Last week, the Wall Street Journal reported that Kaseya was warned in early April of the previously unknown vulnerability used in the recent devastating ransomware attack on hundreds of organizations worldwide (including MSP customers of Kaseya and customers of those MSPs). It had been previously reported that a Dutch security research organization had informed Kaseya of the vulnerability (along with others linked to it) some time before the attack. Now we know how long that was: three months. Kaseya patched some of the vulnerabilities in April and May, but unfortunately they didn't get around to this one (actually one link in a chain of vulnerabilities) before the successful attack. Darn the luck! Moreover, Kaseya still hasn't fully patched the vulnerability, because of some sort of technical issue.
At the same time, we've learned about the potentially devastating PrintNightmare vulnerability in the Windows Print Spooler service. It's a long story, but the gist is that in late June some researchers mistakenly released a proof-of-concept exploit for the vulnerability, believing it had already been patched. When the mistake became clear, they pulled the code, but not before it had been copied and improved upon. Now the ambitious hacker has at least three sets of exploit code to choose from. So there is some good news in this story...for the hackers.
Of course, all this vulnerability does is let attackers run code with SYSTEM privileges on any Windows machine with the Print Spooler running, domain controllers included...nothing serious or anything like that. We have to assume that the criminals (and probably our Russian government friends, as usual busy as beavers in their never-ending quest to make life hard for Western countries, all without having to resort to nuclear weapons, since using those is messy and is regarded as a real faux pas in polite company) have already penetrated as many targets as they possibly can, since they assume that Microsoft will eventually fix the vulnerability.
Indeed, Microsoft did issue an out-of-band patch for the vulnerability last Tuesday. However, on Wednesday a researcher demonstrated online that exploits could still bypass the patch on systems with certain Point and Print settings enabled. So it seems we're not out of the woods yet.
Clearly, leaving important software companies – critical infrastructure, if the term has any meaning at all – to make all the decisions about when, or even if, they'll patch important vulnerabilities isn't working. This isn't like your dry cleaner ruining one of your shirts. Both of the above failures have potentially huge consequences, just as SolarWinds did.
Maybe there should be fines that kick in a set number of days after a company learns of a serious vulnerability and increase every day the vulnerability isn't patched (and if there's no way to patch the vulnerability for some reason, the software company should be required to take the vulnerable product down and to compensate its customers for whatever damage that causes them).
With great power comes great responsibility. The companies
are quite happy with the former, but they’re not so keen on the latter.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. Nor are they shared by the National Telecommunications and Information Administration's Software Component Transparency Initiative, for which I volunteer. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.