13 October 2009

Vista calling today's Critical updates only "Important"??

Today (Patch Tuesday!) Microsoft released a record number of security patches: 13 bulletins covering 34 vulnerabilities, several of them rated Critical. Here's a good breakdown of the patches at SANS and another from Microsoft themselves.

I've been through the Patch Tuesday rounds seemingly countless times now, whether on my personal machines, in data centers, or as part of the process of building and operating commercial security software that's patch-aware. It's complex -- lots of moving parts that can go wrong.

So I immediately noticed something when doing my check for today's patches. None of the patches were rated Critical on my Vista machine. Instead, Vista told me that I had 15 Important patches ready to download and install:

With all the news and hype surrounding this release, I certainly expected more than this. Where was the Windows Media Player vulnerability? The SMBv2 vulnerability? I dug in and looked:

Well, there they are: the Media Player fix is KB954155. The SMBv2 fix is KB975517. Etc. These are Critical vulnerabilities with known exploits. But they are all listed as only Important by my Vista Home Premium SP2 personal laptop.
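One way to see the bulletin severity that the Vista dialog hides, as an added example that is not part of the original post: the Windows Update Agent exposes each pending update's MsrcSeverity and KB numbers through its COM API, so a short PowerShell script can list them and then confirm whether the two fixes named above are installed. It assumes PowerShell 2.0 or later (a separate download on Vista) and a working Windows Update Agent that can reach Windows Update or a WSUS server; the two KB numbers are the ones from the post.

```powershell
# Added example, not from the original post: list pending updates with the MSRC
# severity reported by the Windows Update Agent (WUA) COM API, then check whether
# the two KBs named in the post are installed. Assumes PowerShell 2.0+ and a
# working WUA (Vista and later); the search talks to Windows Update or your WSUS.

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# IsInstalled=0 -> not yet installed; Type='Software' -> skip driver updates
$pending = $searcher.Search("IsInstalled=0 and Type='Software'").Updates

$report = foreach ($u in $pending) {
    $severity = $u.MsrcSeverity              # 'Critical', 'Important', ... or empty
    if (-not $severity) { $severity = 'n/a' } # non-security updates carry no rating
    New-Object PSObject -Property @{
        KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Severity = $severity
        Category = ($u.Categories | ForEach-Object { $_.Name }) -join ','
        Title    = $u.Title
    }
}

# This is the bulletin rating, not Windows Update's Important/Recommended/Optional label
$report | Select-Object KB, Severity, Category, Title |
    Sort-Object Severity | Format-Table -AutoSize

# Flag anything MSRC rates Critical: those go first, whatever the dialog says
$critical = @($report | Where-Object { $_.Severity -eq 'Critical' })
if ($critical.Count -gt 0) {
    Write-Warning ("{0} pending update(s) are rated Critical by MSRC" -f $critical.Count)
}

# Are the two fixes named in the post already on this box? (KB numbers from the post)
foreach ($kb in 'KB954155', 'KB975517') {
    $hf = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    if ($hf) { "{0}: installed on {1}" -f $kb, $hf.InstalledOn }
    else     { "{0}: NOT installed" -f $kb }
}
```

Searching for pending updates through WUA does not need an elevated prompt; installing them does. The severity column is empty for updates that have no MSRC bulletin behind them (definition updates, feature packs), which is why the script prints n/a rather than treating a blank as harmless.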

This is a major oversight. Windows Update's Important/Recommended/Optional labels are its own delivery classification, not the bulletin's MSRC severity rating: every security update lands under Important whatever its severity, and nothing in the Vista dialog tells a user which of these 15 are Critical. If someone thinks these updates are only Important, they may defer installation. Since there are in-the-wild exploits, that would be a very dangerous choice. People who aren't following the news, aren't tech-savvy, and don't have their updates set to install automatically could find themselves in a bad situation.

Microsoft needs to investigate and correct this. I'll report the issue and follow up on anything I learn.