave way to "Exploit Wednesday."

This could be a sign of an emergent modus operandi for those who would exploit vulnerabilities just after Microsoft releases its security bulletins, according to some security experts.

In September, it was Clippy's Revenge; last Wednesday, an exploit related to Microsoft Word came to light.

Researchers at Symantec discovered a malicious Word file in the wild which, when opened, was crashing the program. Symantec investigated further, using various combinations of Word versions, patches and languages, and in each case -- with the exception of Office 2007 -- opening the document caused Word to crash, Symantec said. Later it became apparent that someone created the document using Word for Macintosh.

These incidents over the past two Patch Tuesdays suggest ongoing efforts by hackers to anticipate what will be patched and attempt to pounce on weaknesses immediately after getting up to speed on an exploit's implications. They also highlight the muddy waters of proof-of-concept exploit releases by independent security vendors -- intended to help IT organizations, they often do just the opposite.

"The exploits come from everywhere, whether in the wild or through more controlled means," said Alfred Huger, vice-president of Software Engineering for Symantec Security Response. "But (the exploits) can be like a hammer in the respect that you can use them to build on weakness or destroy defenses."

Huger added that Microsoft is handling a two-edged sword when releasing patches: as a vendor, it should and must disclose fixes to products, programs and services; but doing that also gives hackers a laundry list of potential attack vectors and weak spots.

Ideally, proof-of-concept exploits are supposed to stop that cold. These proof-of-concept programs, which emerge in the wake of any given Patch Tuesday, are designed to show people how to deter these threats and, ideally, give vendors and IT pros a sense of what they're up against before a hacker can strike.

That's why security organizations like TippingPoint, VeriSign and research project Metasploit all help locate and provide possible solutions to exploits and potential exploits of Microsoft vulnerabilities.

But such help may not always be welcome in Redmond, according to Eric Schultze, chief security architect at Saint Paul, Minn.-based Shavlik Technologies.

"I don't think (Microsoft) really cares for the VeriSigns of the world," Schultze said. "I think they would rather hear about an exploit privately and then fix it rather than have an exploit already out there used for the wrong reasons, only to release a patch and have it re-engineered and used against them."

Schultze said that going forward, the application-based exploits (Clippy, MS Word) and client-side issues, while important, aren't as critical as server-side issues such as the denial of service risk via remote procedure call (RPC) that Redmond patched on Tuesday.

"As a hacker, the gold medal is the server side, controlling the network," said Schultze, who expects that a proof-of-concept exploit, an in-the-wild exploit, or both are forthcoming for the RPC vulnerability and likely for the Network News Transfer Protocol issue as well.

Meanwhile, as an indication of what may be covered in future Patch Tuesdays -- the next one is on Nov. 13 -- Microsoft announced this week that it was looking into a remote code execution vulnerability in supported editions of Windows XP and Windows Server 2003 with Windows Internet Explorer 7 installed.

As always, security admins must remain vigilant: know your weaknesses, test your network for holes and fix any problems quickly.

"We know that proof of concepts are used maliciously, we know that exploits are released every month, every week and every day for that matter," Symantec's Huger said. "We also know that hackers keep things close to the vest and then tend to dump their exploits to coincide with patches to throw you off while they're moving on to something else. Since we know this, we should act accordingly."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.
