With Patch Tuesday's delivery imminent, and no one except paying Premier customers knowing what's coming, it's a bit disconcerting to hear that an old flaw is being reported.
The flaw, which has existed since the late 1990s, has been uncovered by security firm Cylance. Cylance is, of course, suggesting that the sky is falling, but Microsoft is proposing that it's not as serious an issue as the security company states.
The old vulnerability, called "Redirect to SMB," required a user to click a bad link in an email or on a web site. Once the user had been duped, miscreants could steal sensitive information within the communication stream. Cylance is reporting that the flaw has evolved so that a user can be hacked without even clicking a link.
This man-in-the-middle attack has not been found in the wild, only confirmed in Cylance's test lab.
Microsoft admits that the flaw does exist, but advises that several things have to happen for hackers to be successful. But, instead of promising a fix, the company has redirected comments to review guidance it issued in a Security Research and Defense blog post from 2009.
I'm sure we'll hear more about this in the coming weeks or months. Microsoft could be taking a lax stance on the matter because a patch is coming. But, of course, we won't know until today's updates arrive if Microsoft is including a fix this month. Microsoft used to provide clarity and be more transparent with its patches, but the company took that away from normal customers earlier this year. To be notified of upcoming updates, companies must be paying members of Microsoft's Premier Support service. This is still an open wound for many customers.