Microsoft’s customers have paid a heavy price for Microsoft’s delay in releasing fixes for the security holes in Exchange Server.
According to various reports, the company planned to hold back the fixes for the bugs exploited by the group it calls ‘HAFNIUM’ until the March ‘Patch Tuesday’. That self-serving pause gave attackers an opportunity to steal vital data that customers rely on Microsoft to keep secure.
Patch Tuesday as a PR tactic
Microsoft’s stated rationale for a monthly release of security patches is predictability for administrators, but the cadence is mostly a PR tactic.
‘Patch Tuesday’ limits the ‘bad news’ to a single bundle of security bugs announced once a month.
Before ‘Patch Tuesday’ was introduced in 2003, security patches were released as they were ready. That was better for customers but made for a regular flow of adverse news that Microsoft was anxious to avoid.
So we got ‘Patch Tuesday’, the Microsoft equivalent of ‘Take out the Trash Day’ from The West Wing. All the bad news for a month is dropped on customers (and the media) in one dump. That, combined with vague wording and obfuscation, limits the perception of continually buggy products.
Security bug fixes (patches) are developed by Microsoft, with details of the bugs shared in advance with external security partners under its Active Protections Program (MAPP), then held back until the next PR-approved monthly release.
In the period between a security bug being discovered, the patch being ready and the next ‘Patch Tuesday’, attackers can strike. They have done it in the past and did it with a vengeance this time.
Any delay between a security bug being discovered and the patch going public is a problem: each day that passes increases the risk of attackers finding out about the bug and exploiting it before the patch is released. Knowing Microsoft’s fixed ‘Patch Tuesday’ schedule gives attackers a window of opportunity to hit vulnerable systems, and tells them roughly how long that window stays open.
That’s exactly what happened with the widespread Exchange Server hack. It has been suggested that news of the security holes leaked from one of the many people who knew the details, both inside and outside Microsoft, and Microsoft reportedly investigated whether a partner was the source. To be fair, a leak, if there was one, was more likely from one of Microsoft’s external collaborators than from Microsoft itself.
In this case, Microsoft knew about the four Exchange Server bugs from early January 2021. According to the Washington Post, security patches were ready by the second half of February 2021 and were waiting for the March ‘Patch Tuesday’ to be released.
Limited, targeted exploitation of the four security holes had already been observed earlier in the year, but from about 26 February the attackers switched to mass exploitation and moved quickly to compromise as many servers as possible. They knew (or reasonably guessed) they had to work fast because Microsoft’s next Patch Tuesday, 9 March, was the obvious date for the fixes to ship.
By the time Microsoft realised what had happened, four days later on 2 March, it finally released, out of band, the vital security fixes it had been sitting on.
The headline that “Microsoft Raced to Avert Cyber-Attack” isn’t entirely true. Microsoft held the vital security fixes back and only ‘raced to avert’ when caught napping by more nimble attackers, attackers who took advantage of Microsoft’s delay and its known schedule for releasing security fixes.
What about Exchange Online?
Microsoft was quick to point out that its own hosted Exchange service, Exchange Online, was not affected by the ‘HAFNIUM’ bugs. The company has been pushing cloud services like Exchange Online in preference to ‘on premises’ systems.
When were Microsoft’s own systems protected against these four security holes?
It appears they were protected before Microsoft’s other customers could do the same. Redmond’s cloud services aren’t subject to ‘Patch Tuesday’ delays.
The US Government, among many others, should be asking Microsoft some hard questions about its ‘Patch Tuesday’ policy. This PR-driven approach leaves customers open to attack and allows time for sensitive information about the software bugs to leak.