In general, I think most companies are doing better in security than before. They at least are admitting that they have to pay attention to it, and Microsoft has made huge changes in its programming and business practices that have made it far more difficult to break into systems than it used to be. But there is still room for improvement, and one practice in particular needs to change sooner rather than later, because it undermines a key piece of the security advice we give users.
A very common way of gaining access to a system or network is to send an e-mail claiming to be something it is not, a practice known as phishing. Frequently this is done by attaching a malicious file to the e-mail and sending it to specific users (as happened to RSA in 2011) or by including a URL to a malicious site. One of the most common ruses in either case is to present the file or link as a patch from Microsoft.
We in the security field tell users never to open these files or click on links that purport to download patches. It is simple advice, it keeps everyone safer, and we can even point to Microsoft’s own words to back it up. A Microsoft Knowledge Base article says, in part:
Microsoft does not distribute security updates by using e-mail attachments. Security notification e-mail messages from Microsoft always encourage you to go to the security bulletin for the updates.
This kind of thing is great for us. It’s clear, unambiguous wording that we can provide to users. Microsoft does not distribute security updates by using e-mail attachments.
But there’s a catch, and it’s one that many users won’t understand. Microsoft doesn’t distribute security updates by e-mail, but it does distribute some hotfixes by e-mail (a hotfix being a narrowly targeted fix for one reported problem, supplied on request rather than through the regular update channel and, as Microsoft’s own message below warns, not fully tested). Here’s the problem: a very large swath of users, probably the vast majority, don’t distinguish between security patches and hotfixes. To them, they’re all just “Microsoft patches.”
I discovered this behavior recently when trying to troubleshoot one of my systems and ended up at KB2719594. A hotfix is available, as can clearly be seen at the top of the KB article, and the issue described seemed like it fit what I was seeing, so I clicked on the link to download it. Instead of beginning a download, though, I was led to a page that requested my e-mail address so Microsoft could send me the hotfix by e-mail.
I thought I needed the file (it turned out later that my computer just needed a new BIOS battery), so I gave them my e-mail address. A few minutes later, I got an e-mail entitled Hotfix download link you requested from firstname.lastname@example.org. I clicked on the link provided in the e-mail (you can go to it, too) and the download simply started. No sign-in, no page, no additional steps of any kind. From the user’s side, that flow looks exactly like the one an attacker uses to get a malicious file onto a system.
I don’t see why Microsoft requires the extra steps. Neither the KB article nor the e-mail request page says they’ll notify me when a new version comes out. It’s not a paid support option, so it’s not a case of limited distribution. There is no reason whatsoever that I can find for using this method to provide a patch.
Had I not expected it, I would have been extremely suspicious. Instead, I’m concerned. This is exactly the edge case that makes a regular user (trying to be helpful to the computer guy in the family by doing his own troubleshooting) try to start analyzing other e-mail that comes in to decide whether that patch should be installed, too. That’s a user behavior that we’re trying to eradicate, and Microsoft is not helping by employing this practice. I understand there may be a limited need for this kind of thing when working actively with tech support and custom patches are provided, but Microsoft needs to end the practice for what are effectively freely-downloadable hotfixes and other patches.
For reference, here are the basic headers and original e-mail body from Microsoft, sent in plain text with no PGP signature, graphic, or anything else that would suggest that it actually came from Microsoft. Nothing in the message itself lets the recipient verify its origin; the only real checks are on the mail headers and on the download host, and neither is something an ordinary user examines. Even though I know it’s clean, it still looks an awful lot like a phishing message to me.
Date: Sun, 24 Mar 2013 11:32:18 -0700
Subject: Hotfix download link you requested
For your convenience, we put the hotfix that you requested on an HTTP site. You can download the hotfix from this site without us filling up your e-mail inbox.
WARNING This hotfix has not undergone full testing. Therefore, it is intended only for systems or computers that are experiencing the exact problem that is described in one or more of the Microsoft Knowledge Base articles that are listed in the “KB Article Numbers” field in the table at the end of this e-mail message. If you are not sure whether any special compatibility or installation issues are associated with this hotfix, we encourage you to wait for the next service pack release. The service pack will include a fully tested version of this fix. We understand that it can be difficult to determine whether any compatibility or installation issues are associated with a hotfix. If you want confirmation that this hotfix addresses your specific problem, or if you want to confirm whether any special compatibility or installation issues are associated with this hotfix, support professionals in Customer Support Services can help you with that. For information about how to contact support, copy the following link and then paste it into your Web browser:
For additional support options, please copy the following link and then paste it into your Web browser:
Before you install this hotfix
If you decide to install this hotfix, please note the following items:
Do not deploy a hotfix in a production environment without first testing the hotfix.
Back up the system or the computer that will receive the hotfix before you install the hotfix.
Additional hotfix information
NOTE For your convenience, we send the hotfix location to you in a hyperlink. To connect to this hotfix location, you can click the hyperlink in the “Location” field that is listed in the table at the end of this e-mail message to have your Web browser open that location. However, sometimes e-mail program settings disable hyperlinks. If the hyperlink in this e-mail message is disabled, please copy the hyperlink in the “Location” field and then paste it into the address box of your Web browser. Make sure that you include the exact text (without spaces) between the parentheses in the http:// address.
KB Article Number(s): 2719594
Language: All (Global)
NOTE Make sure that you include all the text between “(” and “)” when you visit this hotfix location.
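The checks a practitioner would actually run on a message like the one above, as an added example (this code is not from the original post and is not anything Microsoft ships): confirm the claimed sender domain, require a DKIM pass for that domain from your own mail server’s Authentication-Results header, refuse any attachment (the KB wording quoted earlier says updates never arrive that way), and pull the download link out of the “(…)” wrapper the hotfix mail uses, since the mail itself warns that the link may be split across lines. The allowlist of download hosts, the sender domain, the sample headers, the file path and the look-alike phishing domain are all assumptions constructed for the example, not details taken from the page.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlists for this example. Neither comes from the page: the hosts are
# where this example expects hotfix downloads to live, and the domain is the one
# the notification mail claims to be sent from.
TRUSTED_DOWNLOAD_HOSTS = {"hotfixv4.microsoft.com", "download.microsoft.com"}
TRUSTED_SENDER_DOMAIN = "microsoft.com"

# The hotfix mail puts its link between "(" and ")" and warns that mail clients
# may break it across lines, so collect everything inside the parentheses and
# strip the whitespace. Bare URLs elsewhere in the body are picked up separately.
_PAREN_URL = re.compile(r"\(\s*(https?://[^)]*)\)", re.S)
_BARE_URL = re.compile(r"https?://[^\s<>()\"]+")


def _in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def _body_text(msg):
    """Return the first text/plain part of the message, decoded."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def extract_urls(body):
    """Parenthesised links first (whitespace removed), then any bare URLs."""
    urls = [re.sub(r"\s+", "", m.group(1)) for m in _PAREN_URL.finditer(body)]
    urls += _BARE_URL.findall(_PAREN_URL.sub("", body))
    return urls


def triage(raw_message):
    """Classify a 'hotfix download' mail; returns urls, problems, warnings, verdict."""
    msg = message_from_string(raw_message)
    problems, warnings = [], []

    # 1. Claimed sender. A From header proves nothing by itself, which is why the
    #    DKIM check below is required as well.
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not _in_domain(sender_domain, TRUSTED_SENDER_DOMAIN):
        problems.append("sender domain %r is not under %s" % (sender_domain, TRUSTED_SENDER_DOMAIN))

    # 2. DKIM result for the claimed domain. Only an Authentication-Results header
    #    stamped by your own mail server means anything; a forged one is trivial to add.
    auth = " ".join(msg.get_all("Authentication-Results", []))
    dkim = re.search(r"dkim=pass\b.*?header\.d=([\w.-]+)", auth)
    if not dkim or not _in_domain(dkim.group(1).lower(), TRUSTED_SENDER_DOMAIN):
        problems.append("no DKIM pass result for %s" % TRUSTED_SENDER_DOMAIN)

    # 3. Attachments. Per Microsoft's KB wording, updates never arrive as attachments.
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            problems.append("update delivered as attachment %r" % part.get_filename())

    # 4. Download links: the host must be an expected hotfix host, and a plain-HTTP
    #    link leaves the Authenticode signature on the package as the only integrity check.
    urls = extract_urls(_body_text(msg))
    if not urls:
        warnings.append("no download link found in body")
    for url in urls:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host not in TRUSTED_DOWNLOAD_HOSTS:
            problems.append("download host %r is not an expected hotfix host" % host)
        if parsed.scheme != "https":
            warnings.append("%s is plain HTTP; verify the package's Authenticode signature" % url)

    verdict = "suspicious" if problems else "consistent with a requested hotfix mail"
    return {"urls": urls, "problems": problems, "warnings": warnings, "verdict": verdict}


# Constructed samples modelled on the message quoted above. The Authentication-Results
# line, the download path and the look-alike domain are made up for this example.
HOTFIX_MAIL = """\
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=microsoft.com; dkim=pass header.d=microsoft.com
From: Microsoft Hotfix Delivery <hotfix@microsoft.com>
Date: Sun, 24 Mar 2013 11:32:18 -0700
Subject: Hotfix download link you requested
Content-Type: text/plain; charset=us-ascii

For your convenience, we put the hotfix that you requested on an HTTP site.

KB Article Number(s): 2719594
Location: (http://hotfixv4.microsoft.com/example-path/
  Windows6.1-KB2719594-x64.msu)
NOTE Make sure that you include all the text between "(" and ")".
"""

PHISH_MAIL = """\
From: Microsoft Security <security@micros0ft-support.example>
Subject: Hotfix download link you requested
Content-Type: text/plain

Your hotfix is ready: http://micros0ft-support.example/KB2719594.exe
"""

if __name__ == "__main__":
    for sample in (HOTFIX_MAIL, PHISH_MAIL):
        result = triage(sample)
        print(result["verdict"], result["problems"], result["warnings"])
```

The verdict only says the mail is consistent with a hotfix you asked for; it cannot prove the file is safe. The plain-HTTP warning is the real takeaway from the quoted message: the link, as the mail itself notes, is an http:// address, so after downloading, check the package’s Authenticode signature (for example with Get-AuthenticodeSignature in PowerShell) before installing it, and treat an unsigned or wrongly signed package as hostile regardless of how the mail scored.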