Monday, July 12, 2021

If you please, Sir, would you be kind enough to patch this serious vulnerability in that software you charged me a lot of money for?


Last week, the Wall Street Journal reported that Kaseya was warned in early April of the previously-unknown vulnerability used in the recent devastating ransomware attack on hundreds of organizations worldwide (including MSP customers of Kaseya and customers of those MSPs).

It had been previously reported that a Dutch security research organization had informed Kaseya of the vulnerability (along with others linked to it) some time before the attack. Now we know that time was three months ago. Kaseya patched some of the vulnerabilities in April and May, but unfortunately, they didn’t get around to this vulnerability (actually one in a chain of vulnerabilities) before the successful attack. Darn the luck! Moreover, Kaseya still hasn’t fully patched the vulnerability, because of some sort of technical issue.

At the same time, we’ve learned about the potentially devastating PrintNightmare vulnerability in the Windows print spooler. It’s a long story, but the gist is that in late June, some researchers mistakenly released a proof-of-concept exploit for the vulnerability. When the mistake became clear, they pulled the code back, but not before it had been copied and improved upon. Now the ambitious hacker has at least three sets of exploit code to choose from. So there is some good news in this story…for the hackers.

Of course, all this vulnerability does is allow attackers to take control of the Windows domain controller…nothing serious or anything like that. We have to assume the hackers (and probably our Russian government friends, as usual busy as beavers in their never-ending quest to make life hard for Western countries, all without having to resort to nuclear weapons, since using those is messy and is regarded as a real faux pas in polite company) have already penetrated as many targets as they possibly can, since they assume that Microsoft will finally fix this vulnerability.

Indeed, Microsoft did issue a patch for the vulnerability last Tuesday. However, on Wednesday a researcher demonstrated online how exploits could bypass the patch. So it seems we’re not out of the woods yet.

Clearly, leaving important software companies – critical infrastructure, if the term has any meaning at all – to make all the decisions about when, or even if, they’ll patch important vulnerabilities isn’t working. This isn’t like your dry cleaners messing up one of your shirts. Both of the above failures have potentially huge consequences, just like SolarWinds did.

Maybe there should be fines that kick in X number of days after the company learns of a serious vulnerability, and increase every day that the vulnerability isn’t patched (and if there’s no way to patch the vulnerability for some reason, then the software company should order their vulnerable product to be taken down, and be required to compensate their customers for whatever damage this causes them).

With great power comes great responsibility. The companies are quite happy with the former, but they’re not so keen on the latter.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. Nor are they shared by the National Technology and Information Administration’s Software Component Transparency Initiative, for which I volunteer. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
