Microsoft puts corporate pride and weasel words ahead of their customers' safety and security.
Hackers take advantage of Microsoft’s patch release schedule to release a virus as widely as they can in the days before a fix was available.
The Dridex security bug was known to Microsoft but they stubbornly stuck to their ‘Patch Tuesday’ schedule for releasing updates to the public. That delay gives a window of opportunity to hackers and is a window of vulnerability for Microsoft’s customers.
The monthly update schedule suits Microsoft as a PR tactic to reduce the news of Windows/Office bugs to a single monthly batch. From a security point of view it makes no sense at all.
Before ‘Patch Tuesday’ started, there was a constant flow of security bug news as timely patches were released. Those timely updates meant that security holes in Office/Windows were fixed quickly with little delay. But it also meant a regular series of bad headlines that Microsoft hated and had to stop, at any cost. So they changed to a monthly dump of security patches that became known as ‘Patch Tuesday’. The monthly drop meant all the news of security lapses came in one hit, so there was only one headline.
The known monthly schedule means that hackers can time their attacks for the gap between developing a hack and when a patch might appear.
That’s exactly what’s happened with the ‘Dridex’ hack. The security gap in Office documents became known so hackers worked on misusing the trick while Microsoft worked to patch the bug. But the hackers have an advantage – they know when Microsoft will release any patch for the bug. The attackers pushed out as many nasty emails as they could to infect vulnerable computers as quickly as possible. They do that safe in the knowledge that no computer is immune until the next ‘Patch Tuesday’.
Microsoft knows very well of that risk to customers but prefers to maintain their PR and marketing agenda over their customers' welfare.