You’ll have to wait for Microsoft’s zero-day patch

The latest debate about when it is or isn’t OK to release details of a security vulnerability involves a couple of familiar foes, Microsoft and Google. And while this debate rages, Windows customers will have to wait, knowing they’re vulnerable to attack. 

Google recently went public with news that Microsoft Windows has a critical zero-day vulnerability. The announcement was made a week after the local privilege escalation vulnerability was discovered, but before Microsoft had a fix for it.

Microsoft seemed upset by the announcement. It’s long been understood that companies won’t report on each other’s zero-days, as it gives hackers a leg up while manufacturers patch vulnerable systems. But Google doesn’t wait forever to report vulnerabilities, as exhibited by an earlier feud with Redmond.

Microsoft said it was irresponsible to make the information public, but Google argued the vulnerability was already being used in the wild, so putting the word out wouldn’t matter.

Consumers left waiting

But enough big picture stuff: What does this mean for Windows customers?

Nothing, for almost a week. Microsoft has said it won’t be able to patch the vulnerability until next Tuesday, Nov. 8. (Election day: Don’t forget to vote.)

That’s sure to keep raising questions about Microsoft’s policy of releasing most of its patches on Patch Tuesday. Although the way these updates are delivered has changed, it can still be a frustration for IT pros left to manage them all.

In the meantime …

Right now there are things you can do to protect your organization from this threat. First, Microsoft advises that Windows users with Windows Defender Advanced Threat Detection won’t have to worry about the vulnerability, as they’re already protected.

Also, since the vulnerability relies on an outdated version of Flash to be successful, Google urges companies that don’t automatically update Flash to manually update it ASAP.

Finally, be sure to tell users to be on the lookout for the sure signs of a phishing attempt. Since that’s the delivery method for this security threat, having them advise you of any suspicious activity could help prevent this attack (or similar ones).
